Honour resource id as key handle id

nb-goog · Nov 15, 2024 · f3589f3 · f3589f3
1 parent 3ddbfd3
commit f3589f3
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 32 deletions.
diff --git a/apis/kms/v1alpha1/keyhandle_reference.go b/apis/kms/v1alpha1/keyhandle_reference.go
@@ -21,7 +21,6 @@ import (
 
 	refsv1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/k8s"
-	"github.com/google/uuid"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
@@ -103,22 +102,18 @@ func NewKMSKeyHandleRef(ctx context.Context, reader client.Reader, obj *KMSKeyHa
 	id.parent = &KMSKeyHandleParent{ProjectID: projectID, Location: location}
 
 	// Get desired ID
-	desiredHandleId := valueOf(obj.Spec.ResourceID)
-	if desiredHandleId != "" {
-		if _, err := uuid.Parse(desiredHandleId); err != nil {
-			return nil, fmt.Errorf("spec.resourceID should be in a UUID format, got %s ", desiredHandleId)
-		}
-	}
+	desiredHandleID := valueOf(obj.Spec.ResourceID)
 
 	// At this point we are expecting desiredHandleID to be either empty or valid uuid
 	// 1. if desiredHandleID empty:
 	// id.external will be projects/<pid>/locations/<loc>/keyHandles/. i.e without resourceID.
 	// A call will be made to find() with invalid externalID which will return false.
 	// 2. if desiredHandleID is a valid UUID: id.external will be valid.
+
 	// Use approved External
 	externalRef := valueOf(obj.Status.ExternalRef)
 	if externalRef != "" {
-		actualParent, actualHandleId, err := ParseKMSKeyHandleExternal(externalRef)
+		actualParent, actualHandleID, err := ParseKMSKeyHandleExternal(externalRef)
 		if err != nil {
 			return nil, err
 		}
@@ -129,20 +124,29 @@ func NewKMSKeyHandleRef(ctx context.Context, reader client.Reader, obj *KMSKeyHa
 		if actualParent.Location != location {
 			return nil, fmt.Errorf("spec.location changed, expect %s, got %s", actualParent.Location, location)
 		}
-		if desiredHandleId != "" && (actualHandleId != desiredHandleId) {
+		if desiredHandleID != "" && (actualHandleID != desiredHandleID) {
 			return nil, fmt.Errorf("cannot reset `spec.resourceID` to %s, since it has already assigned to %s",
-				desiredHandleId, actualHandleId)
+				desiredHandleID, actualHandleID)
 		}
 		id.External = externalRef
 		return id, nil
 	}
 	id.parent = &KMSKeyHandleParent{ProjectID: projectID, Location: location}
-	if desiredHandleId != "" {
-		id.External = id.parent.String() + "/keyHandles/" + desiredHandleId
-	}
+	id.External = id.parent.String() + "/keyHandles/" + desiredHandleID
 	return id, nil
 }
 
+func (r *KMSKeyHandleRef) KeyHandleID() (string, bool, error) {
+	if r.External != "" {
+		_, id, err := ParseKMSKeyHandleExternal(r.External)
+		if err != nil {
+			return "", false, err
+		}
+		return id, id != "", nil
+	}
+	return "", false, fmt.Errorf("KMSKeyHandleRef not normalized to External form or not created from `New()`")
+}
+
 func (r *KMSKeyHandleRef) Parent() (*KMSKeyHandleParent, error) {
 	if r.parent != nil {
 		return r.parent, nil

diff --git a/apis/kms/v1alpha1/keyhandle_types.go b/apis/kms/v1alpha1/keyhandle_types.go
@@ -29,7 +29,9 @@ var KMSKeyHandleGVK = GroupVersion.WithKind("KMSKeyHandle")
 type KMSKeyHandleSpec struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ResourceID field is immutable"
 	// Immutable.
-	// The KMSKeyHandle name. If not given, the metadata.name will be used.
+	// The KMS Key Handle ID used for resource creation or acquisition.
+	// For creation: If specified, this value is used as the key handle ID. If not provided, a UUID will be generated and assigned as the key handle ID.
+	// For acquisition: This field must be provided to identify the key handle resource to acquire.
 	ResourceID *string `json:"resourceID,omitempty"`
 
 	// Project hosting KMSKeyHandle

diff --git a/pkg/controller/direct/kms/keyhandle/keyhandle_controller.go b/pkg/controller/direct/kms/keyhandle/keyhandle_controller.go
@@ -106,8 +106,11 @@ var _ directbase.Adapter = &Adapter{}
 func (a *Adapter) Find(ctx context.Context) (bool, error) {
 	log := klog.FromContext(ctx).WithName(ctrlName)
 	log.V(2).Info("getting KeyHandle", "name", a.id.External)
-	if a.id.External == "" {
-		// cannot retrieve the key handle without ServiceGeneratedID, expecting to create a new connection
+	_, idIsSet, err := a.id.KeyHandleID()
+	if err != nil {
+		return false, err
+	}
+	if !idIsSet {
 		return false, nil
 	}
 	req := &kmspb.GetKeyHandleRequest{Name: a.id.External}
@@ -138,9 +141,17 @@ func (a *Adapter) Create(ctx context.Context, createOp *directbase.CreateOperati
 	if err != nil {
 		return err
 	}
+	id, idIsSet, err := a.id.KeyHandleID()
+	if err != nil {
+		return err
+	}
+
 	req := &kmspb.CreateKeyHandleRequest{
-		Parent:    parent.String(),
-		KeyHandle: resource,
+		Parent:      parent.String(),
+		KeyHandle:   resource,
+	}
+	if idIsSet {
+		req.KeyHandleId = id
 	}
 	op, err := a.gcpClient.CreateKeyHandle(ctx, req)
 	if err != nil {

diff --git a/...xture/testdata/basic/kms/v1alpha1/kmskeyhandle/_generated_object_kmskeyhandle.golden.yaml b/...xture/testdata/basic/kms/v1alpha1/kmskeyhandle/_generated_object_kmskeyhandle.golden.yaml
@@ -12,7 +12,8 @@ metadata:
 spec:
   location: us-central1
   projectRef:
-    external: projects/${uniqueId}
+    external: projects/autokey-resource
+  resourceID: 5a4fa10e-995d-4ee0-a426-a220aa390320
   resourceTypeSelector: compute.googleapis.com/Disk
 status:
   conditions:
@@ -21,6 +22,7 @@ status:
     reason: UpToDate
     status: "True"
     type: Ready
-  externalRef: projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d
+  externalRef: projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320
   observedGeneration: 1
-  observedState: {}
+  observedState:
+    kmsKey: projects/${projectId}/locations/us-central1/keyRings/autokey/cryptoKeys/190012159962-compute-disk-b009b5dae13cd3c5
diff --git a/pkg/test/resourcefixture/testdata/basic/kms/v1alpha1/kmskeyhandle/_http.log b/pkg/test/resourcefixture/testdata/basic/kms/v1alpha1/kmskeyhandle/_http.log
@@ -1,9 +1,36 @@
-POST https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles?%24alt=json%3Benum-encoding%3Dint
+GET https://cloudkms.googleapis.com/v1/projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320?%24alt=json%3Benum-encoding%3Dint
 Content-Type: application/json
 User-Agent: kcc/controller-manager
-x-goog-request-params: parent=projects%2F${uniqueId}%2Flocations%2Fus-central1
+x-goog-request-params: name=projects%2Fautokey-resource%2Flocations%2Fus-central1%2FkeyHandles%2F5a4fa10e-995d-4ee0-a426-a220aa390320
+
+404 Not Found
+Cache-Control: private
+Content-Type: application/json; charset=UTF-8
+Server: ESF
+Vary: Origin
+Vary: X-Origin
+Vary: Referer
+X-Content-Type-Options: nosniff
+X-Frame-Options: SAMEORIGIN
+X-Xss-Protection: 0
+
+{
+  "error": {
+    "code": 404,
+    "message": "KeyHandle projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320 not found.",
+    "status": "NOT_FOUND"
+  }
+}
+
+---
+
+POST https://cloudkms.googleapis.com/v1/projects/autokey-resource/locations/us-central1/keyHandles?%24alt=json%3Benum-encoding%3Dint&keyHandleId=5a4fa10e-995d-4ee0-a426-a220aa390320
+Content-Type: application/json
+User-Agent: kcc/controller-manager
+x-goog-request-params: parent=projects%2Fautokey-resource%2Flocations%2Fus-central1
 
 {
+  "name": "projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320",
   "resourceTypeSelector": "compute.googleapis.com/Disk"
 }
 
@@ -19,15 +46,18 @@ X-Frame-Options: SAMEORIGIN
 X-Xss-Protection: 0
 
 {
-  "name": "projects/${uniqueId}/locations/us-central1/operations/${operationID}"
+  "metadata": {
+    "@type": "type.googleapis.com/google.cloud.kms.v1.CreateKeyHandleMetadata"
+  },
+  "name": "projects/autokey-resource/locations/us-central1/operations/${operationID}"
 }
 
 ---
 
-GET https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/operations/${operationID}
+GET https://cloudkms.googleapis.com/v1/projects/autokey-resource/locations/us-central1/operations/${operationID}
 Content-Type: application/json
 User-Agent: kcc/controller-manager
-x-goog-request-params: name=projects%2F${uniqueId}%2Flocations%2Fus-central1%2Foperations%2F${operationID}
+x-goog-request-params: name=projects%2Fautokey-resource%2Flocations%2Fus-central1%2Foperations%2F${operationID}
 
 200 OK
 Cache-Control: private
@@ -42,20 +72,21 @@ X-Xss-Protection: 0
 
 {
   "done": true,
-  "name": "projects/${uniqueId}/locations/us-central1/operations/${operationID}",
+  "name": "projects/autokey-resource/locations/us-central1/operations/${operationID}",
   "response": {
     "@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
-    "name": "projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d",
+    "kmsKey": "projects/${projectId}/locations/us-central1/keyRings/autokey/cryptoKeys/190012159962-compute-disk-b009b5dae13cd3c5",
+    "name": "projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320",
     "resourceTypeSelector": "compute.googleapis.com/Disk"
   }
 }
 
 ---
 
-GET https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d?%24alt=json%3Benum-encoding%3Dint
+GET https://cloudkms.googleapis.com/v1/projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320?%24alt=json%3Benum-encoding%3Dint
 Content-Type: application/json
 User-Agent: kcc/controller-manager
-x-goog-request-params: name=projects%2F${uniqueId}%2Flocations%2Fus-central1%2FkeyHandles%2F5fe9854c-4a75-4ec9-8c27-c235754b981d
+x-goog-request-params: name=projects%2Fautokey-resource%2Flocations%2Fus-central1%2FkeyHandles%2F5a4fa10e-995d-4ee0-a426-a220aa390320
 
 200 OK
 Cache-Control: private
@@ -69,6 +100,7 @@ X-Frame-Options: SAMEORIGIN
 X-Xss-Protection: 0
 
 {
-  "name": "projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d",
+  "kmsKey": "projects/${projectId}/locations/us-central1/keyRings/autokey/cryptoKeys/190012159962-compute-disk-b009b5dae13cd3c5",
+  "name": "projects/autokey-resource/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320",
   "resourceTypeSelector": "compute.googleapis.com/Disk"
 }
diff --git a/pkg/test/resourcefixture/testdata/basic/kms/v1alpha1/kmskeyhandle/create.yaml b/pkg/test/resourcefixture/testdata/basic/kms/v1alpha1/kmskeyhandle/create.yaml
@@ -17,7 +17,8 @@ kind: KMSKeyHandle
 metadata:
   name: keyhandle-${uniqueId}
 spec:
+  resourceID: 5a4fa10e-995d-4ee0-a426-a220aa390320
   projectRef:
-    external: projects/${uniqueId}
+    external: projects/autokey-resource
   location: us-central1
   resourceTypeSelector: compute.googleapis.com/Disk