feat(*): add traffic access v1alpha3 api

- update traffic access struct to make rule and source
required as per servicemeshinterface/smi-spec#192

Signed-off-by: Michelle Noorali <[email protected]>

Author: Michelle Noorali

.gitignore

@@ -15,3 +15,5 @@ vendor
 Gopkg.lock
 
 .vscode
+
+.DS_Store

hack/update-codegen.sh

@@ -64,7 +64,7 @@ generate_client "split" "v1alpha1,v1alpha2,v1alpha3"
 
 echo ""
 echo "##### Generating access client ######"
-generate_client "access" "v1alpha1,v1alpha2"
+generate_client "access" "v1alpha1,v1alpha2,v1alpha3"
 
 echo ""
 echo "##### Generating metrics client ######"

pkg/apis/access/v1alpha3/doc.go

@@ -0,0 +1,4 @@
+// +k8s:deepcopy-gen=package
+// +groupName=access.smi-spec.io
+
+package v1alpha3

pkg/apis/access/v1alpha3/register.go

@@ -0,0 +1,48 @@
+package v1alpha3
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	ts "github.com/servicemeshinterface/smi-sdk-go/pkg/apis/access"
+)
+
+// SchemeGroupVersion is the identifier for the API which includes
+// the name of the group and the version of the API
+var SchemeGroupVersion = schema.GroupVersion{
+	Group:   ts.GroupName,
+	Version: "v1alpha3",
+}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// SchemeBuilder collects functions that add things to a scheme. It's to allow
+	// code to compile without explicitly referencing generated types. You should
+	// declare one in each package that will have generated deep copy or conversion
+	// functions.
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+
+	// AddToScheme applies all the stored functions to the scheme. A non-nil error
+	// indicates that one function failed and the attempt was abandoned.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TrafficTarget{},
+		&TrafficTargetList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

pkg/apis/access/v1alpha3/traffic_target.go

@@ -0,0 +1,78 @@
+package v1alpha3
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:noStatus
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TrafficTarget associates a set of traffic definitions (rules) with a service identity which is allocated to a group of pods.
+// Access is controlled via referenced TrafficSpecs and by a list of source service identities.
+// * If a pod which holds the referenced service identity makes a call to the destination on one of the defined routes then access
+//   will be allowed
+// * Any pod which attempts to connect and is not in the defined list of sources will be denied
+// * Any pod which is in the defined list, but attempts to connect on a route which is not in the list of the
+//   TrafficSpecs will be denied
+type TrafficTarget struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec TrafficTargetSpec `json:"spec"`
+}
+
+// TrafficTargetSpec is the specification of a TrafficTarget
+type TrafficTargetSpec struct {
+	// Selector is the pod or group of pods to allow ingress traffic
+	Destination IdentityBindingSubject `json:"destination"`
+
+	// Sources are the pod or group of pods to allow ingress traffic
+	Sources []IdentityBindingSubject `json:"sources,omitempty"`
+
+	// Rules are the traffic rules to allow (HTTPRoutes | TCPRoute)
+	Rules []TrafficTargetRule `json:"rules,omitempty"`
+}
+
+// TrafficTargetRule is the TrafficSpec to allow for a TrafficTarget
+type TrafficTargetRule struct {
+	// Kind is the kind of TrafficSpec to allow
+	Kind string `json:"kind"`
+
+	// Name of the TrafficSpec to use
+	Name string `json:"name"`
+
+	// Matches is a list of TrafficSpec routes to allow traffic for
+	// +optional
+	Matches []string `json:"matches,omitempty"`
+}
+
+// IdentityBindingSubject is a Kubernetes objects which should be allowed access to the TrafficTarget
+type IdentityBindingSubject struct {
+	// Kind is the type of Subject to allow ingress (ServiceAccount | Group)
+	Kind string `json:"kind"`
+
+	// Name of the Subject, i.e. ServiceAccountName
+	Name string `json:"name"`
+
+	// Namespace where the Subject is deployed
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// Port defines a TCP port to apply the TrafficTarget to
+	// +optional
+	Port *int `json:"port,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+//
+// TrafficTargetList satisfy K8s code gen requirements
+type TrafficTargetList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []TrafficTarget `json:"items"`
+}