From 0f1a5c52c83494c037fa24013ef99997b1ae1f63 Mon Sep 17 00:00:00 2001 From: vaspahomov Date: Fri, 29 Oct 2021 13:00:04 +0500 Subject: [PATCH] Add Application, Role, Group, RoleAssignment support Signed-off-by: vaspahomov --- apis/azure.go | 2 + apis/rbac/rbac.go | 18 + apis/rbac/v1alpha1/doc.go | 21 + apis/rbac/v1alpha1/referencers.go | 68 +++ apis/rbac/v1alpha1/register.go | 62 +++ apis/rbac/v1alpha1/types.go | 206 +++++++++ apis/rbac/v1alpha1/zz_generated.deepcopy.go | 392 ++++++++++++++++++ apis/rbac/v1alpha1/zz_generated.managed.go | 189 +++++++++ .../rbac/v1alpha1/zz_generated.managedlist.go | 48 +++ examples/rbac/application.yaml | 13 + examples/rbac/roleassignment.yaml | 11 + examples/rbac/serviceprincipal.yaml | 11 + ...rbac.azure.crossplane.io_applications.yaml | 155 +++++++ ...c.azure.crossplane.io_roleassignments.yaml | 171 ++++++++ ...azure.crossplane.io_serviceprincipals.yaml | 165 ++++++++ pkg/clients/azure.go | 22 +- pkg/clients/rbac/fake/application.go | 51 +++ pkg/clients/rbac/fake/role_assignment.go | 50 +++ pkg/clients/rbac/fake/service_principal.go | 50 +++ pkg/controller/azure.go | 6 + pkg/controller/rbac/application/managed.go | 189 +++++++++ .../rbac/application/managed_test.go | 302 ++++++++++++++ pkg/controller/rbac/roleassignment/managed.go | 160 +++++++ .../rbac/roleassignment/managed_test.go | 281 +++++++++++++ .../rbac/serviceprincipal/managed.go | 152 +++++++ .../rbac/serviceprincipal/managed_test.go | 300 ++++++++++++++ 26 files changed, 3090 insertions(+), 5 deletions(-) create mode 100644 apis/rbac/rbac.go create mode 100644 apis/rbac/v1alpha1/doc.go create mode 100644 apis/rbac/v1alpha1/referencers.go create mode 100644 apis/rbac/v1alpha1/register.go create mode 100644 apis/rbac/v1alpha1/types.go create mode 100644 apis/rbac/v1alpha1/zz_generated.deepcopy.go create mode 100644 apis/rbac/v1alpha1/zz_generated.managed.go create mode 100644 apis/rbac/v1alpha1/zz_generated.managedlist.go create mode 100644 examples/rbac/application.yaml create mode 100644 examples/rbac/roleassignment.yaml create mode 100644 examples/rbac/serviceprincipal.yaml create mode 100644 package/crds/rbac.azure.crossplane.io_applications.yaml create mode 100644 package/crds/rbac.azure.crossplane.io_roleassignments.yaml create mode 100644 package/crds/rbac.azure.crossplane.io_serviceprincipals.yaml create mode 100644 pkg/clients/rbac/fake/application.go create mode 100644 pkg/clients/rbac/fake/role_assignment.go create mode 100644 pkg/clients/rbac/fake/service_principal.go create mode 100644 pkg/controller/rbac/application/managed.go create mode 100644 pkg/controller/rbac/application/managed_test.go create mode 100644 pkg/controller/rbac/roleassignment/managed.go create mode 100644 pkg/controller/rbac/roleassignment/managed_test.go create mode 100644 pkg/controller/rbac/serviceprincipal/managed.go create mode 100644 pkg/controller/rbac/serviceprincipal/managed_test.go diff --git a/apis/azure.go b/apis/azure.go index d2515dff..857653c4 100644 --- a/apis/azure.go +++ b/apis/azure.go @@ -26,6 +26,7 @@ import ( databasev1beta1 "github.com/crossplane/provider-azure/apis/database/v1beta1" keyvaultv1alpha1 "github.com/crossplane/provider-azure/apis/keyvault/v1alpha1" networkv1alpha3 "github.com/crossplane/provider-azure/apis/network/v1alpha3" + rbacv1alpha1 "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" storagev1alpha3 "github.com/crossplane/provider-azure/apis/storage/v1alpha3" azurev1alpha3 "github.com/crossplane/provider-azure/apis/v1alpha3" azurev1beta1 "github.com/crossplane/provider-azure/apis/v1beta1" @@ -42,6 +43,7 @@ func init() { databasev1beta1.SchemeBuilder.AddToScheme, keyvaultv1alpha1.SchemeBuilder.AddToScheme, networkv1alpha3.SchemeBuilder.AddToScheme, + rbacv1alpha1.SchemeBuilder.AddToScheme, storagev1alpha3.SchemeBuilder.AddToScheme, ) } diff --git a/apis/rbac/rbac.go b/apis/rbac/rbac.go new file mode 100644 index 00000000..c113ae50 --- /dev/null +++ b/apis/rbac/rbac.go @@ -0,0 +1,18 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package rbac contains Azure rbac API versions +package rbac diff --git a/apis/rbac/v1alpha1/doc.go b/apis/rbac/v1alpha1/doc.go new file mode 100644 index 00000000..7507fd9f --- /dev/null +++ b/apis/rbac/v1alpha1/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1alpha1 contains managed resources for Azure rbac. +// +kubebuilder:object:generate=true +// +groupName=rbac.azure.crossplane.io +// +versionName=v1alpha1 +package v1alpha1 diff --git a/apis/rbac/v1alpha1/referencers.go b/apis/rbac/v1alpha1/referencers.go new file mode 100644 index 00000000..30159e40 --- /dev/null +++ b/apis/rbac/v1alpha1/referencers.go @@ -0,0 +1,68 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "context" + + "github.com/pkg/errors" + + "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/crossplane/crossplane-runtime/pkg/reference" +) + +// ResolveReferences of this ServicePrincipal +func (mg *ServicePrincipal) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + // Resolve spec.applicationID + rsp, err := r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: mg.Spec.ForProvider.ApplicationID, + Reference: mg.Spec.ForProvider.ApplicationIDRef, + Selector: mg.Spec.ForProvider.ApplicationIDSelector, + To: reference.To{Managed: &Application{}, List: &ApplicationList{}}, + Extract: reference.ExternalName(), + }) + if err != nil { + return errors.Wrap(err, "spec.applicationID") + } + mg.Spec.ForProvider.ApplicationID = rsp.ResolvedValue + mg.Spec.ForProvider.ApplicationIDRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this ServicePrincipal +func (mg *RoleAssignment) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + rsp, err := r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: mg.Spec.ForProvider.PrincipalID, + Reference: mg.Spec.ForProvider.PrincipalIDRef, + Selector: mg.Spec.ForProvider.PrincipalIDSelector, + To: reference.To{Managed: &ServicePrincipal{}, List: &ServicePrincipalList{}}, + Extract: reference.ExternalName(), + }) + if err != nil { + return errors.Wrap(err, "spec.principalID") + } + mg.Spec.ForProvider.PrincipalID = rsp.ResolvedValue + mg.Spec.ForProvider.PrincipalIDRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/rbac/v1alpha1/register.go b/apis/rbac/v1alpha1/register.go new file mode 100644 index 00000000..56650871 --- /dev/null +++ b/apis/rbac/v1alpha1/register.go @@ -0,0 +1,62 @@ +/* +Copyright 2019 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "reflect" + + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + Group = "rbac.azure.crossplane.io" + Version = "v1alpha1" +) + +var ( + // SchemeGroupVersion is group version used to register these objects + SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion} +) + +// Application type metadata. +var ( + ApplicationKind = reflect.TypeOf(Application{}).Name() + ApplicationGroupKind = schema.GroupKind{Group: Group, Kind: ApplicationKind}.String() + ApplicationKindAPIVersion = ApplicationKind + "." + SchemeGroupVersion.String() + ApplicationGroupVersionKind = SchemeGroupVersion.WithKind(ApplicationKind) + + ServicePrincipalKind = reflect.TypeOf(ServicePrincipal{}).Name() + ServicePrincipalGroupKind = schema.GroupKind{Group: Group, Kind: ServicePrincipalKind}.String() + ServicePrincipalKindAPIVersion = ServicePrincipalKind + "." + SchemeGroupVersion.String() + ServicePrincipalGroupVersionKind = SchemeGroupVersion.WithKind(ServicePrincipalKind) + + RoleAssignmentKind = reflect.TypeOf(RoleAssignment{}).Name() + RoleAssignmentGroupKind = schema.GroupKind{Group: Group, Kind: RoleAssignmentKind}.String() + RoleAssignmentKindAPIVersion = RoleAssignmentKind + "." + SchemeGroupVersion.String() + RoleAssignmentGroupVersionKind = SchemeGroupVersion.WithKind(RoleAssignmentKind) +) + +func init() { + SchemeBuilder.Register(&Application{}, &ApplicationList{}) + SchemeBuilder.Register(&ServicePrincipal{}, &ServicePrincipalList{}) + SchemeBuilder.Register(&RoleAssignment{}, &RoleAssignmentList{}) +} diff --git a/apis/rbac/v1alpha1/types.go b/apis/rbac/v1alpha1/types.go new file mode 100644 index 00000000..3595d17d --- /dev/null +++ b/apis/rbac/v1alpha1/types.go @@ -0,0 +1,206 @@ +/* +Copyright 2019 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +// ApplicationParameters parameters for an application. +type ApplicationParameters struct { + // AvailableToOtherTenants - Whether the application is available to other tenants. + // +optional + // +immutable + AvailableToOtherTenants *bool `json:"availableToOtherTenants,omitempty"` + + // DisplayName - The display name of the application. + // +optional + // +immutable + DisplayName *string `json:"displayName,omitempty"` + + // Homepage - The home page of the application. + // +optional + // +immutable + Homepage *string `json:"homepage,omitempty"` + + // IdentifierUris - A collection of URIs for the application. + // +optional + // +immutable + IdentifierURIs []string `json:"identifierUris,omitempty"` +} + +// An ApplicationSpec defines the desired state of an Application. +type ApplicationSpec struct { + xpv1.ResourceSpec `json:",inline"` + ForProvider ApplicationParameters `json:"forProvider"` +} + +// An ApplicationStatus represents the observed state of an Application. +type ApplicationStatus struct { + xpv1.ResourceStatus `json:",inline"` + + // ApplicationID - The application ID. + ApplicationID string `json:"applicationID,omitempty"` +} + +// +kubebuilder:object:root=true + +// A Application is a managed resource that represents an Application. +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,azure} +type Application struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec ApplicationSpec `json:"spec"` + Status ApplicationStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// ApplicationList contains a list of Application items +type ApplicationList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Application `json:"items"` +} + +// An ServicePrincipalParameters defines the desired state of an ServicePrincipal. +type ServicePrincipalParameters struct { + // ApplicationID - The application ID. + // +optional + ApplicationID string `json:"applicationID,omitempty"` + + // ApplicationIDRef - A reference to the Application id. + // +optional + // +immutable + ApplicationIDRef *xpv1.Reference `json:"applicationIDRef,omitempty"` + + // ApplicationIDSelector - Select a reference to the Application id. + // +immutable + ApplicationIDSelector *xpv1.Selector `json:"applicationIDSelector,omitempty"` + + // AccountEnabled - whether or not the service principal account is enabled + // +optional + // +immutable + AccountEnabled *bool `json:"accountEnabled,omitempty"` +} + +// An ServicePrincipalSpec defines the desired state of an ServicePrincipal. +type ServicePrincipalSpec struct { + xpv1.ResourceSpec `json:",inline"` + ForProvider ServicePrincipalParameters `json:"forProvider"` +} + +// An ServicePrincipalStatus represents the observed state of an ServicePrincipal. +type ServicePrincipalStatus struct { + xpv1.ResourceStatus `json:",inline"` +} + +// +kubebuilder:object:root=true + +// A ServicePrincipal is a managed resource that represents an ServicePrincipal. +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,azure} +type ServicePrincipal struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec ServicePrincipalSpec `json:"spec"` + Status ServicePrincipalStatus `json:"status,omitempty"` +} + +// An RoleAssignmentParameters defines the desired state of an RoleAssignment. +type RoleAssignmentParameters struct { + // PrincipalID - The principal ID assigned to the role. + // This maps to the ID inside the Active Directory. + // It can point to a user, service principal, or security group. + // +optional + PrincipalID string `json:"principalID,omitempty"` + + // PrincipalIDRef - A reference to the Principal id. + // +optional + // +immutable + PrincipalIDRef *xpv1.Reference `json:"principalIDRef,omitempty"` + + // PrincipalIDRef - Select a reference to the Principal id. + // +immutable + PrincipalIDSelector *xpv1.Selector `json:"principalIDSelector,omitempty"` + + // RoleID - The role definition ID. + // +immutable + // +kubebuilder:validation:Required + RoleID string `json:"roleID"` + + // Scope - The role assignment scope. + // +immutable + // +kubebuilder:validation:Required + Scope string `json:"scope"` +} + +// +kubebuilder:object:root=true + +// ServicePrincipalList contains a list of ServicePrincipal items +type ServicePrincipalList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ServicePrincipal `json:"items"` +} + +// An RoleAssignmentSpec defines the desired state of an RoleAssignment. +type RoleAssignmentSpec struct { + xpv1.ResourceSpec `json:",inline"` + ForProvider RoleAssignmentParameters `json:"forProvider"` +} + +// An RoleAssignmentStatus represents the observed state of an RoleAssignment. +type RoleAssignmentStatus struct { + xpv1.ResourceStatus `json:",inline"` +} + +// +kubebuilder:object:root=true + +// A RoleAssignment is a managed resource that represents an RoleAssignment. +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,azure} +type RoleAssignment struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec RoleAssignmentSpec `json:"spec"` + Status RoleAssignmentStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// RoleAssignmentList contains a list of RoleAssignment items +type RoleAssignmentList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []RoleAssignment `json:"items"` +} diff --git a/apis/rbac/v1alpha1/zz_generated.deepcopy.go b/apis/rbac/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..61af5842 --- /dev/null +++ b/apis/rbac/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,392 @@ +// +build !ignore_autogenerated + +/* +Copyright 2019 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Application) DeepCopyInto(out *Application) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Application. +func (in *Application) DeepCopy() *Application { + if in == nil { + return nil + } + out := new(Application) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Application) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ApplicationList) DeepCopyInto(out *ApplicationList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Application, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationList. +func (in *ApplicationList) DeepCopy() *ApplicationList { + if in == nil { + return nil + } + out := new(ApplicationList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ApplicationList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ApplicationParameters) DeepCopyInto(out *ApplicationParameters) { + *out = *in + if in.AvailableToOtherTenants != nil { + in, out := &in.AvailableToOtherTenants, &out.AvailableToOtherTenants + *out = new(bool) + **out = **in + } + if in.DisplayName != nil { + in, out := &in.DisplayName, &out.DisplayName + *out = new(string) + **out = **in + } + if in.Homepage != nil { + in, out := &in.Homepage, &out.Homepage + *out = new(string) + **out = **in + } + if in.IdentifierURIs != nil { + in, out := &in.IdentifierURIs, &out.IdentifierURIs + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationParameters. +func (in *ApplicationParameters) DeepCopy() *ApplicationParameters { + if in == nil { + return nil + } + out := new(ApplicationParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ApplicationSpec) DeepCopyInto(out *ApplicationSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationSpec. +func (in *ApplicationSpec) DeepCopy() *ApplicationSpec { + if in == nil { + return nil + } + out := new(ApplicationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ApplicationStatus) DeepCopyInto(out *ApplicationStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationStatus. +func (in *ApplicationStatus) DeepCopy() *ApplicationStatus { + if in == nil { + return nil + } + out := new(ApplicationStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RoleAssignment) DeepCopyInto(out *RoleAssignment) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAssignment. +func (in *RoleAssignment) DeepCopy() *RoleAssignment { + if in == nil { + return nil + } + out := new(RoleAssignment) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RoleAssignment) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RoleAssignmentList) DeepCopyInto(out *RoleAssignmentList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]RoleAssignment, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAssignmentList. +func (in *RoleAssignmentList) DeepCopy() *RoleAssignmentList { + if in == nil { + return nil + } + out := new(RoleAssignmentList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RoleAssignmentList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RoleAssignmentParameters) DeepCopyInto(out *RoleAssignmentParameters) { + *out = *in + if in.PrincipalIDRef != nil { + in, out := &in.PrincipalIDRef, &out.PrincipalIDRef + *out = new(v1.Reference) + **out = **in + } + if in.PrincipalIDSelector != nil { + in, out := &in.PrincipalIDSelector, &out.PrincipalIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAssignmentParameters. +func (in *RoleAssignmentParameters) DeepCopy() *RoleAssignmentParameters { + if in == nil { + return nil + } + out := new(RoleAssignmentParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RoleAssignmentSpec) DeepCopyInto(out *RoleAssignmentSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAssignmentSpec. +func (in *RoleAssignmentSpec) DeepCopy() *RoleAssignmentSpec { + if in == nil { + return nil + } + out := new(RoleAssignmentSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RoleAssignmentStatus) DeepCopyInto(out *RoleAssignmentStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAssignmentStatus. +func (in *RoleAssignmentStatus) DeepCopy() *RoleAssignmentStatus { + if in == nil { + return nil + } + out := new(RoleAssignmentStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServicePrincipal) DeepCopyInto(out *ServicePrincipal) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePrincipal. +func (in *ServicePrincipal) DeepCopy() *ServicePrincipal { + if in == nil { + return nil + } + out := new(ServicePrincipal) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServicePrincipal) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServicePrincipalList) DeepCopyInto(out *ServicePrincipalList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ServicePrincipal, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePrincipalList. +func (in *ServicePrincipalList) DeepCopy() *ServicePrincipalList { + if in == nil { + return nil + } + out := new(ServicePrincipalList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServicePrincipalList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServicePrincipalParameters) DeepCopyInto(out *ServicePrincipalParameters) { + *out = *in + if in.ApplicationIDRef != nil { + in, out := &in.ApplicationIDRef, &out.ApplicationIDRef + *out = new(v1.Reference) + **out = **in + } + if in.ApplicationIDSelector != nil { + in, out := &in.ApplicationIDSelector, &out.ApplicationIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.AccountEnabled != nil { + in, out := &in.AccountEnabled, &out.AccountEnabled + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePrincipalParameters. +func (in *ServicePrincipalParameters) DeepCopy() *ServicePrincipalParameters { + if in == nil { + return nil + } + out := new(ServicePrincipalParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServicePrincipalSpec) DeepCopyInto(out *ServicePrincipalSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePrincipalSpec. +func (in *ServicePrincipalSpec) DeepCopy() *ServicePrincipalSpec { + if in == nil { + return nil + } + out := new(ServicePrincipalSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServicePrincipalStatus) DeepCopyInto(out *ServicePrincipalStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePrincipalStatus. +func (in *ServicePrincipalStatus) DeepCopy() *ServicePrincipalStatus { + if in == nil { + return nil + } + out := new(ServicePrincipalStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/rbac/v1alpha1/zz_generated.managed.go b/apis/rbac/v1alpha1/zz_generated.managed.go new file mode 100644 index 00000000..43acf44b --- /dev/null +++ b/apis/rbac/v1alpha1/zz_generated.managed.go @@ -0,0 +1,189 @@ +/* +Copyright 2019 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + +// GetCondition of this Application. +func (mg *Application) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this Application. +func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetProviderConfigReference of this Application. +func (mg *Application) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +/* +GetProviderReference of this Application. +Deprecated: Use GetProviderConfigReference. +*/ +func (mg *Application) GetProviderReference() *xpv1.Reference { + return mg.Spec.ProviderReference +} + +// GetWriteConnectionSecretToReference of this Application. +func (mg *Application) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this Application. +func (mg *Application) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this Application. +func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetProviderConfigReference of this Application. +func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +/* +SetProviderReference of this Application. +Deprecated: Use SetProviderConfigReference. +*/ +func (mg *Application) SetProviderReference(r *xpv1.Reference) { + mg.Spec.ProviderReference = r +} + +// SetWriteConnectionSecretToReference of this Application. +func (mg *Application) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} + +// GetCondition of this RoleAssignment. +func (mg *RoleAssignment) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this RoleAssignment. +func (mg *RoleAssignment) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetProviderConfigReference of this RoleAssignment. +func (mg *RoleAssignment) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +/* +GetProviderReference of this RoleAssignment. +Deprecated: Use GetProviderConfigReference. +*/ +func (mg *RoleAssignment) GetProviderReference() *xpv1.Reference { + return mg.Spec.ProviderReference +} + +// GetWriteConnectionSecretToReference of this RoleAssignment. +func (mg *RoleAssignment) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this RoleAssignment. +func (mg *RoleAssignment) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this RoleAssignment. +func (mg *RoleAssignment) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetProviderConfigReference of this RoleAssignment. +func (mg *RoleAssignment) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +/* +SetProviderReference of this RoleAssignment. +Deprecated: Use SetProviderConfigReference. +*/ +func (mg *RoleAssignment) SetProviderReference(r *xpv1.Reference) { + mg.Spec.ProviderReference = r +} + +// SetWriteConnectionSecretToReference of this RoleAssignment. +func (mg *RoleAssignment) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} + +// GetCondition of this ServicePrincipal. +func (mg *ServicePrincipal) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this ServicePrincipal. +func (mg *ServicePrincipal) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetProviderConfigReference of this ServicePrincipal. +func (mg *ServicePrincipal) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +/* +GetProviderReference of this ServicePrincipal. +Deprecated: Use GetProviderConfigReference. +*/ +func (mg *ServicePrincipal) GetProviderReference() *xpv1.Reference { + return mg.Spec.ProviderReference +} + +// GetWriteConnectionSecretToReference of this ServicePrincipal. +func (mg *ServicePrincipal) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this ServicePrincipal. +func (mg *ServicePrincipal) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this ServicePrincipal. +func (mg *ServicePrincipal) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetProviderConfigReference of this ServicePrincipal. +func (mg *ServicePrincipal) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +/* +SetProviderReference of this ServicePrincipal. +Deprecated: Use SetProviderConfigReference. +*/ +func (mg *ServicePrincipal) SetProviderReference(r *xpv1.Reference) { + mg.Spec.ProviderReference = r +} + +// SetWriteConnectionSecretToReference of this ServicePrincipal. +func (mg *ServicePrincipal) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/rbac/v1alpha1/zz_generated.managedlist.go b/apis/rbac/v1alpha1/zz_generated.managedlist.go new file mode 100644 index 00000000..061ea3c2 --- /dev/null +++ b/apis/rbac/v1alpha1/zz_generated.managedlist.go @@ -0,0 +1,48 @@ +/* +Copyright 2019 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import resource "github.com/crossplane/crossplane-runtime/pkg/resource" + +// GetItems of this ApplicationList. +func (l *ApplicationList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} + +// GetItems of this RoleAssignmentList. +func (l *RoleAssignmentList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} + +// GetItems of this ServicePrincipalList. +func (l *ServicePrincipalList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/examples/rbac/application.yaml b/examples/rbac/application.yaml new file mode 100644 index 00000000..e4d90c07 --- /dev/null +++ b/examples/rbac/application.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.azure.crossplane.io/v1alpha1 +kind: Application +metadata: + name: example-app +spec: + forProvider: + availableToOtherTenants: false + displayName: exampleapp + homepage: https://exampleapp.com + identifierUris: + - https://exampleapp.com + providerConfigRef: + name: example \ No newline at end of file diff --git a/examples/rbac/roleassignment.yaml b/examples/rbac/roleassignment.yaml new file mode 100644 index 00000000..2d7bee47 --- /dev/null +++ b/examples/rbac/roleassignment.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.azure.crossplane.io/v1alpha1 +kind: RoleAssignment +metadata: + name: contributor-sp +spec: + forProvider: + roleID: /providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c + principalIDRef: + name: example-sp + providerConfigRef: + name: example diff --git a/examples/rbac/serviceprincipal.yaml b/examples/rbac/serviceprincipal.yaml new file mode 100644 index 00000000..06891649 --- /dev/null +++ b/examples/rbac/serviceprincipal.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.azure.crossplane.io/v1alpha1 +kind: ServicePrincipal +metadata: + name: example-sp +spec: + forProvider: + applicationIDRef: + name: example-app + accountEnabled: true + providerConfigRef: + name: example \ No newline at end of file diff --git a/package/crds/rbac.azure.crossplane.io_applications.yaml b/package/crds/rbac.azure.crossplane.io_applications.yaml new file mode 100644 index 00000000..a5772dd1 --- /dev/null +++ b/package/crds/rbac.azure.crossplane.io_applications.yaml @@ -0,0 +1,155 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: applications.rbac.azure.crossplane.io +spec: + group: rbac.azure.crossplane.io + names: + categories: + - crossplane + - managed + - azure + kind: Application + listKind: ApplicationList + plural: applications + singular: application + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: A Application is a managed resource that represents an Application. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An ApplicationSpec defines the desired state of an Application. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: ApplicationParameters parameters for an application. + properties: + availableToOtherTenants: + description: AvailableToOtherTenants - Whether the application is available to other tenants. + type: boolean + displayName: + description: DisplayName - The display name of the application. + type: string + homepage: + description: Homepage - The home page of the application. + type: string + identifierUris: + description: IdentifierUris - A collection of URIs for the application. + items: + type: string + type: array + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An ApplicationStatus represents the observed state of an Application. + properties: + applicationID: + description: ApplicationID - The application ID. + type: string + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from one status to another. + type: string + status: + description: Status of this condition; is it currently True, False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/package/crds/rbac.azure.crossplane.io_roleassignments.yaml b/package/crds/rbac.azure.crossplane.io_roleassignments.yaml new file mode 100644 index 00000000..eba70ed4 --- /dev/null +++ b/package/crds/rbac.azure.crossplane.io_roleassignments.yaml @@ -0,0 +1,171 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: roleassignments.rbac.azure.crossplane.io +spec: + group: rbac.azure.crossplane.io + names: + categories: + - crossplane + - managed + - azure + kind: RoleAssignment + listKind: RoleAssignmentList + plural: roleassignments + singular: roleassignment + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: A RoleAssignment is a managed resource that represents an RoleAssignment. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An RoleAssignmentSpec defines the desired state of an RoleAssignment. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: An RoleAssignmentParameters defines the desired state of an RoleAssignment. + properties: + principalID: + description: PrincipalID - The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. + type: string + principalIDRef: + description: PrincipalIDRef - A reference to the Principal id. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + principalIDSelector: + description: PrincipalIDRef - Select a reference to the Principal id. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels is selected. + type: object + type: object + roleID: + description: RoleID - The role definition ID. + type: string + scope: + description: Scope - The role assignment scope. + type: string + required: + - roleID + - scope + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An RoleAssignmentStatus represents the observed state of an RoleAssignment. + properties: + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from one status to another. + type: string + status: + description: Status of this condition; is it currently True, False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/package/crds/rbac.azure.crossplane.io_serviceprincipals.yaml b/package/crds/rbac.azure.crossplane.io_serviceprincipals.yaml new file mode 100644 index 00000000..e7ecd072 --- /dev/null +++ b/package/crds/rbac.azure.crossplane.io_serviceprincipals.yaml @@ -0,0 +1,165 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: serviceprincipals.rbac.azure.crossplane.io +spec: + group: rbac.azure.crossplane.io + names: + categories: + - crossplane + - managed + - azure + kind: ServicePrincipal + listKind: ServicePrincipalList + plural: serviceprincipals + singular: serviceprincipal + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: A ServicePrincipal is a managed resource that represents an ServicePrincipal. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An ServicePrincipalSpec defines the desired state of an ServicePrincipal. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: An ServicePrincipalParameters defines the desired state of an ServicePrincipal. + properties: + accountEnabled: + description: AccountEnabled - whether or not the service principal account is enabled + type: boolean + applicationID: + description: ApplicationID - The application ID. + type: string + applicationIDRef: + description: ApplicationIDRef - A reference to the Application id. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + applicationIDSelector: + description: ApplicationIDSelector - Select a reference to the Application id. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels is selected. + type: object + type: object + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An ServicePrincipalStatus represents the observed state of an ServicePrincipal. + properties: + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from one status to another. + type: string + status: + description: Status of this condition; is it currently True, False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/pkg/clients/azure.go b/pkg/clients/azure.go index 1272009a..cfd2d61d 100644 --- a/pkg/clients/azure.go +++ b/pkg/clients/azure.go @@ -113,14 +113,26 @@ func UseProvider(ctx context.Context, c client.Client, mg resource.Managed) (con if err := json.Unmarshal(s.Data[ref.Key], &m); err != nil { return nil, nil, errors.Wrap(err, errUnmarshalCredentialSecret) } - cfg := auth.NewClientCredentialsConfig(m[CredentialsKeyClientID], m[CredentialsKeyClientSecret], m[CredentialsKeyTenantID]) - cfg.AADEndpoint = m[CredentialsKeyActiveDirectoryEndpointURL] - cfg.Resource = m[CredentialsKeyResourceManagerEndpointURL] - - a, err := cfg.Authorizer() + a, err := NewResourceManagerAuthorizer(m) return m, a, errors.Wrap(err, errGetAuthorizer) } +// NewADGraphResourceIDAuthorizer creates new authorizer with ActiveDirectoryGraph +func NewADGraphResourceIDAuthorizer(creds map[string]string) (autorest.Authorizer, error) { + cfg := auth.NewClientCredentialsConfig(creds[CredentialsKeyClientID], creds[CredentialsKeyClientSecret], creds[CredentialsKeyTenantID]) + cfg.AADEndpoint = creds[CredentialsKeyActiveDirectoryEndpointURL] + cfg.Resource = creds[CredentialsKeyActiveDirectoryGraphResourceID] + return cfg.Authorizer() +} + +// NewResourceManagerAuthorizer creates new authorizer with ResourceManager +func NewResourceManagerAuthorizer(creds map[string]string) (autorest.Authorizer, error) { + cfg := auth.NewClientCredentialsConfig(creds[CredentialsKeyClientID], creds[CredentialsKeyClientSecret], creds[CredentialsKeyTenantID]) + cfg.AADEndpoint = creds[CredentialsKeyActiveDirectoryEndpointURL] + cfg.Resource = creds[CredentialsKeyResourceManagerEndpointURL] + return cfg.Authorizer() +} + // UseProviderConfig to return the necessary information to construct an Azure // client. func UseProviderConfig(ctx context.Context, c client.Client, mg resource.Managed) (content map[string]string, authorizer autorest.Authorizer, err error) { diff --git a/pkg/clients/rbac/fake/application.go b/pkg/clients/rbac/fake/application.go new file mode 100644 index 00000000..e65dbfa3 --- /dev/null +++ b/pkg/clients/rbac/fake/application.go @@ -0,0 +1,51 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac/graphrbacapi" + "github.com/Azure/go-autorest/autorest" +) + +var _ graphrbacapi.ApplicationsClientAPI = &MockApplicationsClient{} + +// MockApplicationsClient is a fake implementation of graphrbacapi.ApplicationsClientAPI. +type MockApplicationsClient struct { + graphrbacapi.ApplicationsClientAPI + + MockCreate func(ctx context.Context, parameters graphrbac.ApplicationCreateParameters) (result graphrbac.Application, err error) + MockDelete func(ctx context.Context, applicationObjectID string) (result autorest.Response, err error) + MockGet func(ctx context.Context, applicationObjectID string) (result graphrbac.Application, err error) +} + +// Create calls the MockApplicationsClient's MockCreateOrUpdate method. +func (c *MockApplicationsClient) Create(ctx context.Context, parameters graphrbac.ApplicationCreateParameters) (result graphrbac.Application, err error) { + return c.MockCreate(ctx, parameters) +} + +// Delete calls the MockApplicationsClient's MockDelete method. +func (c *MockApplicationsClient) Delete(ctx context.Context, applicationObjectID string) (result autorest.Response, err error) { + return c.MockDelete(ctx, applicationObjectID) +} + +// Get calls the MockApplicationsClient's MockGet method. +func (c *MockApplicationsClient) Get(ctx context.Context, applicationObjectID string) (result graphrbac.Application, err error) { + return c.MockGet(ctx, applicationObjectID) +} diff --git a/pkg/clients/rbac/fake/role_assignment.go b/pkg/clients/rbac/fake/role_assignment.go new file mode 100644 index 00000000..2edd89ab --- /dev/null +++ b/pkg/clients/rbac/fake/role_assignment.go @@ -0,0 +1,50 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization" + "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization/authorizationapi" +) + +var _ authorizationapi.RoleAssignmentsClientAPI = &MockRoleAssignmentClient{} + +// MockRoleAssignmentClient is a fake implementation of graphrbacapi.ApplicationsClientAPI. +type MockRoleAssignmentClient struct { + authorizationapi.RoleAssignmentsClientAPI + + MockCreate func(ctx context.Context, scope string, roleAssignmentName string, parameters authorization.RoleAssignmentCreateParameters) (result authorization.RoleAssignment, err error) + MockListForScopeComplete func(ctx context.Context, scope string, filter string) (result authorization.RoleAssignmentListResultIterator, err error) + MockDelete func(ctx context.Context, scope string, roleAssignmentName string) (result authorization.RoleAssignment, err error) +} + +// Create calls the MockRoleAssignmentClient's MockCreate method. +func (c *MockRoleAssignmentClient) Create(ctx context.Context, scope string, roleAssignmentName string, parameters authorization.RoleAssignmentCreateParameters) (result authorization.RoleAssignment, err error) { + return c.MockCreate(ctx, scope, roleAssignmentName, parameters) +} + +// Delete calls the MockRoleAssignmentClient's MockDelete method. +func (c *MockRoleAssignmentClient) Delete(ctx context.Context, scope string, roleAssignmentName string) (result authorization.RoleAssignment, err error) { + return c.MockDelete(ctx, scope, roleAssignmentName) +} + +// ListForScopeComplete calls the MockRoleAssignmentClient's MockListForScopeComplete method. +func (c *MockRoleAssignmentClient) ListForScopeComplete(ctx context.Context, scope string, filter string) (result authorization.RoleAssignmentListResultIterator, err error) { + return c.MockListForScopeComplete(ctx, scope, filter) +} diff --git a/pkg/clients/rbac/fake/service_principal.go b/pkg/clients/rbac/fake/service_principal.go new file mode 100644 index 00000000..6003f366 --- /dev/null +++ b/pkg/clients/rbac/fake/service_principal.go @@ -0,0 +1,50 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac/graphrbacapi" + "github.com/Azure/go-autorest/autorest" +) + +var _ graphrbacapi.ServicePrincipalsClientAPI = &MockServicePrincipalClient{} + +// MockServicePrincipalClient is a fake implementation of graphrbacapi.ServicePrincipalsClientAPI. +type MockServicePrincipalClient struct { + graphrbacapi.ServicePrincipalsClientAPI + MockCreate func(ctx context.Context, parameters graphrbac.ServicePrincipalCreateParameters) (result graphrbac.ServicePrincipal, err error) + MockDelete func(ctx context.Context, objectID string) (result autorest.Response, err error) + MockGet func(ctx context.Context, objectID string) (result graphrbac.ServicePrincipal, err error) +} + +// Create calls the MockServicePrincipalClient's MockCreate method. +func (c *MockServicePrincipalClient) Create(ctx context.Context, parameters graphrbac.ServicePrincipalCreateParameters) (result graphrbac.ServicePrincipal, err error) { + return c.MockCreate(ctx, parameters) +} + +// Delete calls the MockServicePrincipalClient's MockDelete method. +func (c *MockServicePrincipalClient) Delete(ctx context.Context, objectID string) (result autorest.Response, err error) { + return c.MockDelete(ctx, objectID) +} + +// Get calls the MockServicePrincipalClient's MockGet method. +func (c *MockServicePrincipalClient) Get(ctx context.Context, objectID string) (result graphrbac.ServicePrincipal, err error) { + return c.MockGet(ctx, objectID) +} diff --git a/pkg/controller/azure.go b/pkg/controller/azure.go index 34db8246..a5ff3862 100644 --- a/pkg/controller/azure.go +++ b/pkg/controller/azure.go @@ -38,6 +38,9 @@ import ( "github.com/crossplane/provider-azure/pkg/controller/keyvault/secret" "github.com/crossplane/provider-azure/pkg/controller/network/subnet" "github.com/crossplane/provider-azure/pkg/controller/network/virtualnetwork" + "github.com/crossplane/provider-azure/pkg/controller/rbac/application" + "github.com/crossplane/provider-azure/pkg/controller/rbac/roleassignment" + "github.com/crossplane/provider-azure/pkg/controller/rbac/serviceprincipal" "github.com/crossplane/provider-azure/pkg/controller/resourcegroup" "github.com/crossplane/provider-azure/pkg/controller/storage/account" "github.com/crossplane/provider-azure/pkg/controller/storage/container" @@ -58,6 +61,9 @@ func Setup(mgr ctrl.Manager, l logging.Logger, rl workqueue.RateLimiter, poll ti cosmosdb.Setup, virtualnetwork.Setup, subnet.Setup, + application.Setup, + roleassignment.Setup, + serviceprincipal.Setup, resourcegroup.Setup, account.Setup, container.Setup, diff --git a/pkg/controller/rbac/application/managed.go b/pkg/controller/rbac/application/managed.go new file mode 100644 index 00000000..fb34da1e --- /dev/null +++ b/pkg/controller/rbac/application/managed.go @@ -0,0 +1,189 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package application + +import ( + "context" + "time" + + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac/graphrbacapi" + "github.com/Azure/go-autorest/autorest/date" + "github.com/Azure/go-autorest/autorest/to" + "github.com/google/uuid" + "github.com/pkg/errors" + "k8s.io/client-go/util/workqueue" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/logging" + "github.com/crossplane/crossplane-runtime/pkg/meta" + "github.com/crossplane/crossplane-runtime/pkg/password" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + + "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" + azure "github.com/crossplane/provider-azure/pkg/clients" + azureclients "github.com/crossplane/provider-azure/pkg/clients" +) + +// Error strings. +const ( + errNotApplication = "managed resource is not an Application" + errCreateApplication = "cannot create Application" + errGetApplication = "cannot get Application" + errDeleteApplication = "cannot delete Application" +) + +// Setup adds a controller that reconciles Application. +func Setup(mgr ctrl.Manager, l logging.Logger, rl workqueue.RateLimiter, poll time.Duration) error { + name := managed.ControllerName(v1alpha1.ApplicationKind) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(controller.Options{ + RateLimiter: ratelimiter.NewDefaultManagedRateLimiter(rl), + }). + For(&v1alpha1.Application{}). + Complete(managed.NewReconciler(mgr, + resource.ManagedKind(v1alpha1.ApplicationGroupVersionKind), + // Override default initializers in case to remove NewNameAsExternalName Initializer + managed.WithInitializers(), + managed.WithConnectionPublishers(), + managed.WithExternalConnecter(&connecter{client: mgr.GetClient()}), + managed.WithReferenceResolver(managed.NewAPISimpleReferenceResolver(mgr.GetClient())), + managed.WithPollInterval(poll), + managed.WithLogger(l.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))))) +} + +type connecter struct { + client client.Client +} + +func (c *connecter) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) { + creds, _, err := azureclients.GetAuthInfo(ctx, c.client, mg) + if err != nil { + return nil, err + } + ta, err := azure.NewADGraphResourceIDAuthorizer(creds) + if err != nil { + return nil, err + } + ac := graphrbac.NewApplicationsClient(creds[azure.CredentialsKeyTenantID]) + ac.Authorizer = ta + return &external{c: ac}, nil +} + +type external struct { + c graphrbacapi.ApplicationsClientAPI +} + +func (e *external) Observe(ctx context.Context, mg resource.Managed) (managed.ExternalObservation, error) { + s, ok := mg.(*v1alpha1.Application) + if !ok { + return managed.ExternalObservation{}, errors.New(errNotApplication) + } + if meta.GetExternalName(s) == "" { + return managed.ExternalObservation{}, nil + } + + az, err := e.c.Get(ctx, meta.GetExternalName(s)) + if azureclients.IsNotFound(err) { + return managed.ExternalObservation{}, nil + } + if err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errGetApplication) + } + + s.Status.ApplicationID = azure.ToString(az.AppID) + s.SetConditions(xpv1.Available()) + // TODO: drift detection + return managed.ExternalObservation{ + ResourceExists: true, + ResourceUpToDate: true, + }, nil +} + +func (e *external) Create(ctx context.Context, mg resource.Managed) (managed.ExternalCreation, error) { + s, ok := mg.(*v1alpha1.Application) + if !ok { + return managed.ExternalCreation{}, errors.New(errNotApplication) + } + pw, err := password.Generate() + if err != nil { + return managed.ExternalCreation{}, errors.Wrap(err, errCreateApplication) + } + keyID, err := uuid.NewRandom() + if err != nil { + return managed.ExternalCreation{}, errors.Wrap(err, errCreateApplication) + } + pc := newPasswordCredential(keyID.String(), pw) + p := graphrbac.ApplicationCreateParameters{ + AvailableToOtherTenants: s.Spec.ForProvider.AvailableToOtherTenants, + DisplayName: s.Spec.ForProvider.DisplayName, + Homepage: s.Spec.ForProvider.Homepage, + IdentifierUris: azure.ToStringArrayPtr(s.Spec.ForProvider.IdentifierURIs), + PasswordCredentials: &[]graphrbac.PasswordCredential{pc}, + } + rsp, err := e.c.Create(ctx, p) + if err != nil { + return managed.ExternalCreation{}, errors.Wrap(err, errCreateApplication) + } + meta.SetExternalName(s, azure.ToString(rsp.ObjectID)) + return managed.ExternalCreation{ + ConnectionDetails: map[string][]byte{ + xpv1.ResourceCredentialsSecretPasswordKey: []byte(pw), + "keyID": []byte(keyID.String()), + }, + }, nil +} + +func (e *external) Update(ctx context.Context, mg resource.Managed) (managed.ExternalUpdate, error) { + // TODO: support updates + return managed.ExternalUpdate{}, nil +} + +func (e *external) Delete(ctx context.Context, mg resource.Managed) error { + s, ok := mg.(*v1alpha1.Application) + if !ok { + return errors.New(errNotApplication) + } + _, err := e.c.Delete(ctx, meta.GetExternalName(s)) + if azureclients.IsNotFound(err) { + return nil + } + return errors.Wrap(resource.IgnoreNotFound(err), errDeleteApplication) +} + +const ( + // TODO: creds autoupdate + appCredsValidYears = 5 +) + +func newPasswordCredential(keyID, secret string) graphrbac.PasswordCredential { + return graphrbac.PasswordCredential{ + StartDate: &date.Time{Time: time.Now()}, + EndDate: &date.Time{Time: time.Now().AddDate(appCredsValidYears, 0, 0)}, + KeyID: to.StringPtr(keyID), + Value: to.StringPtr(secret), + } +} diff --git a/pkg/controller/rbac/application/managed_test.go b/pkg/controller/rbac/application/managed_test.go new file mode 100644 index 00000000..214f35e4 --- /dev/null +++ b/pkg/controller/rbac/application/managed_test.go @@ -0,0 +1,302 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package application + +import ( + "context" + "net/http" + "testing" + + "github.com/crossplane/crossplane-runtime/pkg/meta" + + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" + "github.com/pkg/errors" + + "github.com/crossplane/provider-azure/pkg/clients/rbac/fake" + + "github.com/Azure/go-autorest/autorest" + "github.com/crossplane/crossplane-runtime/pkg/test" + "github.com/google/go-cmp/cmp" + + azure "github.com/crossplane/provider-azure/pkg/clients" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + + "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" +) + +const ( + name = "application" + homePage = "homePage" + uid = types.UID("definitely-a-uuid") +) + +var ( + ctx = context.Background() + errorBoom = errors.New("boom") +) + +type testCase struct { + name string + e managed.ExternalClient + r resource.Managed + want resource.Managed + wantErr error +} + +type applicationModifier func(*v1alpha1.Application) + +func withConditions(c ...xpv1.Condition) applicationModifier { + return func(r *v1alpha1.Application) { r.Status.ConditionedStatus.Conditions = c } +} + +func withExternalName(name string) applicationModifier { + return func(r *v1alpha1.Application) { meta.SetExternalName(r, name) } +} + +func application(sm ...applicationModifier) *v1alpha1.Application { + r := &v1alpha1.Application{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + UID: uid, + Finalizers: []string{}, + }, + Spec: v1alpha1.ApplicationSpec{ + ForProvider: v1alpha1.ApplicationParameters{ + AvailableToOtherTenants: azure.ToBoolPtr(true), + DisplayName: azure.ToStringPtr(name), + Homepage: azure.ToStringPtr(homePage), + IdentifierURIs: []string{homePage}, + }, + }, + Status: v1alpha1.ApplicationStatus{}, + } + + meta.SetExternalName(r, "") + + for _, m := range sm { + m(r) + } + + return r +} + +// Test that our Reconciler implementation satisfies the Reconciler interface. +var _ managed.ExternalClient = &external{} +var _ managed.ExternalConnecter = &connecter{} + +func TestCreate(t *testing.T) { + cases := []testCase{ + { + name: "NotApplication", + e: &external{c: &fake.MockApplicationsClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: errors.New(errNotApplication), + }, + { + name: "SuccessfulCreate", + e: &external{c: &fake.MockApplicationsClient{ + MockCreate: func(ctx context.Context, parameters graphrbac.ApplicationCreateParameters) (result graphrbac.Application, err error) { + return graphrbac.Application{}, nil + }, + }}, + r: application(), + want: application(), + }, + { + name: "FailedCreate", + e: &external{c: &fake.MockApplicationsClient{ + MockCreate: func(ctx context.Context, parameters graphrbac.ApplicationCreateParameters) (result graphrbac.Application, err error) { + return graphrbac.Application{}, errorBoom + }, + }}, + r: application(), + want: application(), + wantErr: errors.Wrap(errorBoom, errCreateApplication), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Create(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Create(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestObserve(t *testing.T) { + cases := []testCase{ + { + name: "NotApplication", + e: &external{c: &fake.MockApplicationsClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: errors.New(errNotApplication), + }, + { + name: "SuccessfulObserveNotCreated", + e: &external{c: &fake.MockApplicationsClient{}}, + r: application(), + want: application(), + }, + { + name: "SuccessfulObserveNotExist", + e: &external{c: &fake.MockApplicationsClient{ + MockGet: func(ctx context.Context, applicationObjectID string) (result graphrbac.Application, err error) { + return graphrbac.Application{}, autorest.DetailedError{StatusCode: http.StatusNotFound} + }, + }}, + r: application(withExternalName(name)), + want: application(withExternalName(name)), + }, + { + name: "SuccessfulObserveExists", + e: &external{c: &fake.MockApplicationsClient{ + MockGet: func(ctx context.Context, applicationObjectID string) (result graphrbac.Application, err error) { + return graphrbac.Application{}, nil + }, + }}, + r: application(withExternalName(name)), + want: application( + withConditions(xpv1.Available()), + withExternalName(name), + ), + }, + { + name: "FailedObserve", + e: &external{c: &fake.MockApplicationsClient{ + MockGet: func(ctx context.Context, applicationObjectID string) (result graphrbac.Application, err error) { + return graphrbac.Application{}, errorBoom + }, + }}, + r: application(withExternalName(name)), + want: application(withExternalName(name)), + wantErr: errors.Wrap(errorBoom, errGetApplication), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Observe(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Observe(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestUpdate(t *testing.T) { + cases := []testCase{ + { + name: "UpdateNotSupported", + e: &external{c: &fake.MockApplicationsClient{}}, + r: &v1alpha1.Application{}, + want: &v1alpha1.Application{}, + wantErr: nil, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Update(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Update(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestDelete(t *testing.T) { + cases := []testCase{ + { + name: "NotApplication", + e: &external{c: &fake.MockApplicationsClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: errors.New(errNotApplication), + }, + { + name: "Successful", + e: &external{c: &fake.MockApplicationsClient{ + MockDelete: func(ctx context.Context, applicationObjectID string) (result autorest.Response, err error) { + return autorest.Response{}, nil + }, + }}, + r: application(), + want: application(), + }, + { + name: "SuccessfulNotFound", + e: &external{c: &fake.MockApplicationsClient{ + MockDelete: func(ctx context.Context, applicationObjectID string) (result autorest.Response, err error) { + return autorest.Response{}, autorest.DetailedError{ + StatusCode: http.StatusNotFound, + } + }, + }}, + r: application(), + want: application(), + }, + { + name: "Failed", + e: &external{c: &fake.MockApplicationsClient{ + MockDelete: func(ctx context.Context, applicationObjectID string) (result autorest.Response, err error) { + return autorest.Response{}, errorBoom + }, + }}, + r: application(), + want: application(), + wantErr: errors.Wrap(errorBoom, errDeleteApplication), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + err := tc.e.Delete(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Delete(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} diff --git a/pkg/controller/rbac/roleassignment/managed.go b/pkg/controller/rbac/roleassignment/managed.go new file mode 100644 index 00000000..ab5b842c --- /dev/null +++ b/pkg/controller/rbac/roleassignment/managed.go @@ -0,0 +1,160 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package roleassignment + +import ( + "context" + "fmt" + "time" + + "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization" + "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization/authorizationapi" + "github.com/google/uuid" + "github.com/pkg/errors" + "k8s.io/client-go/util/workqueue" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/logging" + "github.com/crossplane/crossplane-runtime/pkg/meta" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + + "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" + azure "github.com/crossplane/provider-azure/pkg/clients" + azureclients "github.com/crossplane/provider-azure/pkg/clients" +) + +// Error strings. +const ( + errNotRoleAssignment = "managed resource is not a RoleAssignment" + errCreateRoleAssignment = "cannot create RoleAssignment" + errRoleAssignmentUpdateNotSupported = "RoleAssignment updates not supported" + errGetRoleAssignment = "cannot get RoleAssignment" + errDeleteRoleAssignment = "cannot delete RoleAssignment" +) + +// Setup adds a controller that reconciles RoleAssignment. +func Setup(mgr ctrl.Manager, l logging.Logger, rl workqueue.RateLimiter, poll time.Duration) error { + name := managed.ControllerName(v1alpha1.RoleAssignmentKind) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(controller.Options{ + RateLimiter: ratelimiter.NewDefaultManagedRateLimiter(rl), + }). + For(&v1alpha1.RoleAssignment{}). + Complete(managed.NewReconciler(mgr, + resource.ManagedKind(v1alpha1.RoleAssignmentGroupVersionKind), + // Override default initializers in case to remove NewNameAsExternalName Initializer + managed.WithInitializers(), + managed.WithConnectionPublishers(), + managed.WithExternalConnecter(&connecter{client: mgr.GetClient()}), + managed.WithReferenceResolver(managed.NewAPISimpleReferenceResolver(mgr.GetClient())), + managed.WithLogger(l.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + )) +} + +type connecter struct { + client client.Client +} + +func (c *connecter) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) { + creds, auth, err := azureclients.GetAuthInfo(ctx, c.client, mg) + if err != nil { + return nil, err + } + subID := creds[azure.CredentialsKeySubscriptionID] + rac := authorization.NewRoleAssignmentsClient(subID) + rac.Authorizer = auth + _ = rac.AddToUserAgent(azure.UserAgent) + return &external{c: rac, subID: subID}, nil +} + +type external struct { + c authorizationapi.RoleAssignmentsClientAPI + subID string +} + +func (e *external) Observe(ctx context.Context, mg resource.Managed) (managed.ExternalObservation, error) { + s, ok := mg.(*v1alpha1.RoleAssignment) + if !ok { + return managed.ExternalObservation{}, errors.New(errNotRoleAssignment) + } + name := "" + filter := fmt.Sprintf("principalId eq '%s'", s.Spec.ForProvider.PrincipalID) + l, err := e.c.ListForScopeComplete(ctx, s.Spec.ForProvider.Scope, filter) + if err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errGetRoleAssignment) + } + if l.NotDone() { + err := l.NextWithContext(ctx) + if err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errGetRoleAssignment) + } + name = azure.ToString(l.Value().Name) + } else { + // Not exist + return managed.ExternalObservation{}, nil + } + meta.SetExternalName(s, name) + s.SetConditions(xpv1.Available()) + return managed.ExternalObservation{ResourceExists: true, ResourceUpToDate: true}, nil +} + +func (e *external) Create(ctx context.Context, mg resource.Managed) (managed.ExternalCreation, error) { + s, ok := mg.(*v1alpha1.RoleAssignment) + if !ok { + return managed.ExternalCreation{}, errors.New(errNotRoleAssignment) + } + p := authorization.RoleAssignmentCreateParameters{RoleAssignmentProperties: &authorization.RoleAssignmentProperties{ + RoleDefinitionID: azure.ToStringPtr(fmt.Sprintf("/subscriptions/%s%s", e.subID, s.Spec.ForProvider.RoleID)), + PrincipalID: azure.ToStringPtr(s.Spec.ForProvider.PrincipalID), + }} + uuidName, err := uuid.NewRandom() + if err != nil { + return managed.ExternalCreation{}, errors.Wrap(err, errCreateRoleAssignment) + } + name := uuidName.String() + _, err = e.c.Create(ctx, s.Spec.ForProvider.Scope, name, p) + if err != nil { + return managed.ExternalCreation{}, errors.Wrap(err, errCreateRoleAssignment) + } + return managed.ExternalCreation{}, nil +} + +func (e *external) Update(ctx context.Context, mg resource.Managed) (managed.ExternalUpdate, error) { + // RoleAssignments updates not supported by sdk + return managed.ExternalUpdate{}, errors.New(errRoleAssignmentUpdateNotSupported) +} + +func (e *external) Delete(ctx context.Context, mg resource.Managed) error { + s, ok := mg.(*v1alpha1.RoleAssignment) + if !ok { + return errors.New(errNotRoleAssignment) + } + _, err := e.c.Delete(ctx, s.Spec.ForProvider.Scope, meta.GetExternalName(s)) + if azure.IsNotFound(err) { + return nil + } + return errors.Wrap(err, errDeleteRoleAssignment) +} diff --git a/pkg/controller/rbac/roleassignment/managed_test.go b/pkg/controller/rbac/roleassignment/managed_test.go new file mode 100644 index 00000000..39935b60 --- /dev/null +++ b/pkg/controller/rbac/roleassignment/managed_test.go @@ -0,0 +1,281 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package roleassignment + +import ( + "context" + "net/http" + "testing" + + "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization" + + "github.com/crossplane/crossplane-runtime/pkg/meta" + + "github.com/pkg/errors" + + "github.com/crossplane/provider-azure/pkg/clients/rbac/fake" + + "github.com/Azure/go-autorest/autorest" + "github.com/crossplane/crossplane-runtime/pkg/test" + "github.com/google/go-cmp/cmp" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + + "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" +) + +const ( + name = "roleAssignment" + scope = "scope" + uid = types.UID("definitely-a-uuid") +) + +var ( + ctx = context.Background() + errorBoom = errors.New("boom") +) + +type testCase struct { + name string + e managed.ExternalClient + r resource.Managed + want resource.Managed + wantErr error +} + +type roleAssignmentModifier func(*v1alpha1.RoleAssignment) + +func withConditions(c ...xpv1.Condition) roleAssignmentModifier { + return func(r *v1alpha1.RoleAssignment) { r.Status.ConditionedStatus.Conditions = c } +} + +func withExternalName(name string) roleAssignmentModifier { + return func(r *v1alpha1.RoleAssignment) { meta.SetExternalName(r, name) } +} + +func roleAssignment(sm ...roleAssignmentModifier) *v1alpha1.RoleAssignment { + r := &v1alpha1.RoleAssignment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + UID: uid, + Finalizers: []string{}, + }, + Spec: v1alpha1.RoleAssignmentSpec{ + ForProvider: v1alpha1.RoleAssignmentParameters{ + PrincipalID: string(uid), + RoleID: string(uid), + Scope: scope, + }, + }, + Status: v1alpha1.RoleAssignmentStatus{}, + } + + meta.SetExternalName(r, "") + + for _, m := range sm { + m(r) + } + + return r +} + +// Test that our Reconciler implementation satisfies the Reconciler interface. +var _ managed.ExternalClient = &external{} +var _ managed.ExternalConnecter = &connecter{} + +func TestCreate(t *testing.T) { + cases := []testCase{ + { + name: "NotRoleAssignment", + e: &external{c: &fake.MockRoleAssignmentClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: errors.New(errNotRoleAssignment), + }, + { + name: "SuccessfulCreate", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockCreate: func(ctx context.Context, scope string, roleAssignmentName string, parameters authorization.RoleAssignmentCreateParameters) (result authorization.RoleAssignment, err error) { + return authorization.RoleAssignment{}, nil + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "FailedCreate", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockCreate: func(ctx context.Context, scope string, roleAssignmentName string, parameters authorization.RoleAssignmentCreateParameters) (result authorization.RoleAssignment, err error) { + return authorization.RoleAssignment{}, errorBoom + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + wantErr: errors.Wrap(errorBoom, errCreateRoleAssignment), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Create(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Create(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestObserve(t *testing.T) { + cases := []testCase{ + { + name: "NotRoleAssignment", + e: &external{c: &fake.MockRoleAssignmentClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: errors.New(errNotRoleAssignment), + }, + { + name: "SuccessfulObserveNotExist", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockListForScopeComplete: func(ctx context.Context, scope string, filter string) (result authorization.RoleAssignmentListResultIterator, err error) { + return authorization.RoleAssignmentListResultIterator{}, nil + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "FailedObserve", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockListForScopeComplete: func(ctx context.Context, scope string, filter string) (result authorization.RoleAssignmentListResultIterator, err error) { + return authorization.RoleAssignmentListResultIterator{}, errorBoom + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + wantErr: errors.Wrap(errorBoom, errGetRoleAssignment), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Observe(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Observe(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestUpdate(t *testing.T) { + cases := []testCase{ + { + name: "UpdateNotSupported", + e: &external{c: &fake.MockRoleAssignmentClient{}}, + r: &v1alpha1.Application{}, + want: &v1alpha1.Application{}, + wantErr: errors.New(errRoleAssignmentUpdateNotSupported), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Update(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Update(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestDelete(t *testing.T) { + cases := []testCase{ + { + name: "NotRoleAssignment", + e: &external{c: &fake.MockRoleAssignmentClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: errors.New(errNotRoleAssignment), + }, + { + name: "Successful", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockDelete: func(ctx context.Context, scope string, roleAssignmentName string) (result authorization.RoleAssignment, err error) { + return authorization.RoleAssignment{}, nil + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "SuccessfulNotFound", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockDelete: func(ctx context.Context, scope string, roleAssignmentName string) (result authorization.RoleAssignment, err error) { + return authorization.RoleAssignment{}, autorest.DetailedError{ + StatusCode: http.StatusNotFound, + } + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "Failed", + e: &external{c: &fake.MockRoleAssignmentClient{ + MockDelete: func(ctx context.Context, scope string, roleAssignmentName string) (result authorization.RoleAssignment, err error) { + return authorization.RoleAssignment{}, errorBoom + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + wantErr: errors.Wrap(errorBoom, errDeleteRoleAssignment), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + err := tc.e.Delete(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Delete(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} diff --git a/pkg/controller/rbac/serviceprincipal/managed.go b/pkg/controller/rbac/serviceprincipal/managed.go new file mode 100644 index 00000000..bd1949be --- /dev/null +++ b/pkg/controller/rbac/serviceprincipal/managed.go @@ -0,0 +1,152 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package serviceprincipal + +import ( + "context" + "time" + + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac/graphrbacapi" + "github.com/Azure/go-autorest/autorest/to" + "github.com/pkg/errors" + "k8s.io/client-go/util/workqueue" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/logging" + "github.com/crossplane/crossplane-runtime/pkg/meta" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + + "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" + azure "github.com/crossplane/provider-azure/pkg/clients" + azureclients "github.com/crossplane/provider-azure/pkg/clients" +) + +// Error strings. +const ( + errNotServicePrincipal = "managed resource is not an ServicePrincipal" + errCreateServicePrincipal = "cannot create ServicePrincipal" + errGetServicePrincipal = "cannot get ServicePrincipal" + errDeleteServicePrincipal = "cannot delete ServicePrincipal" +) + +// Setup adds a controller that reconciles ServicePrincipal. +func Setup(mgr ctrl.Manager, l logging.Logger, rl workqueue.RateLimiter, poll time.Duration) error { + name := managed.ControllerName(v1alpha1.ServicePrincipalKind) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(controller.Options{ + RateLimiter: ratelimiter.NewDefaultManagedRateLimiter(rl), + }). + For(&v1alpha1.ServicePrincipal{}). + Complete(managed.NewReconciler(mgr, + resource.ManagedKind(v1alpha1.ServicePrincipalGroupVersionKind), + // Override default initializers in case to remove NewNameAsExternalName Initializer + managed.WithInitializers(), + managed.WithConnectionPublishers(), + managed.WithExternalConnecter(&connecter{client: mgr.GetClient()}), + managed.WithReferenceResolver(managed.NewAPISimpleReferenceResolver(mgr.GetClient())), + managed.WithPollInterval(poll), + managed.WithLogger(l.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))))) +} + +type connecter struct { + client client.Client +} + +func (c *connecter) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) { + creds, _, err := azureclients.GetAuthInfo(ctx, c.client, mg) + if err != nil { + return nil, err + } + ta, err := azure.NewADGraphResourceIDAuthorizer(creds) + if err != nil { + return nil, err + } + cl := graphrbac.NewServicePrincipalsClient(creds[azure.CredentialsKeyTenantID]) + cl.Authorizer = ta + return &external{c: cl}, nil +} + +type external struct { + c graphrbacapi.ServicePrincipalsClientAPI +} + +func (e *external) Observe(ctx context.Context, mg resource.Managed) (managed.ExternalObservation, error) { + s, ok := mg.(*v1alpha1.ServicePrincipal) + if !ok { + return managed.ExternalObservation{}, errors.New(errNotServicePrincipal) + } + if meta.GetExternalName(s) == "" { + return managed.ExternalObservation{}, nil + } + _, err := e.c.Get(ctx, meta.GetExternalName(s)) + if azure.IsNotFound(err) { + return managed.ExternalObservation{}, nil + } + if err != nil { + return managed.ExternalObservation{}, errors.Wrap(err, errGetServicePrincipal) + } + s.SetConditions(xpv1.Available()) + // TODO: drift detection + return managed.ExternalObservation{ + ResourceExists: true, + ResourceUpToDate: true, + }, nil +} + +func (e *external) Create(ctx context.Context, mg resource.Managed) (managed.ExternalCreation, error) { + s, ok := mg.(*v1alpha1.ServicePrincipal) + if !ok { + return managed.ExternalCreation{}, errors.New(errNotServicePrincipal) + } + p := graphrbac.ServicePrincipalCreateParameters{ + AppID: to.StringPtr(s.Spec.ForProvider.ApplicationID), + AccountEnabled: s.Spec.ForProvider.AccountEnabled, + } + rsp, err := e.c.Create(ctx, p) + if err != nil { + return managed.ExternalCreation{}, errors.Wrap(err, errCreateServicePrincipal) + } + meta.SetExternalName(s, azure.ToString(rsp.ObjectID)) + return managed.ExternalCreation{}, nil +} + +func (e *external) Update(ctx context.Context, mg resource.Managed) (managed.ExternalUpdate, error) { + // TODO: support updates + return managed.ExternalUpdate{}, nil +} + +func (e *external) Delete(ctx context.Context, mg resource.Managed) error { + s, ok := mg.(*v1alpha1.ServicePrincipal) + if !ok { + return errors.New(errNotServicePrincipal) + } + _, err := e.c.Delete(ctx, meta.GetExternalName(s)) + if azure.IsNotFound(err) { + return nil + } + return errors.Wrap(err, errDeleteServicePrincipal) +} diff --git a/pkg/controller/rbac/serviceprincipal/managed_test.go b/pkg/controller/rbac/serviceprincipal/managed_test.go new file mode 100644 index 00000000..2a85123b --- /dev/null +++ b/pkg/controller/rbac/serviceprincipal/managed_test.go @@ -0,0 +1,300 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package serviceprincipal + +import ( + "context" + "net/http" + "testing" + + "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" + + azure "github.com/crossplane/provider-azure/pkg/clients" + + "github.com/crossplane/crossplane-runtime/pkg/meta" + + "github.com/pkg/errors" + + "github.com/crossplane/provider-azure/pkg/clients/rbac/fake" + + "github.com/Azure/go-autorest/autorest" + "github.com/crossplane/crossplane-runtime/pkg/test" + "github.com/google/go-cmp/cmp" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + + "github.com/crossplane/provider-azure/apis/rbac/v1alpha1" +) + +const ( + name = "servicePrincipal" + uid = types.UID("definitely-a-uuid") +) + +var ( + ctx = context.Background() + errorBoom = errors.New("boom") +) + +type testCase struct { + name string + e managed.ExternalClient + r resource.Managed + want resource.Managed + wantErr error +} + +type roleAssignmentModifier func(*v1alpha1.ServicePrincipal) + +func withConditions(c ...xpv1.Condition) roleAssignmentModifier { + return func(r *v1alpha1.ServicePrincipal) { r.Status.ConditionedStatus.Conditions = c } +} + +func withExternalName(name string) roleAssignmentModifier { + return func(r *v1alpha1.ServicePrincipal) { meta.SetExternalName(r, name) } +} + +func roleAssignment(sm ...roleAssignmentModifier) *v1alpha1.ServicePrincipal { + r := &v1alpha1.ServicePrincipal{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + UID: uid, + Finalizers: []string{}, + }, + Spec: v1alpha1.ServicePrincipalSpec{ + ForProvider: v1alpha1.ServicePrincipalParameters{ + ApplicationID: string(uid), + AccountEnabled: azure.ToBoolPtr(true), + }, + }, + Status: v1alpha1.ServicePrincipalStatus{}, + } + + meta.SetExternalName(r, "") + + for _, m := range sm { + m(r) + } + + return r +} + +// Test that our Reconciler implementation satisfies the Reconciler interface. +var _ managed.ExternalClient = &external{} +var _ managed.ExternalConnecter = &connecter{} + +func TestCreate(t *testing.T) { + cases := []testCase{ + { + name: "NotServicePrincipal", + e: &external{c: &fake.MockServicePrincipalClient{}}, + r: &v1alpha1.Application{}, + want: &v1alpha1.Application{}, + wantErr: errors.New(errNotServicePrincipal), + }, + { + name: "SuccessfulCreate", + e: &external{c: &fake.MockServicePrincipalClient{ + MockCreate: func(ctx context.Context, parameters graphrbac.ServicePrincipalCreateParameters) (result graphrbac.ServicePrincipal, err error) { + return graphrbac.ServicePrincipal{}, nil + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "FailedCreate", + e: &external{c: &fake.MockServicePrincipalClient{ + MockCreate: func(ctx context.Context, parameters graphrbac.ServicePrincipalCreateParameters) (result graphrbac.ServicePrincipal, err error) { + return graphrbac.ServicePrincipal{}, errorBoom + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + wantErr: errors.Wrap(errorBoom, errCreateServicePrincipal), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Create(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Create(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestObserve(t *testing.T) { + cases := []testCase{ + { + name: "NotServicePrincipal", + e: &external{c: &fake.MockServicePrincipalClient{}}, + r: &v1alpha1.Application{}, + want: &v1alpha1.Application{}, + wantErr: errors.New(errNotServicePrincipal), + }, + { + name: "SuccessfulObserveNotExist", + e: &external{c: &fake.MockServicePrincipalClient{ + MockGet: func(ctx context.Context, objectID string) (result graphrbac.ServicePrincipal, err error) { + return graphrbac.ServicePrincipal{}, nil + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "SuccessfulObserveNotCreated", + e: &external{c: &fake.MockServicePrincipalClient{}}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "SuccessfulObserveExists", + e: &external{c: &fake.MockServicePrincipalClient{ + MockGet: func(ctx context.Context, objectID string) (result graphrbac.ServicePrincipal, err error) { + return graphrbac.ServicePrincipal{}, nil + }, + }}, + r: roleAssignment(withExternalName(name)), + want: roleAssignment( + withConditions(xpv1.Available()), + withExternalName(name), + ), + }, + { + name: "FailedObserve", + e: &external{c: &fake.MockServicePrincipalClient{ + MockGet: func(ctx context.Context, objectID string) (result graphrbac.ServicePrincipal, err error) { + return graphrbac.ServicePrincipal{}, errorBoom + }, + }}, + r: roleAssignment(withExternalName(name)), + want: roleAssignment(withExternalName(name)), + wantErr: errors.Wrap(errorBoom, errGetServicePrincipal), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Observe(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Observe(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestUpdate(t *testing.T) { + cases := []testCase{ + { + name: "UpdateNotSupported", + e: &external{c: &fake.MockServicePrincipalClient{}}, + r: &v1alpha1.ServicePrincipal{}, + want: &v1alpha1.ServicePrincipal{}, + wantErr: nil, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, err := tc.e.Update(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Update(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +} + +func TestDelete(t *testing.T) { + cases := []testCase{ + { + name: "NotServicePrincipal", + e: &external{c: &fake.MockServicePrincipalClient{}}, + r: &v1alpha1.Application{}, + want: &v1alpha1.Application{}, + wantErr: errors.New(errNotServicePrincipal), + }, + { + name: "Successful", + e: &external{c: &fake.MockServicePrincipalClient{ + MockDelete: func(ctx context.Context, objectID string) (result autorest.Response, err error) { + return autorest.Response{}, nil + }, + }}, + r: roleAssignment(withExternalName(name)), + want: roleAssignment(withExternalName(name)), + }, + { + name: "SuccessfulNotFound", + e: &external{c: &fake.MockServicePrincipalClient{ + MockDelete: func(ctx context.Context, objectID string) (result autorest.Response, err error) { + return autorest.Response{}, autorest.DetailedError{ + StatusCode: http.StatusNotFound, + } + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + }, + { + name: "Failed", + e: &external{c: &fake.MockServicePrincipalClient{ + MockDelete: func(ctx context.Context, objectID string) (result autorest.Response, err error) { + return autorest.Response{}, errorBoom + }, + }}, + r: roleAssignment(), + want: roleAssignment(), + wantErr: errors.Wrap(errorBoom, errDeleteServicePrincipal), + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + err := tc.e.Delete(ctx, tc.r) + + if diff := cmp.Diff(tc.wantErr, err, test.EquateErrors()); diff != "" { + t.Errorf("tc.e.Delete(...): want error != got error:\n%s", diff) + } + + if diff := cmp.Diff(tc.want, tc.r, test.EquateConditions()); diff != "" { + t.Errorf("r: -want, +got:\n%s", diff) + } + }) + } +}