Merge pull request #1187 from gab-satchi/multi-tenancy-0.7

Multi tenancy support for v1alpha3

Author: k8s-ci-robot

api/v1alpha2/vspherecluster_conversion.go

@@ -48,7 +48,9 @@ func (src *VSphereCluster) ConvertTo(dstRaw conversion.Hub) error { // nolint
 	if dst.Spec.CloudProviderConfiguration.ProviderConfig.Cloud != nil {
 		dst.Spec.CloudProviderConfiguration.ProviderConfig.Cloud.ExtraArgs = restored.Spec.CloudProviderConfiguration.ProviderConfig.Cloud.ExtraArgs
 	}
-
+	if restored.Spec.IdentityRef != nil {
+		dst.Spec.IdentityRef = restored.Spec.IdentityRef
+	}
 	if restored.Spec.LoadBalancerRef != nil {
 		dst.Spec.LoadBalancerRef = restored.Spec.LoadBalancerRef
 	}

api/v1alpha3/condition_consts.go

@@ -47,14 +47,6 @@ const (
 	// while installing the container storage interface  addon; those kind of errors are usually transient
 	// the operation is automatically re-tried by the controller.
 	CSIProvisioningFailedReason = "CSIProvisioningFailed"
-
-	// VCenterAvailableCondition documents the connectivity with vcenter
-	// for a given VSphereCluster
-	VCenterAvailableCondition clusterv1.ConditionType = "VCenterAvailable"
-
-	// VCenterUnreachableReason (Severity=Error) documents a VSphereCluster controller detecting
-	// issues with VCenter reachability;
-	VCenterUnreachableReason = "VCenterUnreachable"
 )
 
 // Conditions and condition Reasons for the VSphereMachine and the VSphereVM object.
@@ -108,3 +100,24 @@ const (
 	// NOTE: This reason does not apply to VSphereVM (this state happens after the VSphereVM is in ready state).
 	WaitingForNetworkAddressesReason = "WaitingForNetworkAddresses"
 )
+
+// Conditions and Reasons related to utilizing a VSphereIdentity to make connections to a VCenter. Can currently be used by VSphereCluster and VSphereVM
+
+const (
+	// VCenterAvailableCondition documents the connectivity with vcenter
+	// for a given VSphereCluster
+	VCenterAvailableCondition clusterv1.ConditionType = "VCenterAvailable"
+
+	// VCenterUnreachableReason (Severity=Error) documents a VSphereCluster controller detecting
+	// issues with VCenter reachability;
+	VCenterUnreachableReason = "VCenterUnreachable"
+
+	// CredentialsAvailableCondidtion is used by VSphereClusterIdentity when a credential secret is available and unused by other VSphereClusterIdentities
+	CredentialsAvailableCondidtion clusterv1.ConditionType = "CredentialsAvailable"
+
+	// SecretNotAvailableReason is used when the secret referenced by the VSphereClusterIdentity cannot be found
+	SecretNotAvailableReason = "SecretNotAvailable"
+
+	// SecretAlreadyInUseReason is used when another VSphereClusterIdentity is using the secret
+	SecretAlreadyInUseReason = "SecretInUse"
+)

api/v1alpha3/vspherecluster_types.go

@@ -62,6 +62,11 @@ type VSphereClusterSpec struct {
 	// DEPRECATED: will be removed in v1alpha4
 	// +optional
 	LoadBalancerRef *corev1.ObjectReference `json:"loadBalancerRef,omitempty"`
+
+	// IdentityRef is a reference to either a Secret or VSphereClusterIdentity that contains
+	// the identity to use when reconciling the cluster.
+	// +optional
+	IdentityRef *VSphereIdentityReference `json:"identityRef,omitempty"`
 }
 
 // VSphereClusterStatus defines the observed state of VSphereClusterSpec

api/v1alpha3/vsphereclusteridentity_types.go

@@ -0,0 +1,104 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3"
+)
+
+const (
+	SecretIdentitySetFinalizer = "identity/infrastructure.cluster.x-k8s.io"
+)
+
+type VSphereClusterIdentitySpec struct {
+	// SecretName references a Secret inside the controller namespace with the credentials to use
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+
+	// AllowedNamespaces is used to identify which namespaces are allowed to use this account.
+	// Namespaces can be selected with a label selector.
+	// If this object is nil, no namespaces will be allowed
+	// +optional
+	AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces,omitempty"`
+}
+
+type VSphereClusterIdentityStatus struct {
+	// +optional
+	Ready bool `json:"ready,omitempty"`
+
+	// Conditions defines current service state of the VSphereCluster.
+	// +optional
+	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
+}
+
+type AllowedNamespaces struct {
+	// Selector is a standard Kubernetes LabelSelector. A label query over a set of resources.
+	// +optional
+	Selector metav1.LabelSelector `json:"selector"`
+}
+
+type VSphereIdentityKind string
+
+var (
+	VSphereClusterIdentityKind = VSphereIdentityKind("VSphereClusterIdentity")
+	SecretKind                 = VSphereIdentityKind("Secret")
+)
+
+type VSphereIdentityReference struct {
+	// Kind of the identity. Can either be VSphereClusterIdentity or Secret
+	// +kubebuilder:validation:Enum=VSphereClusterIdentity;Secret
+	Kind VSphereIdentityKind `json:"kind"`
+
+	// Name of the identity.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+}
+
+func (c *VSphereClusterIdentity) GetConditions() clusterv1.Conditions {
+	return c.Status.Conditions
+}
+
+func (c *VSphereClusterIdentity) SetConditions(conditions clusterv1.Conditions) {
+	c.Status.Conditions = conditions
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=vsphereclusteridentities,scope=Cluster,categories=cluster-api
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+
+// VSphereClusterIdentity defines the account to be used for reconciling clusters
+type VSphereClusterIdentity struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   VSphereClusterIdentitySpec   `json:"spec,omitempty"`
+	Status VSphereClusterIdentityStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// VSphereClusterIdentityList contains a list of VSphereClusterIdentity
+type VSphereClusterIdentityList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []VSphereClusterIdentity `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&VSphereClusterIdentity{}, &VSphereClusterIdentityList{})
+}