Merge pull request GoogleCloudPlatform#1281 from gemmahou/325512479
Promote AccessContextManagerServicePerimeterResource v1alpha1 to v1beta1
google-oss-prow[bot] authored Mar 8, 2024
2 parents c886951 + b6f9bf4 commit 6fc7b45
Showing 29 changed files with 819 additions and 207 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ metadata:
creationTimestamp: null
labels:
cnrm.cloud.google.com/managed-by-kcc: "true"
cnrm.cloud.google.com/stability-level: alpha
cnrm.cloud.google.com/stability-level: stable
cnrm.cloud.google.com/system: "true"
cnrm.cloud.google.com/tf2crd: "true"
name: accesscontextmanagerserviceperimeterresources.accesscontextmanager.cnrm.cloud.google.com
Expand All @@ -24,6 +24,146 @@ spec:
preserveUnknownFields: false
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: When 'True', the most recent reconcile of the resource succeeded
jsonPath: .status.conditions[?(@.type=='Ready')].status
name: Ready
type: string
- description: The reason for the value in 'Ready'
jsonPath: .status.conditions[?(@.type=='Ready')].reason
name: Status
type: string
- description: The last transition time for the value in 'Status'
jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
name: Status Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'apiVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
perimeterNameRef:
description: "Only the `external` field is supported to configure
the reference.\n\nThe name of the Service Perimeter to add this
resource to. \nReferencing a resource name leads to recursive reference
and KCC does not support the feature for now."
oneOf:
- not:
required:
- external
required:
- name
- not:
anyOf:
- required:
- name
- required:
- namespace
required:
- external
properties:
external:
description: 'Allowed value: The `name` field of an `AccessContextManagerServicePerimeter`
resource.'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
type: object
resourceRef:
description: A GCP resource that is inside of the service perimeter.
oneOf:
- not:
required:
- external
required:
- name
- not:
anyOf:
- required:
- name
- required:
- namespace
required:
- external
properties:
external:
description: 'Allowed value: string of the format `projects/{{value}}`,
where {{value}} is the `number` field of a `Project` resource.'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
type: object
required:
- perimeterNameRef
- resourceRef
type: object
status:
properties:
conditions:
description: Conditions represent the latest available observation
of the resource's current state.
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: Status is the status of the condition. Can be True,
False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
type: object
type: array
observedGeneration:
description: ObservedGeneration is the generation of the resource
that was most recently observed by the Config Connector controller.
If this is equal to metadata.generation, then that means that the
current reported status reflects the most recent desired state of
the resource.
type: integer
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
Expand Down Expand Up @@ -59,6 +199,10 @@ spec:
spec:
properties:
perimeterNameRef:
description: "Only the `external` field is supported to configure
the reference.\n\nThe name of the Service Perimeter to add this
resource to. \nReferencing a resource name leads to recursive reference
and KCC does not support the feature for now."
oneOf:
- not:
required:
Expand All @@ -75,8 +219,7 @@ spec:
- external
properties:
external:
description: 'Allowed value: string of the format `{{parent}}/servicePerimeters/{{value}}`,
where {{value}} is the `name` field of an `AccessContextManagerServicePerimeter`
description: 'Allowed value: The `name` field of an `AccessContextManagerServicePerimeter`
resource.'
type: string
name:
Expand All @@ -86,15 +229,37 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
type: object
resource:
description: |-
Immutable. A GCP resource that is inside of the service perimeter.
Currently only projects are allowed.
Format: projects/{project_number}.
type: string
resourceRef:
description: A GCP resource that is inside of the service perimeter.
oneOf:
- not:
required:
- external
required:
- name
- not:
anyOf:
- required:
- name
- required:
- namespace
required:
- external
properties:
external:
description: 'Allowed value: string of the format `projects/{{value}}`,
where {{value}} is the `number` field of a `Project` resource.'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
type: object
required:
- perimeterNameRef
- resource
- resourceRef
type: object
status:
properties:
Expand Down
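Review bot: In the last v1alpha1 hunk the schema drops `spec.resource` and makes `resourceRef` required while v1alpha1 is still the storage version (`storage: false` on the new v1beta1 entry), so an existing object created with `spec.resource` has that field pruned under `preserveUnknownFields: false` and is rejected on its next update for lacking `resourceRef`; unless one of the other changed files migrates stored objects, this is a breaking change to a resource that controls VPC Service Controls perimeter membership and deserves either a conversion step or an explicit release note. Separately, both versions' `perimeterNameRef` description says only `external` is supported, yet the `oneOf` still admits `name`/`namespace`, so a mis-set reference is caught only at reconcile time rather than at admission; if the CRD generator allows it, restrict the property to `required: [external]` (or add a `pattern` on `external`) so the mistake surfaces immediately. The trailing space in the description text `"resource to. \n"` will also show up verbatim in `kubectl explain`.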
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ spec:
# Config for DRY-RUN
# To use this 'useExplicitDryRunSpec' must be set to 'true'
# Replace "${ACCESS_POLICY_NUMBER}" with the numeric ID for your Access Policy
# Replace "${PROJECT_NUMBERx}" with the appropriate `project number` for the project to be protected by the perimeter
# Replace "${PROJECT_NUMBER}" with the appropriate `project number` for the project to be protected by the perimeter
spec:
# List of Access Levels to be applied for this perimeter
accessLevels:
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: accesscontextmanager.cnrm.cloud.google.com/v1beta1
kind: AccessContextManagerServicePerimeterResource
metadata:
name: accesscontextmanagerserviceperimeterresource-sample
spec:
perimeterNameRef:
# Referencing a resource name leads to recursive reference and KCC does not support the feature for now.
# Please use external reference instead.
# Replace "${ACCESS_POLICY_NUMBER}" with the numeric ID for your Access Policy
# Replace "${PERIMETER_SHORT_NAME}" with the name for the Service Perimeter to add this resource to
external: "accessPolicies/${ACCESS_POLICY_NUMBER}/servicePerimeters/${PERIMETER_SHORT_NAME}"
resourceRef:
# Replace "${PROJECT_NUMBER}" with the `number` for the project to be protected by the perimeter
external: "projects/${PROJECT_NUMBER}"
31 changes: 31 additions & 0 deletions config/servicemappings/accesscontextmanager.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -356,3 +356,34 @@ spec:
group: resourcemanager.cnrm.cloud.google.com
targetField: "number"
valueTemplate: "projects/{{value}}"
- name: google_access_context_manager_service_perimeter_resource
kind: AccessContextManagerServicePerimeterResource
idTemplate: "{{perimeter_name}}/{{resource}}"
idTemplateCanBeUsedToMatchResourceName: false
resourceAvailableInAssetInventory: false
v1alpha1ToV1beta1: true
storageVersion: v1alpha1
resourceReferences:
- key: resourceRef
tfField: resource
description: |-
A GCP resource that is inside of the service perimeter.
gvk:
kind: Project
version: v1beta1
group: resourcemanager.cnrm.cloud.google.com
targetField: number
valueTemplate: "projects/{{value}}"
- key: perimeterNameRef
tfField: perimeter_name
description: |-
Only the `external` field is supported to configure the reference.
The name of the Service Perimeter to add this resource to.
Referencing a resource name leads to recursive reference and KCC does not support the feature for now.
gvk:
kind: AccessContextManagerServicePerimeter
version: v1beta1
group: accesscontextmanager.cnrm.cloud.google.com
targetField: name
parent: true
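Review bot: The new `resourceRef` description drops the `Immutable.` marker that the removed `spec.resource` CRD description carried, so readers of the generated v1beta1 docs lose the warning that changing the referenced project forces the perimeter membership to be recreated rather than updated in place. Suggest restoring it, `Immutable. A GCP resource that is inside of the service perimeter.`, unless the underlying Terraform field's ForceNew was also removed, which this diff does not show. Also, `storageVersion: v1alpha1` next to `v1alpha1ToV1beta1: true` leaves v1beta1 as a served-but-not-stored version; if that is intentional until a later storage migration, a one-line comment saying so would stop the next reader from assuming the promotion is incomplete.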
7 changes: 4 additions & 3 deletions config/tests/samples/create/samples_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -112,9 +112,10 @@ var testDisabledList = map[string]bool{
// resources, so we shouldn't modify our existing one.
"accesscontextmanageraccesspolicy": true,
"accesscontextmanageraccesslevel": true,
// Behaviour of Service Perimeter is similar to access level and service policy.
// So disabling testing for Service Perimeter
"accesscontextmanagerserviceperimeter": true,
// Behaviour of Service Perimeter(Resource) is similar to access level and service policy.
// So disabling testing for Service Perimeter(Resource)
"accesscontextmanagerserviceperimeter": true,
"accesscontextmanagerserviceperimeterresource": true,
// Cloud Build Triggers for GitHub repos require the user to connect their
// GCP project to their GitHub repo first to work.
"build-trigger-for-github-repo": true,
Expand Down
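Review bot: The new `accesscontextmanagerserviceperimeterresource` entry disables the only sample test for the resource this commit promotes to v1beta1, so the new sample and the `resource`→`resourceRef` schema change ship with no executed coverage. The comment justifies this by analogy ("similar to access level and service policy"), which does not tell a later reader what actually blocks the test; a more useful comment states the precondition, e.g. `// Service Perimeter(Resource) samples mutate the shared org-level access policy and cannot run against the test project; disabled like the other ACM samples.` — assuming that is the real reason, which the surrounding lines only hint at. The `testDisabledList` map starts before this hunk.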
