Merge pull request #4026 from gemmahou/resource-bigtable-authorizedview

Add bigtable authorizedview types, mappers, CRD and fuzzer

Author: google-oss-prow[bot]

apis/bigtable/v1alpha1/authorizedview_identity.go

@@ -0,0 +1,107 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	bigtablev1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/bigtable/v1beta1"
+	"github.com/GoogleCloudPlatform/k8s-config-connector/apis/common/parent"
+
+	"github.com/GoogleCloudPlatform/k8s-config-connector/apis/common"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// AuthorizedViewIdentity defines the resource reference to BigtableAuthorizedView, which "External" field
+// holds the GCP identifier for the KRM object.
+type AuthorizedViewIdentity struct {
+	parent *bigtablev1beta1.TableIdentity
+	id     string
+}
+
+func (i *AuthorizedViewIdentity) String() string {
+	return i.parent.String() + "/authorizedViews/" + i.id
+}
+
+func (i *AuthorizedViewIdentity) ID() string {
+	return i.id
+}
+
+// New builds a AuthorizedViewIdentity from the Config Connector AuthorizedView object.
+func NewAuthorizedViewIdentity(ctx context.Context, reader client.Reader, obj *BigtableAuthorizedView) (*AuthorizedViewIdentity, error) {
+
+	// Get Parent
+	tableExternal, err := obj.Spec.TableRef.NormalizedExternal(ctx, reader, obj.GetNamespace())
+	if err != nil {
+		return nil, err
+	}
+	instanceIdentity, tableID, err := bigtablev1beta1.ParseTableExternal(tableExternal)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get desired ID
+	resourceID := common.ValueOf(obj.Spec.ResourceID)
+	if resourceID == "" {
+		resourceID = obj.GetName()
+	}
+	if resourceID == "" {
+		return nil, fmt.Errorf("cannot resolve resource ID")
+	}
+
+	// Use approved External
+	externalRef := common.ValueOf(obj.Status.ExternalRef)
+	if externalRef != "" {
+		// Validate desired with actual
+		actualParent, actualResourceID, err := ParseAuthorizedViewExternal(externalRef)
+		if err != nil {
+			return nil, err
+		}
+		if actualParent.Id != tableID {
+			return nil, fmt.Errorf("spec.groupRef changed, expect %s, got %s", actualParent.Id, tableID)
+		}
+		if actualResourceID != resourceID {
+			return nil, fmt.Errorf("cannot reset `metadata.name` or `spec.resourceID` to %s, since it has already assigned to %s",
+				resourceID, actualResourceID)
+		}
+	}
+	return &AuthorizedViewIdentity{
+		parent: &bigtablev1beta1.TableIdentity{
+			Parent: instanceIdentity,
+			Id:     tableID,
+		},
+		id: resourceID,
+	}, nil
+}
+
+func ParseAuthorizedViewExternal(external string) (*bigtablev1beta1.TableIdentity, string, error) {
+	tokens := strings.Split(external, "/")
+	if len(tokens) != 8 || tokens[0] != "projects" || tokens[2] != "instances" || tokens[4] != "tables" || tokens[6] != "authorizedViews" {
+		return nil, "", fmt.Errorf("format of BigtableAuthorizedView external=%q was not known (use projects/{{projectID}}/instances/{{instanceID}}/tables/{{tableID}}/authorizedViews/{{authorizedViewID}})", external)
+	}
+	p := &bigtablev1beta1.TableIdentity{
+		Parent: &bigtablev1beta1.InstanceIdentity{
+			Parent: &parent.ProjectParent{
+				ProjectID: tokens[1],
+			},
+			Id: tokens[3],
+		},
+		Id: tokens[5],
+	}
+	resourceID := tokens[7]
+	return p, resourceID, nil
+}

apis/bigtable/v1alpha1/authorizedview_reference.go

@@ -0,0 +1,83 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+
+	refsv1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1"
+	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/k8s"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var _ refsv1beta1.ExternalNormalizer = &AuthorizedViewRef{}
+
+// AuthorizedViewRef defines the resource reference to BigtableAuthorizedView, which "External" field
+// holds the GCP identifier for the KRM object.
+type AuthorizedViewRef struct {
+	// A reference to an externally managed BigtableAuthorizedView resource.
+	// Should be in the format "projects/{{projectID}}/locations/{{location}}/authorizedviews/{{authorizedviewID}}".
+	External string `json:"external,omitempty"`
+
+	// The name of a BigtableAuthorizedView resource.
+	Name string `json:"name,omitempty"`
+
+	// The namespace of a BigtableAuthorizedView resource.
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// NormalizedExternal provision the "External" value for other resource that depends on BigtableAuthorizedView.
+// If the "External" is given in the other resource's spec.BigtableAuthorizedViewRef, the given value will be used.
+// Otherwise, the "Name" and "Namespace" will be used to query the actual BigtableAuthorizedView object from the cluster.
+func (r *AuthorizedViewRef) NormalizedExternal(ctx context.Context, reader client.Reader, otherNamespace string) (string, error) {
+	if r.External != "" && r.Name != "" {
+		return "", fmt.Errorf("cannot specify both name and external on %s reference", BigtableAuthorizedViewGVK.Kind)
+	}
+	// From given External
+	if r.External != "" {
+		if _, _, err := ParseAuthorizedViewExternal(r.External); err != nil {
+			return "", err
+		}
+		return r.External, nil
+	}
+
+	// From the Config Connector object
+	if r.Namespace == "" {
+		r.Namespace = otherNamespace
+	}
+	key := types.NamespacedName{Name: r.Name, Namespace: r.Namespace}
+	u := &unstructured.Unstructured{}
+	u.SetGroupVersionKind(BigtableAuthorizedViewGVK)
+	if err := reader.Get(ctx, key, u); err != nil {
+		if apierrors.IsNotFound(err) {
+			return "", k8s.NewReferenceNotFoundError(u.GroupVersionKind(), key)
+		}
+		return "", fmt.Errorf("reading referenced %s %s: %w", BigtableAuthorizedViewGVK, key, err)
+	}
+	// Get external from status.externalRef. This is the most trustworthy place.
+	actualExternalRef, _, err := unstructured.NestedString(u.Object, "status", "externalRef")
+	if err != nil {
+		return "", fmt.Errorf("reading status.externalRef: %w", err)
+	}
+	if actualExternalRef == "" {
+		return "", k8s.NewReferenceNotReadyError(u.GroupVersionKind(), key)
+	}
+	r.External = actualExternalRef
+	return r.External, nil
+}

apis/bigtable/v1alpha1/authorizedview_types.go

@@ -0,0 +1,115 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	bigtablev1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/bigtable/v1beta1"
+	refv1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1"
+	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/apis/k8s/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var BigtableAuthorizedViewGVK = GroupVersion.WithKind("BigtableAuthorizedView")
+
+type BigtableAuthorizedViewParent struct {
+	// +required
+	ProjectRef *refv1beta1.ProjectRef `json:"projectRef"`
+
+	// +required
+	InstanceRef bigtablev1beta1.InstanceRef `json:"instanceRef"`
+
+	// +required
+	TableRef bigtablev1beta1.TableRef `json:"tableRef"`
+}
+
+// BigtableAuthorizedViewSpec defines the desired state of BigtableAuthorizedView
+// +kcc:proto=google.bigtable.admin.v2.AuthorizedView
+type BigtableAuthorizedViewSpec struct {
+	// The BigtableAuthorizedView name. If not given, the metadata.name will be used.
+	ResourceID *string `json:"resourceID,omitempty"`
+
+	// +required
+	BigtableAuthorizedViewParent `json:",inline"`
+
+	// An AuthorizedView permitting access to an explicit subset of a Table.
+	// +kcc:proto:field=google.bigtable.admin.v2.AuthorizedView.subset_view
+	SubsetView *AuthorizedView_SubsetView `json:"subsetView,omitempty"`
+
+	// The etag for this AuthorizedView.
+	//  If this is provided on update, it must match the server's etag. The server
+	//  returns ABORTED error on a mismatched etag.
+	// +kcc:proto:field=google.bigtable.admin.v2.AuthorizedView.etag
+	Etag *string `json:"etag,omitempty"`
+
+	// Set to true to make the AuthorizedView protected against deletion.
+	//  The parent Table and containing Instance cannot be deleted if an
+	//  AuthorizedView has this bit set.
+	// +kcc:proto:field=google.bigtable.admin.v2.AuthorizedView.deletion_protection
+	DeletionProtection *bool `json:"deletionProtection,omitempty"`
+}
+
+// BigtableAuthorizedViewStatus defines the config connector machine state of BigtableAuthorizedView
+type BigtableAuthorizedViewStatus struct {
+	/* Conditions represent the latest available observations of the
+	   object's current state. */
+	Conditions []v1alpha1.Condition `json:"conditions,omitempty"`
+
+	// ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+
+	// A unique specifier for the BigtableAuthorizedView resource in GCP.
+	ExternalRef *string `json:"externalRef,omitempty"`
+
+	// ObservedState is the state of the resource as most recently observed in GCP.
+	ObservedState *BigtableAuthorizedViewObservedState `json:"observedState,omitempty"`
+}
+
+// BigtableAuthorizedViewObservedState is the state of the BigtableAuthorizedView resource as most recently observed in GCP.
+// +kcc:proto=google.bigtable.admin.v2.AuthorizedView
+type BigtableAuthorizedViewObservedState struct {
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=gcp,shortName=gcpbigtableauthorizedview;gcpbigtableauthorizedviews
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="cnrm.cloud.google.com/managed-by-kcc=true";"cnrm.cloud.google.com/system=true"
+// +kubebuilder:printcolumn:name="Age",JSONPath=".metadata.creationTimestamp",type="date"
+// +kubebuilder:printcolumn:name="Ready",JSONPath=".status.conditions[?(@.type=='Ready')].status",type="string",description="When 'True', the most recent reconcile of the resource succeeded"
+// +kubebuilder:printcolumn:name="Status",JSONPath=".status.conditions[?(@.type=='Ready')].reason",type="string",description="The reason for the value in 'Ready'"
+// +kubebuilder:printcolumn:name="Status Age",JSONPath=".status.conditions[?(@.type=='Ready')].lastTransitionTime",type="date",description="The last transition time for the value in 'Status'"
+
+// BigtableAuthorizedView is the Schema for the BigtableAuthorizedView API
+// +k8s:openapi-gen=true
+type BigtableAuthorizedView struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// +required
+	Spec   BigtableAuthorizedViewSpec   `json:"spec,omitempty"`
+	Status BigtableAuthorizedViewStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// BigtableAuthorizedViewList contains a list of BigtableAuthorizedView
+type BigtableAuthorizedViewList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BigtableAuthorizedView `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&BigtableAuthorizedView{}, &BigtableAuthorizedViewList{})
+}

apis/bigtable/v1alpha1/cluster_types.go

@@ -25,7 +25,7 @@ import (
 
 var BigtableClusterGVK = GroupVersion.WithKind("BigtableCluster")
 
-type Parent struct {
+type BigtableClusterParent struct {
 	// +required
 	ProjectRef *refv1beta1.ProjectRef `json:"projectRef"`
 	// +required
@@ -35,7 +35,7 @@ type Parent struct {
 // BigtableClusterSpec defines the desired state of BigtableCluster
 // +kcc:proto=google.bigtable.admin.v2.Cluster
 type BigtableClusterSpec struct {
-	Parent `json:",inline"`
+	BigtableClusterParent `json:",inline"`
 
 	// The BigtableCluster name. If not given, the metadata.name will be used.
 	ResourceID *string `json:"resourceID,omitempty"`