Implement SaaS-Based Approval Workflow for ClientIntents #569
Conversation
…nto evya/approved_intents_crd
…raphQL mutations and queries for applied intents requests
| } | ||
|
|
||
| // ApprovedIntentsReconciler reconciles a Intents object | ||
| type ApprovedIntentsReconciler struct { |
There was a problem hiding this comment.
This is essentially what was referred to as the Intents Reconciler
| @@ -115,21 +86,39 @@ func NewIntentsReconciler( | |||
| //+kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;update;create;patch | |||
| // +kubebuilder:rbac:groups=iam.cnrm.cloud.google.com,resources=iampartialpolicies,verbs=get;list;watch;create;update;patch;delete | |||
|
|
|||
| // Reconcile is part of the main kubernetes reconciliation loop which aims to | |||
| // move the current state of the cluster closer to the desired state. | |||
| // Reconcile - main reconciliation loop | |||
There was a problem hiding this comment.
Explanation about how the "clientIntents to ApprovedClientIntents" lifecycle works
omris94
changed the title
clientIntentsclientIntents
…r upToDates with their corresponding ClientIntents
…lientIntents for every clientIntents while the operator will wait for the migration to end.
1. When first reconciled - add finalizer 2. When deleted - trigger approvedClientIntent deletion a. If does not exist - remove finalizer b. If exists - delete approvedClientIntent and return 3. When approvedClientIntents is deleted - remove finalizer from clientIntents before removing its own
omris94
changed the title
clientIntents
| @@ -66,6 +66,9 @@ const ( | |||
| SeparateNetpolsForIngressAndEgress = "separate-netpols-for-ingress-and-egress" | |||
| SeparateNetpolsForIngressAndEgressDefault = false | |||
| ExternallyManagedPolicyWorkloadsKey = "externallyManagedPolicyWorkloads" | |||
|
|
|||
| EnableIntentsCloudApproval = "enable-intents-cloud-approval" | |||
| EnableIntentsCloudApprovalDefault = true | |||
There was a problem hiding this comment.
Change before merge
| //+kubebuilder:object:root=true | ||
| //+kubebuilder:subresource:status | ||
|
|
||
| // ApprovedClientIntents is the Schema for the intents API |
| ObservedGeneration int64 `json:"observedGeneration"` | ||
| // ResolvedIPs stores resolved IPs for a domain name - the network mapper populates it when DNS internetTarget is used | ||
| // +optional | ||
| ResolvedIPs []ResolvedIPs `json:"resolvedIPs,omitempty" yaml:"resolvedIPs,omitempty"` |
There was a problem hiding this comment.
Don't forget to open a PR to update the mapper with this change + release them together
| @@ -365,14 +374,21 @@ type AzureKeyVaultPolicy struct { | |||
| type IntentsStatus struct { | |||
| // upToDate field reflects whether the client intents have successfully been applied | |||
| // to the cluster to the state specified | |||
| // Deprecated: Use ApprovedClientIntents.Status.UpToDate instead | |||
| @@ -365,14 +374,21 @@ type AzureKeyVaultPolicy struct { | |||
| type IntentsStatus struct { | |||
There was a problem hiding this comment.
Consider renaming to ClientIntentsStatus (the name IntentsStatus is even more confusing, now that we have "ClientIntents" and "ApprovedClientIntents" and "ApprovedClientIntentsStatus"
| //+kubebuilder:rbac:groups=k8s.otterize.com,resources=postgresqlserverconfigs,verbs=get;list;watch;create;update;patch;delete | ||
| //+kubebuilder:rbac:groups=k8s.otterize.com,resources=mysqlserverconfigs,verbs=get;list;watch;create;update;patch;delete |
There was a problem hiding this comment.
Cleanup required RBAC permissions here
| Namespace: clientIntents.Namespace, | ||
| }, | ||
| func (r *IntentsReconciler) handleCloudAppliedIntentsRequests(ctx context.Context, intents otterizev2alpha1.ClientIntents) error { | ||
| if intents.Status.ReviewStatus == otterizev2alpha1.ReviewStatusApproved || !intents.DeletionTimestamp.IsZero() { |
There was a problem hiding this comment.
can we remove this "if"? The caller shouldn't call this function if this is the case (and as far as I can tell it really doesn't)
| // Will be handled elsewhere | ||
| return nil | ||
| } | ||
| if intents.Status.ReviewStatus == "" { |
There was a problem hiding this comment.
shouldn't this already be handled by the main flow? I'd expect the main flow to ensure the status is set.
| return res | ||
| }) | ||
| if err != nil { | ||
| func (r *IntentsReconciler) queryAppliedIntentsRequestsStatus(ctx context.Context) error { |
There was a problem hiding this comment.
queryAppliedIntentsRequestsStatus sounds like it's just querying (readonly), but really it also queries the cloud and updates the request status. The name should be more indicative.
| if address.TargetRef == nil || address.TargetRef.Kind != "Pod" { | ||
| continue | ||
| } | ||
| func (r *IntentsReconciler) handleRequestStatusChanges(ctx context.Context, request operator_cloud_client.AppliedIntentsRequestStatus, clientIntents otterizev2alpha1.ClientIntents) error { |
There was a problem hiding this comment.
Maybe handleRequestStatusResponse? It didn't necessarily change
Description
This pull request introduces a SaaS-based approval workflow for
ClientIntentswithin the Otterize intents-operator. By default, there are no changes to the user API unless explicitly configured by the user.Key Changes
ApprovedClientIntents CRD:
A new Custom Resource Definition (CRD) named
ApprovedClientIntentshas been added. This CRD representsClientIntentsresources that have been approved, facilitating a controlled and auditable access management process.Refactoring of Intents Reconciliation:
The existing
IntentsReconcilerlogic has been refactored intoApprovedIntentsReconciler. All operations previously triggered by the reconciliation of intents now utilize the newApprovedClientIntentsCRD, ensuring that only approved intents are enforced.Introduction of Approval Flow Reconciler:
A new reconciler has been implemented to handle the approval flow. By default, the operator auto-approves any
ClientIntents. If configured to integrate with the cloud, it reports theClientIntentsas access requests to the cloud and awaits approval status. Once a request is approved, it triggers the creation of anApprovedClientIntentsresource.Testing
Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.
Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.
Also include details of the environment this PR was developed in (language/platform/browser version).
Checklist