CLOUDP-78181: ip access list (part 3) (#92)

Author: Anton

config/crd/bases/atlas.mongodb.com_atlasprojects.yaml

@@ -118,6 +118,35 @@ spec:
                   - type
                   type: object
                 type: array
+              expiredIpAccessList:
+                description: The list of IP Access List entries that are expired due
+                  to 'deleteAfterDate' being less than the current date. Note, that
+                  this field is updated by the Atlas Operator only after specification
+                  changes
+                items:
+                  description: TODO solve circular dependency (move ProjectIPAccessList
+                    to subpackage?) Copy of mdbv1.ProjectIPAccessList
+                  properties:
+                    awsSecurityGroup:
+                      description: Unique identifier of AWS security group in this
+                        access list entry.
+                      type: string
+                    cidrBlock:
+                      description: Range of IP addresses in CIDR notation in this
+                        access list entry.
+                      type: string
+                    comment:
+                      description: Comment associated with this access list entry.
+                      type: string
+                    deleteAfterDate:
+                      description: Timestamp in ISO 8601 date and time format in UTC
+                        after which Atlas deletes the temporary access list entry.
+                      type: string
+                    ipAddress:
+                      description: Entry using an IP address in this access list entry.
+                      type: string
+                  type: object
+                type: array
               id:
                 description: The ID of the Atlas Project
                 type: string

pkg/api/v1/status/atlasproject.go

@@ -10,6 +10,11 @@ func AtlasProjectIDOption(id string) AtlasProjectStatusOption {
 		s.ID = id
 	}
 }
+func AtlasProjectExpiredIPAccessOption(lists []ProjectIPAccessList) AtlasProjectStatusOption {
+	return func(s *AtlasProjectStatus) {
+		s.ExpiredIPAccessList = lists
+	}
+}
 
 // AtlasProjectStatus defines the observed state of AtlasProject
 type AtlasProjectStatus struct {
@@ -18,4 +23,29 @@ type AtlasProjectStatus struct {
 	// The ID of the Atlas Project
 	// +optional
 	ID string `json:"id,omitempty"`
+
+	// The list of IP Access List entries that are expired due to 'deleteAfterDate' being less than the current date.
+	// Note, that this field is updated by the Atlas Operator only after specification changes
+	ExpiredIPAccessList []ProjectIPAccessList `json:"expiredIpAccessList,omitempty"`
+}
+
+// TODO solve circular dependency (move ProjectIPAccessList to subpackage?)
+
+// ProjectIPAccessList is a copy of mdbv1.ProjectIPAccessList
+type ProjectIPAccessList struct {
+	// Unique identifier of AWS security group in this access list entry.
+	// +optional
+	AwsSecurityGroup string `json:"awsSecurityGroup,omitempty"`
+	// Range of IP addresses in CIDR notation in this access list entry.
+	// +optional
+	CIDRBlock string `json:"cidrBlock,omitempty"`
+	// Comment associated with this access list entry.
+	// +optional
+	Comment string `json:"comment,omitempty"`
+	// Timestamp in ISO 8601 date and time format in UTC after which Atlas deletes the temporary access list entry.
+	// +optional
+	DeleteAfterDate string `json:"deleteAfterDate,omitempty"`
+	// Entry using an IP address in this access list entry.
+	// +optional
+	IPAddress string `json:"ipAddress,omitempty"`
 }

pkg/api/v1/status/zz_generated.deepcopy.go

@@ -9,6 +9,7 @@ import (
 	"go.uber.org/zap"
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/status"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlas"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/workflow"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/set"
@@ -20,14 +21,23 @@ import (
 type atlasProjectIPAccessList mongodbatlas.ProjectIPAccessList
 
 func (i atlasProjectIPAccessList) Identifier() interface{} {
+	// hack: Atlas adds the CIDRBlock in case IPAddress is specified in the response.
+	// This doesn't conform to the "update" contract (one field per List) and doesn't allow to "merge" lists.
+	// So we ignore the CIDRblock in this case.
+	// Note, this used to have "&& strings.HasPrefix(i.CIDRBlock, i.IPAddress" check as well but according to the example:
+	// https://docs.atlas.mongodb.com/reference/api/ip-access-list/add-entries-to-access-list/#example-body the IP may
+	// be not a prefix of CIDR!
+	if i.CIDRBlock != "" && i.IPAddress != "" {
+		return i.AwsSecurityGroup + i.IPAddress
+	}
 	return i.CIDRBlock + i.AwsSecurityGroup + i.IPAddress
 }
 
 func (r *AtlasProjectReconciler) ensureIPAccessList(ctx *workflow.Context, connection atlas.Connection, projectID string, project *mdbv1.AtlasProject) workflow.Result {
 	if err := validateIPAccessLists(project.Spec.ProjectIPAccessList); err != nil {
 		return workflow.Terminate(workflow.ProjectIPAccessInvalid, err.Error())
 	}
-	active, _ := filterActiveIPAccessLists(project.Spec.ProjectIPAccessList)
+	active, expired := filterActiveIPAccessLists(project.Spec.ProjectIPAccessList)
 
 	client, err := atlas.Client(r.AtlasDomain, connection, ctx.Log)
 	if err != nil {
@@ -36,7 +46,12 @@ func (r *AtlasProjectReconciler) ensureIPAccessList(ctx *workflow.Context, conne
 	if result := createOrDeleteInAtlas(client, projectID, active, ctx.Log); !result.IsOk() {
 		return result
 	}
-	// TODO update status - add the expired project IP access list there
+	// TODO remove after the circular dependency is solved
+	expiredCopy := make([]status.ProjectIPAccessList, len(expired))
+	for i, list := range expired {
+		expiredCopy[i] = status.ProjectIPAccessList(list)
+	}
+	ctx.EnsureStatusOption(status.AtlasProjectExpiredIPAccessOption(expiredCopy))
 	return workflow.OK()
 }
 

pkg/controller/atlasproject/ipaccess_list.go

@@ -34,6 +34,7 @@ import (
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	ctrzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -92,14 +93,23 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	fmt.Printf("Api Server is listening on %s\n", cfg.Host)
 	return []byte(cfg.Host)
 }, func(data []byte) {
-	// This is the host that was serialized on the 1st node by the function above.
-	host := string(data)
-	// copied from Environment.Start()
-	cfg = &rest.Config{
-		Host: host,
-		// gotta go fast during tests -- we don't really care about overwhelming our test API server
-		QPS:   1000.0,
-		Burst: 2000.0,
+	if os.Getenv("USE_EXISTING_CLUSTER") != "" {
+		var err error
+		// For the existing cluster we read the kubeconfig
+		cfg, err = config.GetConfig()
+		if err != nil {
+			panic("Failed to read the config for existing cluster")
+		}
+	} else {
+		// This is the host that was serialized on the 1st node by the function above.
+		host := string(data)
+		// copied from Environment.Start()
+		cfg = &rest.Config{
+			Host: host,
+			// gotta go fast during tests -- we don't really care about overwhelming our test API server
+			QPS:   1000.0,
+			Burst: 2000.0,
+		}
 	}
 
 	err := mdbv1.AddToScheme(scheme.Scheme)