Add a feature to introduce BucketPolicy (#233)

* Add bucketPolicy in type

* mod

* add new APIs in s3 backend

* add policies in RGW

* add policy

* policy

* lint

* tidy

* remove unnecessary prefix 'Bucket'

* remove meaningless comments

* add error messages

* add PolicyClient to subresourceClient

* fix code block in DEVELOPMENT

apis/provider-ceph/v1alpha1/bucket_types.go

@@ -85,6 +85,12 @@ type BucketParameters struct {
 	// AssumeRoleTags may be used to add custom values to an AssumeRole request.
 	// +optional
 	AssumeRoleTags []Tag `json:"assumeRoleTags,omitempty"`
+
+	// Policy is a JSON string of BucketPolicy.
+	// If it is set, Provider-Ceph calls PutBucketPolicy API after creating the bucket.
+	// Before adding it, you should validate the JSON string.
+	// +optional
+	Policy string `json:"policy,omitempty"`
 }
 
 // BackendInfo contains relevant information about an S3 backend for

docs/DEVELOPMENT.md

@@ -20,7 +20,7 @@ Spin up the test environment, but without Localstack and use your own external C
 
 ```
 AWS_ACCESS_KEY_ID=<your-access-key> AWS_SECRET_ACCESS_KEY=<yoursecret-key> CEPH_ADDRESS=<your-ceph-cluster-address> make dev-ceph
-`
+```
 
 In either case, after you've made some changes, kill (Ctrl+C) the existing `provider-ceph` and re-run it:
 

internal/backendstore/backend.go

@@ -41,6 +41,9 @@ type S3Client interface {
 	DeleteBucketLifecycle(context.Context, *s3.DeleteBucketLifecycleInput, ...func(*s3.Options)) (*s3.DeleteBucketLifecycleOutput, error)
 	GetBucketAcl(context.Context, *s3.GetBucketAclInput, ...func(*s3.Options)) (*s3.GetBucketAclOutput, error)
 	PutBucketAcl(context.Context, *s3.PutBucketAclInput, ...func(*s3.Options)) (*s3.PutBucketAclOutput, error)
+	PutBucketPolicy(context.Context, *s3.PutBucketPolicyInput, ...func(*s3.Options)) (*s3.PutBucketPolicyOutput, error)
+	GetBucketPolicy(context.Context, *s3.GetBucketPolicyInput, ...func(*s3.Options)) (*s3.GetBucketPolicyOutput, error)
+	DeleteBucketPolicy(context.Context, *s3.DeleteBucketPolicyInput, ...func(*s3.Options)) (*s3.DeleteBucketPolicyOutput, error)
 }
 
 //counterfeiter:generate . STSClient

internal/controller/bucket/consts.go

@@ -24,5 +24,9 @@ const (
 	errObserveAcl = "failed to observe bucket acl"
 	errHandleAcl  = "failed to handle bucket acl"
 
+	// Policy error messages.
+	errObservePolicy = "failed to observe bucket policy"
+	errHandlePolicy  = "failed to handle bucket policy"
+
 	True = "true"
 )

internal/controller/bucket/lifecycleconfiguration.go

@@ -32,11 +32,11 @@ type LifecycleConfigurationClient struct {
 	log             logging.Logger
 }
 
-// NewLifecycleConfigurationClient creates the client for Accelerate Configuration
 func NewLifecycleConfigurationClient(b *backendstore.BackendStore, h *s3clienthandler.Handler, l logging.Logger) *LifecycleConfigurationClient {
 	return &LifecycleConfigurationClient{backendStore: b, s3ClientHandler: h, log: l}
 }
 
+//nolint:dupl // LifecycleConfiguration and Policy are different feature.
 func (l *LifecycleConfigurationClient) Observe(ctx context.Context, bucket *v1alpha1.Bucket, backendNames []string) (ResourceStatus, error) {
 	ctx, span := otel.Tracer("").Start(ctx, "bucket.LifecycleConfigurationClient.Observe")
 	defer span.End()