Add fields for ML Storage CRD (#1502)

* Add fields for ML Storage CRD - copy/move a few security-related constants into shared package
arangodb · Nov 23, 2023 · 331951a · 331951a
1 parent 8cdc6b9
commit 331951a
Show file tree

Hide file tree

Showing 12 changed files with 402 additions and 123 deletions.
diff --git a/docs/api/ArangoDeployment.V1.md b/docs/api/ArangoDeployment.V1.md
diff --git a/docs/api/ArangoMLStorage.V1Alpha1.md b/docs/api/ArangoMLStorage.V1Alpha1.md
@@ -2,5 +2,71 @@
 
 ## Spec
 
+### .spec.listenPort
+
+Type: `integer` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_spec.go#L32)</sup>
+
+ListenPort defines on which port the sidecar container will be listening for connections
+
+Default Value: `9201`
+
+***
+
+### .spec.resources
+
+Type: `core.ResourceRequirements` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_spec.go#L37)</sup>
+
+Resources holds resource requests & limits for container running the S3 proxy
+
+Links:
+* [Documentation of core.ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core)
+
+***
+
+### .spec.s3.bucketName
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L39)</sup>
+
+BucketName specifies the name of the bucket
+Required
+
+***
+
+### .spec.s3.credentialsSecret
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L42)</sup>
+
+CredentialsSecretName specifies the name of the secret containing AccessKey and SecretKey for S3 API authorization
+Required
+
+***
+
+### .spec.s3.disableSSL
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L33)</sup>
+
+DisableSSL if set to true, no certificate checks will be performed for Endpoint
+
+Default Value: `false`
+
+***
+
+### .spec.s3.endpoint
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L30)</sup>
+
+Endpoint specifies the S3 API-compatible endpoint which implements storage
+Required
+
+***
+
+### .spec.s3.region
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L36)</sup>
+
+Region defines the availability zone name. If empty, defaults to 'us-east-1'
+
+Default Value: `""`
+
 ## Status
 
diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec.go b/pkg/apis/deployment/v1/server_group_security_context_spec.go
@@ -26,15 +26,10 @@ import (
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
+	"github.com/arangodb/kube-arangodb/pkg/apis/shared"
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
 
-const (
-	defaultRunAsUser  = 1000
-	defaultRunAsGroup = 2000
-	defaultFSGroup    = 3000
-)
-
 // ServerGroupSpecSecurityContext contains specification for pod security context
 type ServerGroupSpecSecurityContext struct {
 	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
@@ -147,7 +142,7 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 
 		if psc.FSGroup == nil {
-			psc.FSGroup = util.NewType[int64](defaultFSGroup)
+			psc.FSGroup = util.NewType[int64](shared.DefaultFSGroup)
 		}
 	}
 
@@ -186,10 +181,10 @@ func (s *ServerGroupSpecSecurityContext) NewSecurityContext(secured ...bool) *co
 
 	if len(secured) > 0 && secured[0] {
 		if r.RunAsUser == nil {
-			r.RunAsUser = util.NewType[int64](defaultRunAsUser)
+			r.RunAsUser = util.NewType[int64](shared.DefaultRunAsUser)
 		}
 		if r.RunAsGroup == nil {
-			r.RunAsGroup = util.NewType[int64](defaultRunAsGroup)
+			r.RunAsGroup = util.NewType[int64](shared.DefaultRunAsGroup)
 		}
 		if r.RunAsNonRoot == nil {
 			r.RunAsNonRoot = util.NewType[bool](true)

diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go
@@ -29,6 +29,7 @@ import (
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
+	"github.com/arangodb/kube-arangodb/pkg/apis/shared"
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
 
@@ -46,7 +47,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 			sc:      nil,
 			secured: true,
 			want: &core.PodSecurityContext{
-				FSGroup: util.NewType[int64](defaultFSGroup),
+				FSGroup: util.NewType[int64](shared.DefaultFSGroup),
 			},
 		},
 		"user secured pod security takes precedence": {
@@ -64,7 +65,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 			},
 			secured: true,
 			want: &core.PodSecurityContext{
-				FSGroup:            util.NewType[int64](defaultFSGroup),
+				FSGroup:            util.NewType[int64](shared.DefaultFSGroup),
 				SupplementalGroups: []int64{1},
 			},
 		},
@@ -168,9 +169,9 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 					Drop: []core.Capability{"ALL"},
 				},
 				ReadOnlyRootFilesystem: util.NewType(true),
-				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
 				RunAsNonRoot:           util.NewType(true),
-				RunAsUser:              util.NewType[int64](defaultRunAsUser),
+				RunAsUser:              util.NewType[int64](shared.DefaultRunAsUser),
 			},
 		},
 		"user unsecured context security": {
@@ -195,7 +196,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 					Drop: []core.Capability{"ALL"},
 				},
 				ReadOnlyRootFilesystem: util.NewType(true),
-				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
 				RunAsNonRoot:           util.NewType(true),
 				RunAsUser:              util.NewType[int64](3001),
 			},
@@ -219,7 +220,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 				},
 				Privileged:             util.NewType(false),
 				ReadOnlyRootFilesystem: util.NewType(true),
-				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
 				RunAsNonRoot:           util.NewType(false),
 				RunAsUser:              util.NewType[int64](3001),
 			},

diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go
@@ -26,15 +26,10 @@ import (
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
+	"github.com/arangodb/kube-arangodb/pkg/apis/shared"
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
 
-const (
-	defaultRunAsUser  = 1000
-	defaultRunAsGroup = 2000
-	defaultFSGroup    = 3000
-)
-
 // ServerGroupSpecSecurityContext contains specification for pod security context
 type ServerGroupSpecSecurityContext struct {
 	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
@@ -147,7 +142,7 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 
 		if psc.FSGroup == nil {
-			psc.FSGroup = util.NewType[int64](defaultFSGroup)
+			psc.FSGroup = util.NewType[int64](shared.DefaultFSGroup)
 		}
 	}
 
@@ -186,10 +181,10 @@ func (s *ServerGroupSpecSecurityContext) NewSecurityContext(secured ...bool) *co
 
 	if len(secured) > 0 && secured[0] {
 		if r.RunAsUser == nil {
-			r.RunAsUser = util.NewType[int64](defaultRunAsUser)
+			r.RunAsUser = util.NewType[int64](shared.DefaultRunAsUser)
 		}
 		if r.RunAsGroup == nil {
-			r.RunAsGroup = util.NewType[int64](defaultRunAsGroup)
+			r.RunAsGroup = util.NewType[int64](shared.DefaultRunAsGroup)
 		}
 		if r.RunAsNonRoot == nil {
 			r.RunAsNonRoot = util.NewType[bool](true)

diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go
@@ -29,6 +29,7 @@ import (
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
+	"github.com/arangodb/kube-arangodb/pkg/apis/shared"
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
 
@@ -46,7 +47,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 			sc:      nil,
 			secured: true,
 			want: &core.PodSecurityContext{
-				FSGroup: util.NewType[int64](defaultFSGroup),
+				FSGroup: util.NewType[int64](shared.DefaultFSGroup),
 			},
 		},
 		"user secured pod security takes precedence": {
@@ -64,7 +65,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 			},
 			secured: true,
 			want: &core.PodSecurityContext{
-				FSGroup:            util.NewType[int64](defaultFSGroup),
+				FSGroup:            util.NewType[int64](shared.DefaultFSGroup),
 				SupplementalGroups: []int64{1},
 			},
 		},
@@ -168,9 +169,9 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 					Drop: []core.Capability{"ALL"},
 				},
 				ReadOnlyRootFilesystem: util.NewType(true),
-				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
 				RunAsNonRoot:           util.NewType(true),
-				RunAsUser:              util.NewType[int64](defaultRunAsUser),
+				RunAsUser:              util.NewType[int64](shared.DefaultRunAsUser),
 			},
 		},
 		"user unsecured context security": {
@@ -195,7 +196,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 					Drop: []core.Capability{"ALL"},
 				},
 				ReadOnlyRootFilesystem: util.NewType(true),
-				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
 				RunAsNonRoot:           util.NewType(true),
 				RunAsUser:              util.NewType[int64](3001),
 			},
@@ -219,7 +220,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 				},
 				Privileged:             util.NewType(false),
 				ReadOnlyRootFilesystem: util.NewType(true),
-				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
 				RunAsNonRoot:           util.NewType(false),
 				RunAsUser:              util.NewType[int64](3001),
 			},

diff --git a/pkg/apis/ml/v1alpha1/storage_s3_spec.go b/pkg/apis/ml/v1alpha1/storage_s3_spec.go
@@ -0,0 +1,58 @@
+//
+// DISCLAIMER
+//
+// Copyright 2023 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1alpha1
+
+import (
+	"github.com/pkg/errors"
+)
+
+type ArangoMLStorageS3Spec struct {
+	// Endpoint specifies the S3 API-compatible endpoint which implements storage
+	// Required
+	Endpoint string `json:"endpoint"`
+	// DisableSSL if set to true, no certificate checks will be performed for Endpoint
+	// +doc/default: false
+	DisableSSL bool `json:"disableSSL,omitempty"`
+	// Region defines the availability zone name. If empty, defaults to 'us-east-1'
+	// +doc/default: ""
+	Region string `json:"region,omitempty"`
+	// BucketName specifies the name of the bucket
+	// Required
+	BucketName string `json:"bucketName"`
+	// CredentialsSecretName specifies the name of the secret containing AccessKey and SecretKey for S3 API authorization
+	// Required
+	CredentialsSecretName string `json:"credentialsSecret"`
+}
+
+func (s *ArangoMLStorageS3Spec) Validate() error {
+	if s.BucketName == "" {
+		return errors.New("S3 BucketName must be not empty")
+	}
+
+	if s.Endpoint == "" {
+		return errors.New("S3 Endpoint must be not empty")
+	}
+
+	if s.CredentialsSecretName == "" {
+		return errors.New("S3 CredentialsSecretName must be not empty")
+	}
+	return nil
+}
diff --git a/pkg/apis/ml/v1alpha1/storage_spec.go b/pkg/apis/ml/v1alpha1/storage_spec.go
@@ -20,5 +20,48 @@
 
 package v1alpha1
 
+import (
+	"github.com/pkg/errors"
+	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+)
+
 type ArangoMLStorageSpec struct {
+	// ListenPort defines on which port the sidecar container will be listening for connections
+	// +doc/default: 9201
+	ListenPort *uint16 `json:"listenPort,omitempty"`
+
+	// Resources holds resource requests & limits for container running the S3 proxy
+	// +doc/type: core.ResourceRequirements
+	// +doc/link: Documentation of core.ResourceRequirements|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core
+	Resources core.ResourceRequirements `json:"resources,omitempty"`
+
+	S3 *ArangoMLStorageS3Spec `json:"s3,omitempty"`
+}
+
+func (s *ArangoMLStorageSpec) Validate() error {
+	if s.S3 == nil {
+		return errors.New("Currently only s3 storage type is supported")
+	}
+
+	return s.S3.Validate()
+}
+
+// SetDefaults fills in missing defaults
+func (s *ArangoMLStorageSpec) SetDefaults() {
+	if s == nil {
+		return
+	}
+
+	resources := s.Resources
+	if len(resources.Requests) == 0 {
+		resources.Requests = make(core.ResourceList)
+		resources.Requests[core.ResourceCPU] = resource.MustParse("100m")
+		resources.Requests[core.ResourceMemory] = resource.MustParse("100m")
+	}
+	if len(resources.Limits) == 0 {
+		resources.Limits = make(core.ResourceList)
+		resources.Limits[core.ResourceCPU] = resource.MustParse("250m")
+		resources.Limits[core.ResourceMemory] = resource.MustParse("250m")
+	}
 }