Support Bucket policy (aws-controllers-k8s#36)
Adds support for creating, updating and deleting bucket Policy. This field is simply a JSON string that applies IAM permissions to objects in the bucket.

This is the first `Put*` field implemented so far that has a separate `Delete*` call, so the logic for `syncBucket` now checks accordingly.
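As an added illustration (not code from this commit or the ACK project), the decision the commit message describes for `syncBucket`: a cleared policy needs the separate `DeleteBucketPolicy` call rather than a Put, and a policy that is only reformatted should not trigger a Put on every reconcile. `PolicyAction`, `planPolicySync` and `canonical` are hypothetical names; the actual SDK calls are left to the caller.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PolicyAction is the S3 call syncBucket has to make for the Policy field.
type PolicyAction int

const (
	PolicyNoop   PolicyAction = iota
	PolicyPut                 // desired policy set and differs from observed
	PolicyDelete              // desired policy cleared, bucket still has one
)

// planPolicySync picks Put, Delete or no-op. Unlike the other Put* fields,
// clearing the policy cannot be expressed as a Put with an empty document;
// it needs the separate DeleteBucketPolicy call.
func planPolicySync(desired, observed string) (PolicyAction, error) {
	if desired == "" {
		if observed == "" {
			return PolicyNoop, nil
		}
		return PolicyDelete, nil
	}
	// The CRD types policy as an opaque string, so the API server never
	// checks it is JSON; fail here rather than inside PutBucketPolicy.
	if !json.Valid([]byte(desired)) {
		return PolicyNoop, fmt.Errorf("spec.policy is not valid JSON")
	}
	if canonical(desired) == canonical(observed) {
		return PolicyNoop, nil // same document: no Put on every reconcile
	}
	return PolicyPut, nil
}

// canonical re-encodes with sorted keys and no whitespace so formatting differences are ignored.
func canonical(doc string) string {
	var v interface{}
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return doc
	}
	b, _ := json.Marshal(v)
	return string(b)
}

func main() {
	a, err := planPolicySync(`{"Version": "2012-10-17", "Statement": []}`, "")
	fmt.Println(a, err)
}
```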
RedbackThomson authored Aug 17, 2021
1 parent 0334a98 commit 830a807
Showing 19 changed files with 750 additions and 25 deletions.
8 changes: 4 additions & 4 deletions apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,14 +1,14 @@
ack_generate_info:
build_date: "2021-08-12T22:22:41Z"
build_date: "2021-08-12T23:12:20Z"
build_hash: 4d0db1b6f794e5221eb88b052b52a1a95017cf20
go_version: go1.15.6 linux/amd64
version: v0.9.2
api_directory_checksum: a111b8798ffa13b2cf948befafae28feaef463ab
api_directory_checksum: 0d04fca79a5350fa289a4aac8afd284351778233
api_version: v1alpha1
aws_sdk_go_version: v1.37.10
generator_config_info:
file_checksum: 85625c1a8af87eb3bbda9c6764a356bd3751cb31
file_checksum: b3cfb60b1b7154bc50d4c28096dfc75bf35a3767
original_file_name: generator.yaml
last_modification:
reason: API generation
timestamp: 2021-08-12 22:22:48.65031987 +0000 UTC
timestamp: 2021-08-12 23:12:25.389076653 +0000 UTC
2 changes: 2 additions & 0 deletions apis/v1alpha1/bucket.go


8 changes: 4 additions & 4 deletions apis/v1alpha1/generator.yaml
@@ -58,10 +58,10 @@ resources:
from:
operation: PutBucketOwnershipControls
path: OwnershipControls
# Policy:
# from:
# operation: PutBucketPolicy
# path: Policy # Double check about ConfirmRemoveSelfBucketAccess
Policy:
from:
operation: PutBucketPolicy
path: Policy # Double check about ConfirmRemoveSelfBucketAccess
# Replication:
# from:
# operation: PutBucketReplication
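Review bot: the `# Double check about ConfirmRemoveSelfBucketAccess` comment on the `path: Policy` line was carried over verbatim when the block was uncommented, so an open question now ships as live generator config. Settle it before merging: `PutBucketPolicy` accepts `ConfirmRemoveSelfBucketAccess` as the caller's explicit confirmation that a policy may remove its own ability to change the policy later, and a controller that has to keep reconciling the bucket should not be setting it. Either document that the parameter is intentionally not exposed on the resource, or drop the comment once the decision is recorded.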
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go


3 changes: 3 additions & 0 deletions config/crd/bases/s3.services.k8s.aws_buckets.yaml
@@ -194,6 +194,9 @@ spec:
type: object
type: array
type: object
policy:
description: The bucket policy as a JSON document.
type: string
requestPayment:
description: Container for Payer.
properties:
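Review bot: `policy` is typed as a bare `type: string`, so the API server accepts any text and a malformed document only fails later inside `PutBucketPolicy`, surfacing as a reconcile error instead of at `kubectl apply` time. Either extend `description: The bucket policy as a JSON document.` to say the value must be a complete JSON policy document, or have the controller validate it with `json.Valid` before issuing the Put so the user gets an immediate, clear error.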
8 changes: 4 additions & 4 deletions generator.yaml
@@ -58,10 +58,10 @@ resources:
from:
operation: PutBucketOwnershipControls
path: OwnershipControls
# Policy:
# from:
# operation: PutBucketPolicy
# path: Policy # Double check about ConfirmRemoveSelfBucketAccess
Policy:
from:
operation: PutBucketPolicy
path: Policy # Double check about ConfirmRemoveSelfBucketAccess
# Replication:
# from:
# operation: PutBucketReplication
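Review bot: the same carried-over `# Double check about ConfirmRemoveSelfBucketAccess` comment appears here as in `apis/v1alpha1/generator.yaml`; whichever way that question is settled, keep this root `generator.yaml` and the `apis/v1alpha1` copy byte-identical, since drift between the two is easy to miss in review.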
4 changes: 2 additions & 2 deletions helm/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v1
name: ack-s3-controller
name: s3-chart
description: A Helm chart for the ACK service controller for s3
version: v0.0.2
appVersion: v0.0.2
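Review bot: the `name: ack-s3-controller` to `name: s3-chart` rename is unrelated to bucket policy support and is a breaking change for anyone who installed the chart under the old name, yet `version: v0.0.2` is left as is. Split the rename into its own commit or, if it comes from the generator, say so in the commit message and bump the chart version.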
@@ -10,7 +10,7 @@ sources:
maintainers:
- name: ACK Admins
url: https://github.com/orgs/aws-controllers-k8s/teams/ack-admin
- name: S3 Admins
- name: s3 Admins
url: https://github.com/orgs/aws-controllers-k8s/teams/s3-maintainer
keywords:
- aws
239 changes: 234 additions & 5 deletions helm/crds/s3.services.k8s.aws_buckets.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
controller-gen.kubebuilder.io/version: v0.6.1
creationTimestamp: null
name: buckets.s3.services.k8s.aws
spec:
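Review bot: the `controller-gen.kubebuilder.io/version` bump from `v0.4.0` to `v0.6.1` shows `helm/crds/` had gone stale relative to `config/crd/bases/`, which needed only a 3-line change for the same feature. Consider a CI check that diffs the two CRD copies so this kind of drift cannot accumulate unnoticed.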
@@ -34,29 +34,258 @@ spec:
metadata:
type: object
spec:
description: BucketSpec defines the desired state of Bucket
description: "BucketSpec defines the desired state of Bucket. \n In terms
of implementation, a Bucket is a resource. An Amazon S3 bucket name
is globally unique, and the namespace is shared by all AWS accounts."
properties:
accelerate:
description: Container for setting the transfer acceleration state.
properties:
status:
type: string
type: object
acl:
description: The canned ACL to apply to the bucket.
type: string
cors:
description: Describes the cross-origin access configuration for objects
in an Amazon S3 bucket. For more information, see Enabling Cross-Origin
Resource Sharing (https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html)
in the Amazon Simple Storage Service Developer Guide.
properties:
corsRules:
items:
description: Specifies a cross-origin access rule for an Amazon
S3 bucket.
properties:
allowedHeaders:
items:
type: string
type: array
allowedMethods:
items:
type: string
type: array
allowedOrigins:
items:
type: string
type: array
exposeHeaders:
items:
type: string
type: array
maxAgeSeconds:
format: int64
type: integer
type: object
type: array
type: object
createBucketConfiguration:
description: The configuration information for the bucket.
properties:
locationConstraint:
type: string
type: object
encryption:
description: Specifies the default server-side-encryption configuration.
properties:
rules:
items:
description: Specifies the default server-side encryption configuration.
properties:
applyServerSideEncryptionByDefault:
description: Describes the default server-side encryption
to apply to new objects in the bucket. If a PUT Object
request doesn't specify any server-side encryption, this
default encryption will be applied. For more information,
see PUT Bucket encryption (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html)
in the Amazon Simple Storage Service API Reference.
properties:
kmsMasterKeyID:
type: string
sseAlgorithm:
type: string
type: object
bucketKeyEnabled:
type: boolean
type: object
type: array
type: object
grantFullControl:
description: Allows grantee the read, write, read ACP, and write ACP
permissions on the bucket.
type: string
grantRead:
description: Allows grantee to list the objects in the bucket.
type: string
grantReadACP:
description: Allows grantee to read the bucket ACL.
type: string
grantWrite:
description: Allows grantee to create, overwrite, and delete any object
in the bucket.
type: string
grantWriteACP:
description: Allows grantee to write the ACL for the applicable bucket.
type: string
logging:
description: Container for logging status information.
properties:
loggingEnabled:
description: Describes where logs are stored and the prefix that
Amazon S3 assigns to all log object keys for a bucket. For more
information, see PUT Bucket logging (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlogging.html)
in the Amazon Simple Storage Service API Reference.
properties:
targetBucket:
type: string
targetGrants:
items:
description: Container for granting information.
properties:
grantee:
description: Container for the person being granted
permissions.
properties:
displayName:
type: string
emailAddress:
type: string
id:
type: string
type_:
type: string
uRI:
type: string
type: object
permission:
type: string
type: object
type: array
targetPrefix:
type: string
type: object
type: object
name:
description: The name of the bucket to create.
type: string
objectLockEnabledForBucket:
description: Specifies whether you want S3 Object Lock to be enabled
for the new bucket.
type: boolean
ownershipControls:
description: The OwnershipControls (BucketOwnerPreferred or ObjectWriter)
that you want to apply to this Amazon S3 bucket.
properties:
rules:
items:
description: The container element for an ownership control
rule.
properties:
objectOwnership:
description: "The container element for object ownership
for a bucket's ownership controls. \n BucketOwnerPreferred
- Objects uploaded to the bucket change ownership to the
bucket owner if the objects are uploaded with the bucket-owner-full-control
canned ACL. \n ObjectWriter - The uploading account will
own the object if the object is uploaded with the bucket-owner-full-control
canned ACL."
type: string
type: object
type: array
type: object
policy:
description: The bucket policy as a JSON document.
type: string
requestPayment:
description: Container for Payer.
properties:
payer:
type: string
type: object
tagging:
description: Container for the TagSet and Tag elements.
properties:
tagSet:
items:
description: A container of a key value name pair.
properties:
key:
type: string
value:
type: string
type: object
type: array
type: object
versioning:
description: Container for setting the versioning state.
properties:
status:
type: string
type: object
website:
description: Container for the request.
properties:
errorDocument:
description: The error information.
properties:
key:
type: string
type: object
indexDocument:
description: Container for the Suffix element.
properties:
suffix:
type: string
type: object
redirectAllRequestsTo:
description: Specifies the redirect behavior of all requests to
a website endpoint of an Amazon S3 bucket.
properties:
hostName:
type: string
protocol:
type: string
type: object
routingRules:
items:
description: Specifies the redirect behavior and when a redirect
is applied. For more information about routing rules, see
Configuring advanced conditional redirects (https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html#advanced-conditional-redirects)
in the Amazon Simple Storage Service Developer Guide.
properties:
condition:
description: A container for describing a condition that
must be met for the specified redirect to apply. For example,
1. If request is for pages in the /docs folder, redirect
to the /documents folder. 2. If request results in HTTP
error 4xx, redirect request to another host where you
might process the error.
properties:
httpErrorCodeReturnedEquals:
type: string
keyPrefixEquals:
type: string
type: object
redirect:
description: Specifies how requests are redirected. In the
event of an error, you can specify a different error code
to return.
properties:
hostName:
type: string
httpRedirectCode:
type: string
protocol:
type: string
replaceKeyPrefixWith:
type: string
replaceKeyWith:
type: string
type: object
type: object
type: array
type: object
required:
- name
type: object
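Review bot: apart from the `policy` block added next to `requestPayment`, this hunk is description and schema catch-up from the controller-gen bump, which buries the one functional change in over two hundred lines. Regenerating the CRDs in a separate commit first would leave a reviewable diff; as it stands, the `policy` entry should be checked against `config/crd/bases/s3.services.k8s.aws_buckets.yaml`, and it does match (same description, `type: string`).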
@@ -120,10 +349,10 @@ spec:
type: object
type: array
location:
description: Specifies the Region where the bucket will be created.
If you are creating a bucket on the US East (N. Virginia) Region
(us-east-1), you do not need to specify the location.
type: string
required:
- ackResourceMetadata
- conditions
type: object
type: object
served: true