Add List/Relist Catalog Restrictions

charts/catalog/templates/controller-manager-deployment.yaml

@@ -78,6 +78,10 @@ spec:
         - --feature-gates
         - AsyncBindingOperations=true
         {{- end }}
+        {{- if .Values.catalogRestrictionsEnabled }}
+        - --feature-gates
+        - CatalogRestrictions=true
+        {{- end }}
         {{- if .Values.namespacedServiceBrokerEnabled }}
         - --feature-gates
         - NamespacedServiceBroker=true

pkg/apis/servicecatalog/types.go

@@ -101,6 +101,59 @@ type CommonServiceBrokerSpec struct {
 	// RelistRequests is a strictly increasing, non-negative integer counter that
 	// can be manually incremented by a user to manually trigger a relist.
 	RelistRequests int64
+
+	// CatalogRestrictions is a set of restrictions on which of a broker's services
+	// and plans have resources created for them.
+	CatalogRestrictions *CatalogRestrictions
+}
+
+// CatalogRestrictions is a set of restrictions on which of a broker's services
+// and plans have resources created for them.
+//
+// Some examples of this object are as follows:
+//
+// This is an example of a whitelist on service externalName.
+// Goal: Only list Services with the externalName of FooService and BarService,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["externalName in (FooService, BarService)"]
+// }
+//
+// This is an example of a blacklist on service externalName.
+// Goal: Allow all services except the ones with the externalName of FooService and BarService,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["externalName notin (FooService, BarService)"]
+// }
+//
+// This whitelists plans called "Demo", and blacklists (but only a single element in
+// the list) a service and a plan.
+// Goal: Allow all plans with the externalName demo, but not AABBCC, and not a specific service by name,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["name!=AABBB-CCDD-EEGG-HIJK"]
+// 		ServicePlan: ["externalName in (Demo)", "name!=AABBCC"]
+// }
+//
+// CatalogRestrictions strings have a special format similar to Label Selectors,
+// except the catalog supports only a very specific property set.
+//
+// The predicate format is expected to be `<property><conditional><requirement>`
+// Check the *Requirements type definition for which <property> strings will be allowed.
+// <conditional> is allowed to be one of the following: ==, !=, in, notin
+// <requirement> will be a string value if `==` or `!=` are used.
+// <requirement> will be a set of string values if `in` or `notin` are used.
+// Multiple predicates are allowed to be chained with a comma (,)
+//
+// ServiceClass allowed property names:
+//   name - the value set to [Cluster]ServiceClass.Name
+//   externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName
+//
+// ServicePlan allowed property names:
+//   name - the value set to [Cluster]ServiceClass.Name
+//   externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName
+type CatalogRestrictions struct {
+	// ServiceClass represents a selector for plans, used to filter catalog re-lists.
+	ServicePlan []string
+	// ServicePlan represents a selector for classes, used to filter catalog re-lists.
+	ServiceClass []string
 }
 
 // ClusterServiceBrokerSpec represents a description of a Broker.

pkg/apis/servicecatalog/v1beta1/conversion.go

@@ -16,7 +16,9 @@ limitations under the License.
 
 package v1beta1
 
-import "fmt"
+import (
+	"fmt"
+)
 
 // These functions are used for field selectors. They are only needed if
 // field selection is made available for types, hence we only have them for

pkg/apis/servicecatalog/v1beta1/filter.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"github.com/kubernetes-incubator/service-catalog/pkg/filter"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+// These are functions to support filtering and are class specific for the ClusterServiceClass and ClusterServicePlan
+// This is where we can add more fields to the labels.Set to support other kinds of catalog filtering.
+
+// ConvertClusterServiceClassToProperties takes a Service Class and pulls out the
+// properties we support for filtering, converting them into a map in the
+// expected format.
+func ConvertClusterServiceClassToProperties(serviceClass *ClusterServiceClass) filter.Properties {
+	if serviceClass == nil {
+		return labels.Set{}
+	}
+	return labels.Set{
+		FilterName:             serviceClass.Name,
+		FilterSpecExternalName: serviceClass.Spec.ExternalName,
+		FilterSpecExternalID:   serviceClass.Spec.ExternalID,
+	}
+}
+
+// ConvertClusterServicePlanToProperties takes a Service Plan and pulls out the
+// properties we support for filtering, converting them into a map in the
+// expected format.
+func ConvertClusterServicePlanToProperties(servicePlan *ClusterServicePlan) filter.Properties {
+	if servicePlan == nil {
+		return labels.Set{}
+	}
+	return labels.Set{
+		FilterName:                        servicePlan.Name,
+		FilterSpecExternalName:            servicePlan.Spec.ExternalName,
+		FilterSpecExternalID:              servicePlan.Spec.ExternalID,
+		FilterSpecClusterServiceClassName: servicePlan.Spec.ClusterServiceClassRef.Name,
+	}
+}

pkg/apis/servicecatalog/v1beta1/filter_test.go

@@ -0,0 +1,111 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"encoding/json"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestConvertClusterServiceClassToProperties(t *testing.T) {
+	cases := []struct {
+		name string
+		sc   *ClusterServiceClass
+		json string
+	}{
+		{
+			name: "nil object",
+			json: "{}",
+		},
+		{
+			name: "normal object",
+			sc: &ClusterServiceClass{
+				ObjectMeta: metav1.ObjectMeta{Name: "service-class"},
+				Spec: ClusterServiceClassSpec{
+					CommonServiceClassSpec: CommonServiceClassSpec{
+						ExternalName: "external-class-name",
+						ExternalID:   "external-id",
+					},
+				},
+			},
+			json: `{"name":"service-class","spec.externalID":"external-id","spec.externalName":"external-class-name"}`,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			p := ConvertClusterServiceClassToProperties(tc.sc)
+			if p == nil {
+				t.Fatalf("Failed to create Properties object from %+v", tc.sc)
+			}
+			b, err := json.Marshal(p)
+			if err != nil {
+				t.Fatalf("Unexpected error with json marchal, %v", err)
+			}
+			js := string(b)
+			if js != tc.json {
+				t.Fatalf("Failed to create expected Properties object,\n\texpected: \t%q,\n \tgot: \t\t%q", tc.json, js)
+			}
+		})
+	}
+}
+
+func TestConvertClusterServicePlanToProperties(t *testing.T) {
+	cases := []struct {
+		name string
+		sp   *ClusterServicePlan
+		json string
+	}{
+		{
+			name: "nil object",
+			json: "{}",
+		},
+		{
+			name: "normal object",
+			sp: &ClusterServicePlan{
+				ObjectMeta: metav1.ObjectMeta{Name: "service-plan"},
+				Spec: ClusterServicePlanSpec{
+					CommonServicePlanSpec: CommonServicePlanSpec{
+						ExternalName: "external-plan-name",
+						ExternalID:   "external-id",
+					},
+					ClusterServiceClassRef: ClusterObjectReference{
+						Name: "cluster-service-class-name",
+					},
+				},
+			},
+			json: `{"name":"service-plan","spec.clusterServiceClass.name":"cluster-service-class-name","spec.externalID":"external-id","spec.externalName":"external-plan-name"}`,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			p := ConvertClusterServicePlanToProperties(tc.sp)
+			if p == nil {
+				t.Fatalf("Failed to create Properties object from %+v", tc.sp)
+			}
+			b, err := json.Marshal(p)
+			if err != nil {
+				t.Fatalf("Unexpected error with json marchal, %v", err)
+			}
+			js := string(b)
+			if js != tc.json {
+				t.Fatalf("Failed to create expected Properties object,\n\texpected: \t%q,\n \tgot: \t\t%q", tc.json, js)
+			}
+		})
+	}
+}

pkg/apis/servicecatalog/v1beta1/types.go

@@ -121,6 +121,60 @@ type CommonServiceBrokerSpec struct {
 	// can be manually incremented by a user to manually trigger a relist.
 	// +optional
 	RelistRequests int64 `json:"relistRequests"`
+
+	// CatalogRestrictions is a set of restrictions on which of a broker's services
+	// and plans have resources created for them.
+	// +optional
+	CatalogRestrictions *CatalogRestrictions `json:"catalogRestrictions,omitempty"`
+}
+
+// CatalogRestrictions is a set of restrictions on which of a broker's services
+// and plans have resources created for them.
+//
+// Some examples of this object are as follows:
+//
+// This is an example of a whitelist on service externalName.
+// Goal: Only list Services with the externalName of FooService and BarService,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["externalName in (FooService, BarService)"]
+// }
+//
+// This is an example of a blacklist on service externalName.
+// Goal: Allow all services except the ones with the externalName of FooService and BarService,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["externalName notin (FooService, BarService)"]
+// }
+//
+// This whitelists plans called "Demo", and blacklists (but only a single element in
+// the list) a service and a plan.
+// Goal: Allow all plans with the externalName demo, but not AABBCC, and not a specific service by name,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["name!=AABBB-CCDD-EEGG-HIJK"]
+// 		ServicePlan: ["externalName in (Demo)", "name!=AABBCC"]
+// }
+//
+// CatalogRestrictions strings have a special format similar to Label Selectors,
+// except the catalog supports only a very specific property set.
+//
+// The predicate format is expected to be `<property><conditional><requirement>`
+// Check the *Requirements type definition for which <property> strings will be allowed.
+// <conditional> is allowed to be one of the following: ==, !=, in, notin
+// <requirement> will be a string value if `==` or `!=` are used.
+// <requirement> will be a set of string values if `in` or `notin` are used.
+// Multiple predicates are allowed to be chained with a comma (,)
+//
+// ServiceClass allowed property names:
+//   name - the value set to [Cluster]ServiceClass.Name
+//   externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName
+//
+// ServicePlan allowed property names:
+//   name - the value set to [Cluster]ServiceClass.Name
+//   externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName
+type CatalogRestrictions struct {
+	// ServiceClass represents a selector for plans, used to filter catalog re-lists.
+	ServiceClass []string `json:"serviceClass,omitempty"`
+	// ServicePlan represents a selector for classes, used to filter catalog re-lists.
+	ServicePlan []string `json:"servicePlan,omitempty"`
 }
 
 // ClusterServiceBrokerSpec represents a description of a Broker.
@@ -1250,6 +1304,18 @@ type ClusterObjectReference struct {
 	Name string `json:"name,omitempty"`
 }
 
+// Filter path for Properties
+const (
+	// Name field.
+	FilterName = "name"
+	// SpecExternalName is the external name of the object.
+	FilterSpecExternalName = "spec.externalName"
+	// SpecExternalID is the external id of the object.
+	FilterSpecExternalID = "spec.externalID"
+	// SpecClusterServiceClassName is only used for plans, the parent service class name.
+	FilterSpecClusterServiceClassName = "spec.clusterServiceClass.name"
+)
+
 // SecretTransform is a single transformation that is applied to the
 // credentials returned from the broker before they are inserted into
 // the Secret associated with the ServiceBinding.