Implement SaaS-Based Approval Workflow for ClientIntents

.gitattributes

@@ -2,4 +2,5 @@
 generated.go linguist-generated=true
 go.mod linguist-generated=true
 go.sum linguist-generated=true
-schema.graphql linguist-generated=true
+schema.graphql linguist-generated=true
+*.patched linguist-generated=true

src/operator/Makefile

@@ -17,6 +17,7 @@ IMG ?= $(IMAGE_TAG_BASE):operator-$(VERSION)
 
 LOCAL_IMAGE_TAG ?= 0.0.0
 OPERATOR_DEBUG_IMAGE ?= otterize/intents-operator:$(LOCAL_IMAGE_TAG)
+OPERATOR_WEBHOOK_DEBUG_IMAGE ?= otterize/intents-operator-webhook-server:$(LOCAL_IMAGE_TAG)
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.24.1
@@ -99,6 +100,7 @@ docker-build: test ## Build docker image with the manager.
 .PHONY: docker-build-local
 docker-build-local: test ## Build docker image with the manager.
 	docker build --build-arg="VERSION=$(LOCAL_IMAGE_TAG)" -t ${OPERATOR_DEBUG_IMAGE} -f ../intents-operator.Dockerfile ../
+	docker build --build-arg="VERSION=$(LOCAL_IMAGE_TAG)" -t ${OPERATOR_WEBHOOK_DEBUG_IMAGE} -f ../intents-operator-webhook-server.Dockerfile ../
 
 
 .PHONY: docker-push
@@ -109,6 +111,8 @@ docker-push: ## Push docker image with the manager.
 minikube-push: ## For MacOS users: Push locally built docker images directly into minikube VM since it doesn't access local docker registry directly.
 	minikube ssh "docker rmi -f $(OPERATOR_DEBUG_IMAGE)"
 	minikube image load ${OPERATOR_DEBUG_IMAGE}
+	minikube ssh "docker rmi -f $(OPERATOR_WEBHOOK_DEBUG_IMAGE)"
+	minikube image load ${OPERATOR_WEBHOOK_DEBUG_IMAGE}
 
 
 ##@ Deployment
@@ -138,6 +142,7 @@ deploy: manifests copy-manifests-to-helm helm-dependency
 deploy-local: manifests copy-manifests-to-helm helm-dependency ## Deploy images built locally into the cluster.
 	helm upgrade --install -n otterize-system --create-namespace otterize $(OTTERIZE_HELM_CHART_DIR) \
 	--set intentsOperator.operator.tag=$(LOCAL_IMAGE_TAG) \
+	--set intentsOperator.webhookServer.tag=$(LOCAL_IMAGE_TAG) \
 	--set intentsOperator.operator.pullPolicy=Never \
 	--set global.telemetry.enabled=false
 

src/operator/api/v2alpha1/approved_clientintents_types.go

@@ -0,0 +1,235 @@
+package v2alpha1
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/otterize/intents-operator/src/shared/errors"
+	"github.com/otterize/intents-operator/src/shared/otterizecloud/graphqlclient"
+	"github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
+	"github.com/samber/lo"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"strconv"
+)
+
+func init() {
+	SchemeBuilder.Register(&ApprovedClientIntents{}, &ApprovedClientIntentsList{})
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+type ApprovedClientIntents struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	Spec   *IntentsSpec                `json:"spec,omitempty" yaml:"spec,omitempty"`
+	Status ApprovedClientIntentsStatus `json:"status,omitempty" yaml:"status,omitempty"`
+}
+
+// ApprovedClientIntentsList contains a list of ApprovedClientIntents
+type ApprovedClientIntentsList struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Items           []ApprovedClientIntents `json:"items" yaml:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ApprovedClientIntents{}, &ApprovedClientIntentsList{})
+}
+
+func (in *ApprovedClientIntentsList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+type ApprovedClientIntentsStatus struct {
+	// upToDate field reflects whether the client intents have successfully been applied
+	// to the cluster to the state specified
+	// +optional
+	UpToDate bool `json:"upToDate"`
+	// The last generation of the intents that was successfully reconciled.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration"`
+	// ResolvedIPs stores resolved IPs for a domain name - the network mapper populates it when DNS internetTarget is used
+	// +optional
+	ResolvedIPs []ResolvedIPs `json:"resolvedIPs,omitempty" yaml:"resolvedIPs,omitempty"`
+}
+
+func (in *ApprovedClientIntents) GetWorkloadName() string {
+	return in.Spec.Workload.Name
+}
+
+func (in *ApprovedClientIntents) GetTargetList() []Target {
+	return in.Spec.Targets
+}
+
+func (in *ApprovedClientIntents) GetFilteredTargetList(intentTypes ...IntentType) []Target {
+	return lo.Filter(in.GetTargetList(), func(item Target, index int) bool {
+		for _, intentType := range intentTypes {
+			if intentType == IntentTypeHTTP {
+				if item.Kubernetes != nil && len(item.Kubernetes.HTTP) > 0 {
+					return true
+				}
+				if item.Service != nil && len(item.Service.HTTP) > 0 {
+					return true
+				}
+			}
+			if intentType == IntentTypeKafka && item.Kafka != nil {
+				return true
+			}
+			if intentType == IntentTypeDatabase && item.SQL != nil {
+				return true
+			}
+			if intentType == IntentTypeAWS && item.AWS != nil {
+				return true
+			}
+			if intentType == IntentTypeGCP && item.GCP != nil {
+				return true
+			}
+			if intentType == IntentTypeAzure && item.Azure != nil {
+				return true
+			}
+			if intentType == IntentTypeInternet && item.Internet != nil {
+				return true
+			}
+		}
+		return false
+	})
+}
+
+func (in *ApprovedClientIntents) GetClientKind() string {
+	if in.Spec.Workload.Kind == "" {
+		return serviceidentity.KindOtterizeLegacy
+	}
+	return in.Spec.Workload.Kind
+}
+
+func (in *ApprovedClientIntents) GetIntentsLabelMapping(requestNamespace string) map[string]string {
+	otterizeAccessLabels := make(map[string]string)
+
+	for _, intent := range in.GetTargetList() {
+		if intent.IsTargetOutOfCluster() {
+			continue
+		}
+		targetServiceIdentity := intent.ToServiceIdentity(requestNamespace)
+		labelKey := fmt.Sprintf(OtterizeAccessLabelKey, targetServiceIdentity.GetFormattedOtterizeIdentityWithKind())
+		if intent.IsTargetServerKubernetesService() {
+			labelKey = fmt.Sprintf(OtterizeSvcAccessLabelKey, targetServiceIdentity.GetFormattedOtterizeIdentityWithKind())
+		}
+		otterizeAccessLabels[labelKey] = "true"
+	}
+
+	return otterizeAccessLabels
+}
+
+func (in *ApprovedClientIntents) GetServersWithoutSidecar() (sets.Set[string], error) {
+	if in.Annotations == nil {
+		return sets.New[string](), nil
+	}
+
+	servers, ok := in.Annotations[OtterizeServersWithoutSidecarAnnotation]
+	if !ok {
+		return sets.New[string](), nil
+	}
+
+	serversList := make([]string, 0)
+	err := json.Unmarshal([]byte(servers), &serversList)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	return sets.New[string](serversList...), nil
+}
+
+func (in *ApprovedClientIntents) GetDatabaseIntents() []Target {
+	return in.GetFilteredTargetList(IntentTypeDatabase)
+}
+
+func (in *ApprovedClientIntents) FromClientIntents(intents ClientIntents) {
+	in.Name = intents.Name
+	in.Namespace = intents.GetNamespace()
+	in.Spec = intents.Spec
+}
+
+func (in *ApprovedClientIntentsList) FormatAsOtterizeIntents(ctx context.Context, k8sClient client.Client) ([]*graphqlclient.IntentInput, error) {
+	otterizeIntents := make([]*graphqlclient.IntentInput, 0)
+	for _, clientIntents := range in.Items {
+		for _, intent := range clientIntents.GetTargetList() {
+			clientServiceIdentity := clientIntents.ToServiceIdentity()
+			input, err := intent.ConvertToCloudFormat(ctx, k8sClient, clientServiceIdentity)
+			if err != nil {
+				return nil, errors.Wrap(err)
+			}
+			statusInput, ok, err := approvedClientIntentsStatusToCloudFormat(clientIntents, intent)
+			if err != nil {
+				return nil, errors.Wrap(err)
+			}
+
+			input.Status = nil
+			if ok {
+				input.Status = statusInput
+			}
+			otterizeIntents = append(otterizeIntents, lo.ToPtr(input))
+		}
+	}
+
+	return otterizeIntents, nil
+}
+
+func approvedClientIntentsStatusToCloudFormat(approvedClientIntents ApprovedClientIntents, intent Target) (*graphqlclient.IntentStatusInput, bool, error) {
+	status := graphqlclient.IntentStatusInput{
+		IstioStatus: &graphqlclient.IstioStatusInput{},
+	}
+
+	serviceAccountName, ok := approvedClientIntents.Annotations[OtterizeClientServiceAccountAnnotation]
+	if !ok {
+		// Status is not set, nothing to do
+		return nil, false, nil
+	}
+
+	status.IstioStatus.ServiceAccountName = toPtrOrNil(serviceAccountName)
+	isSharedValue, ok := approvedClientIntents.Annotations[OtterizeSharedServiceAccountAnnotation]
+	isShared := false
+	if ok {
+		parsedIsShared, err := strconv.ParseBool(isSharedValue)
+		if err != nil {
+			return nil, false, errors.Errorf("failed to parse shared service account annotation for approved client intents %s", approvedClientIntents.Name)
+		}
+		isShared = parsedIsShared
+	}
+	status.IstioStatus.IsServiceAccountShared = lo.ToPtr(isShared)
+
+	clientMissingSidecarValue, ok := approvedClientIntents.Annotations[OtterizeMissingSidecarAnnotation]
+	clientMissingSidecar := false
+	if ok {
+		parsedClientMissingSidecar, err := strconv.ParseBool(clientMissingSidecarValue)
+		if err != nil {
+			return nil, false, errors.Errorf("failed to parse missing sidecar annotation for approved client intents %s", approvedClientIntents.Name)
+		}
+		clientMissingSidecar = parsedClientMissingSidecar
+	}
+	status.IstioStatus.IsClientMissingSidecar = lo.ToPtr(clientMissingSidecar)
+
+	isServerMissingSidecar, err := approvedClientIntents.IsServerMissingSidecar(intent)
+	if err != nil {
+		return nil, false, errors.Wrap(err)
+	}
+	status.IstioStatus.IsServerMissingSidecar = lo.ToPtr(isServerMissingSidecar)
+	return &status, true, nil
+}
+
+func (in *ApprovedClientIntents) IsServerMissingSidecar(intent Target) (bool, error) {
+	serversSet, err := in.GetServersWithoutSidecar()
+	if err != nil {
+		return false, errors.Wrap(err)
+	}
+	identity := intent.ToServiceIdentity(in.Namespace)
+	serverIdentity := identity.GetFormattedOtterizeIdentityWithoutKind()
+	return serversSet.Has(serverIdentity), nil
+}