Skip to content

Commit

Permalink
Merge pull request #3187 from nb-goog/keyhandle-update
Browse files Browse the repository at this point in the history
Keyhandle allow user to configure keyhandle ID
  • Loading branch information
google-oss-prow[bot] authored Nov 20, 2024
2 parents ca3d8bb + c648ccd commit 031f0e8
Show file tree
Hide file tree
Showing 8 changed files with 81 additions and 25 deletions.
30 changes: 17 additions & 13 deletions apis/kms/v1alpha1/keyhandle_reference.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ import (

refsv1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1"
"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/k8s"
"github.com/google/uuid"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/types"
Expand Down Expand Up @@ -103,22 +102,18 @@ func NewKMSKeyHandleRef(ctx context.Context, reader client.Reader, obj *KMSKeyHa
id.parent = &KMSKeyHandleParent{ProjectID: projectID, Location: location}

// Get desired ID
desiredHandleId := valueOf(obj.Spec.ResourceID)
if desiredHandleId != "" {
if _, err := uuid.Parse(desiredHandleId); err != nil {
return nil, fmt.Errorf("spec.resourceID should be in a UUID format, got %s ", desiredHandleId)
}
}
desiredHandleID := valueOf(obj.Spec.ResourceID)

// At this point we are expecting desiredHandleID to be either empty or valid uuid
// 1. if desiredHandleID empty:
// id.external will be projects/<pid>/locations/<loc>/keyHandles/. i.e without resourceID.
// A call will be made to find() with invalid externalID which will return false.
// 2. if desiredHandleID is a valid UUID: id.external will be valid.

// Use approved External
externalRef := valueOf(obj.Status.ExternalRef)
if externalRef != "" {
actualParent, actualHandleId, err := ParseKMSKeyHandleExternal(externalRef)
actualParent, actualHandleID, err := ParseKMSKeyHandleExternal(externalRef)
if err != nil {
return nil, err
}
Expand All @@ -129,20 +124,29 @@ func NewKMSKeyHandleRef(ctx context.Context, reader client.Reader, obj *KMSKeyHa
if actualParent.Location != location {
return nil, fmt.Errorf("spec.location changed, expect %s, got %s", actualParent.Location, location)
}
if desiredHandleId != "" && (actualHandleId != desiredHandleId) {
if desiredHandleID != "" && (actualHandleID != desiredHandleID) {
return nil, fmt.Errorf("cannot reset `spec.resourceID` to %s, since it has already assigned to %s",
desiredHandleId, actualHandleId)
desiredHandleID, actualHandleID)
}
id.External = externalRef
return id, nil
}
id.parent = &KMSKeyHandleParent{ProjectID: projectID, Location: location}
if desiredHandleId != "" {
id.External = id.parent.String() + "/keyHandles/" + desiredHandleId
}
id.External = id.parent.String() + "/keyHandles/" + desiredHandleID
return id, nil
}

func (r *KMSKeyHandleRef) KeyHandleID() (string, bool, error) {
if r.External != "" {
_, id, err := ParseKMSKeyHandleExternal(r.External)
if err != nil {
return "", false, err
}
return id, id != "", nil
}
return "", false, fmt.Errorf("KMSKeyHandleRef not normalized to External form or not created from `New()`")
}

func (r *KMSKeyHandleRef) Parent() (*KMSKeyHandleParent, error) {
if r.parent != nil {
return r.parent, nil
Expand Down
4 changes: 3 additions & 1 deletion apis/kms/v1alpha1/keyhandle_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,9 @@ var KMSKeyHandleGVK = GroupVersion.WithKind("KMSKeyHandle")
type KMSKeyHandleSpec struct {
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ResourceID field is immutable"
// Immutable.
// The KMSKeyHandle name. If not given, the metadata.name will be used.
// The KMS Key Handle ID used for resource creation or acquisition.
// For creation: If specified, this value is used as the key handle ID. If not provided, a UUID will be generated and assigned as the key handle ID.
// For acquisition: This field must be provided to identify the key handle resource to acquire.
ResourceID *string `json:"resourceID,omitempty"`

// Project hosting KMSKeyHandle
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -95,8 +95,11 @@ spec:
type: string
type: object
resourceID:
description: Immutable. The KMSKeyHandle name. If not given, the metadata.name
will be used.
description: 'Immutable. The KMS Key Handle ID used for resource creation
or acquisition. For creation: If specified, this value is used as
the key handle ID. If not provided, a UUID will be generated and
assigned as the key handle ID. For acquisition: This field must
be provided to identify the key handle resource to acquire.'
type: string
x-kubernetes-validations:
- message: ResourceID field is immutable
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 13 additions & 2 deletions pkg/controller/direct/kms/keyhandle/keyhandle_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -106,8 +106,11 @@ var _ directbase.Adapter = &Adapter{}
func (a *Adapter) Find(ctx context.Context) (bool, error) {
log := klog.FromContext(ctx).WithName(ctrlName)
log.V(2).Info("getting KeyHandle", "name", a.id.External)
if a.id.External == "" {
// cannot retrieve the key handle without ServiceGeneratedID, expecting to create a new connection
_, idIsSet, err := a.id.KeyHandleID()
if err != nil {
return false, err
}
if !idIsSet {
return false, nil
}
req := &kmspb.GetKeyHandleRequest{Name: a.id.External}
Expand Down Expand Up @@ -138,10 +141,18 @@ func (a *Adapter) Create(ctx context.Context, createOp *directbase.CreateOperati
if err != nil {
return err
}
id, idIsSet, err := a.id.KeyHandleID()
if err != nil {
return err
}

req := &kmspb.CreateKeyHandleRequest{
Parent: parent.String(),
KeyHandle: resource,
}
if idIsSet {
req.KeyHandleId = id
}
op, err := a.gcpClient.CreateKeyHandle(ctx, req)
if err != nil {
return fmt.Errorf("creating KeyHandle %s: %w", a.id.External, err)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ spec:
location: us-central1
projectRef:
external: projects/${uniqueId}
resourceID: 5a4fa10e-995d-4ee0-a426-a220aa390320
resourceTypeSelector: compute.googleapis.com/Disk
status:
conditions:
Expand All @@ -21,6 +22,6 @@ status:
reason: UpToDate
status: "True"
type: Ready
externalRef: projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d
externalRef: projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320
observedGeneration: 1
observedState: {}
Original file line number Diff line number Diff line change
@@ -1,9 +1,43 @@
POST https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles?%24alt=json%3Benum-encoding%3Dint
GET https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320?%24alt=json%3Benum-encoding%3Dint
Content-Type: application/json
User-Agent: kcc/controller-manager
x-goog-request-params: name=projects%2F${uniqueId}%2Flocations%2Fus-central1%2FkeyHandles%2F5a4fa10e-995d-4ee0-a426-a220aa390320

404 Not Found
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
"error": {
"code": 404,
"errors": [
{
"domain": "global",
"message": "keyHandle \"projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320\" not found",
"reason": "notFound"
}
],
"message": "keyHandle \"projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320\" not found",
"status": "NOT_FOUND"
}
}

---

POST https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles?%24alt=json%3Benum-encoding%3Dint&keyHandleId=5a4fa10e-995d-4ee0-a426-a220aa390320
Content-Type: application/json
User-Agent: kcc/controller-manager
x-goog-request-params: parent=projects%2F${uniqueId}%2Flocations%2Fus-central1

{
"name": "projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320",
"resourceTypeSelector": "compute.googleapis.com/Disk"
}

Expand Down Expand Up @@ -45,17 +79,17 @@ X-Xss-Protection: 0
"name": "projects/${uniqueId}/locations/us-central1/operations/${operationID}",
"response": {
"@type": "type.googleapis.com/google.cloud.kms.v1.KeyHandle",
"name": "projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d",
"name": "projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320",
"resourceTypeSelector": "compute.googleapis.com/Disk"
}
}

---

GET https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d?%24alt=json%3Benum-encoding%3Dint
GET https://cloudkms.googleapis.com/v1/projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320?%24alt=json%3Benum-encoding%3Dint
Content-Type: application/json
User-Agent: kcc/controller-manager
x-goog-request-params: name=projects%2F${uniqueId}%2Flocations%2Fus-central1%2FkeyHandles%2F5fe9854c-4a75-4ec9-8c27-c235754b981d
x-goog-request-params: name=projects%2F${uniqueId}%2Flocations%2Fus-central1%2FkeyHandles%2F5a4fa10e-995d-4ee0-a426-a220aa390320

200 OK
Cache-Control: private
Expand All @@ -69,6 +103,6 @@ X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
"name": "projects/${uniqueId}/locations/us-central1/keyHandles/5fe9854c-4a75-4ec9-8c27-c235754b981d",
"name": "projects/${uniqueId}/locations/us-central1/keyHandles/5a4fa10e-995d-4ee0-a426-a220aa390320",
"resourceTypeSelector": "compute.googleapis.com/Disk"
}
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ kind: KMSKeyHandle
metadata:
name: keyhandle-${uniqueId}
spec:
resourceID: 5a4fa10e-995d-4ee0-a426-a220aa390320
projectRef:
external: projects/${uniqueId}
location: us-central1
Expand Down

0 comments on commit 031f0e8

Please sign in to comment.