Merge pull request #297 from zzxwill/inline-credentials

Support inline credentials besides provider
kubevela · May 10, 2022 · 50994f3 · 50994f3
2 parents 80fa089 + d40417a
commit 50994f3
Show file tree

Hide file tree

Showing 12 changed files with 217 additions and 142 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -151,3 +151,11 @@ Bucket Number is: 0
 
 0.030917(s) elapsed
 ```
+
+## Generate CRDs
+
+```shell
+$ make manifests
+go: creating new go.mod: module tmp
+/Users/zhouzhengxi/go/bin/controller-gen "crd:trivialVersions=true" webhook paths="./..." output:crd:artifacts:config=chart/crds
+```
diff --git a/api/v1beta2/configuration_types.go b/api/v1beta2/configuration_types.go
@@ -58,6 +58,15 @@ type BaseConfigurationSpec struct {
 	// ProviderReference specifies the reference to Provider
 	ProviderReference *types.Reference `json:"providerRef,omitempty"`
 
+	// InlineCredentials specifies the credentials in spec.HCl field as below.
+	//	provider "aws" {
+	//		region     = "us-west-2"
+	//		access_key = "my-access-key"
+	//		secret_key = "my-secret-key"
+	//	}
+	// Or indicates a Terraform module or configuration don't need credentials at all, like provider `random`
+	InlineCredentials bool `json:"inlineCredentials,omitempty"`
+
 	// DeleteResource will determine whether provisioned cloud resources will be deleted when CR is deleted
 	// +kubebuilder:default:=true
 	DeleteResource bool `json:"deleteResource,omitempty"`

diff --git a/chart/crds/terraform.core.oam.dev_configurations.yaml b/chart/crds/terraform.core.oam.dev_configurations.yaml
@@ -215,6 +215,13 @@ spec:
               hcl:
                 description: HCL is the Terraform HCL type configuration
                 type: string
+              inlineCredentials:
+                description: "InlineCredentials specifies the credentials in spec.HCl
+                  field as below. \tprovider \"aws\" { \t\tregion     = \"us-west-2\"
+                  \t\taccess_key = \"my-access-key\" \t\tsecret_key = \"my-secret-key\"
+                  \t} Or indicates a Terraform module or configuration don't need
+                  credentials at all, like provider `random`"
+                type: boolean
               path:
                 description: Path is the sub-directory of remote git repository.
                 type: string

diff --git a/controllers/configuration/configuration.go b/controllers/configuration/configuration.go
@@ -113,15 +113,17 @@ func Get(ctx context.Context, k8sClient client.Client, namespacedName apitypes.N
 // IsDeletable will check whether the Configuration can be deleted immediately
 // If deletable, it means no external cloud resources are provisioned
 func IsDeletable(ctx context.Context, k8sClient client.Client, configuration *v1beta2.Configuration) (bool, error) {
-	providerRef := GetProviderNamespacedName(*configuration)
-	providerObj, err := provider.GetProviderFromConfiguration(ctx, k8sClient, providerRef.Namespace, providerRef.Name)
-	if err != nil {
-		return false, err
-	}
-	// allow Configuration to delete when the Provider doesn't exist or is not ready, which means external cloud resources are
-	// not provisioned at all
-	if providerObj == nil || providerObj.Status.State == types.ProviderIsNotReady || configuration.Status.Apply.State == types.TerraformInitError {
-		return true, nil
+	if !configuration.Spec.InlineCredentials {
+		providerRef := GetProviderNamespacedName(*configuration)
+		providerObj, err := provider.GetProviderFromConfiguration(ctx, k8sClient, providerRef.Namespace, providerRef.Name)
+		if err != nil {
+			return false, err
+		}
+		// allow Configuration to delete when the Provider doesn't exist or is not ready, which means external cloud resources are
+		// not provisioned at all
+		if providerObj == nil || providerObj.Status.State == types.ProviderIsNotReady || configuration.Status.Apply.State == types.TerraformInitError {
+			return true, nil
+		}
 	}
 
 	if configuration.Status.Apply.State == types.ConfigurationProvisioningAndChecking {

diff --git a/controllers/configuration/configuration_test.go b/controllers/configuration/configuration_test.go
@@ -279,6 +279,31 @@ func TestIsDeletable(t *testing.T) {
 		Name:      "default",
 		Namespace: "default",
 	}
+	configuration.Spec.InlineCredentials = false
+
+	defaultConfiguration := &v1beta2.Configuration{}
+	defaultConfiguration.Spec.InlineCredentials = false
+
+	provisioningConfiguration := &v1beta2.Configuration{
+		Status: v1beta2.ConfigurationStatus{
+			Apply: v1beta2.ConfigurationApplyStatus{
+				State: types.ConfigurationProvisioningAndChecking,
+			},
+		},
+	}
+	provisioningConfiguration.Spec.InlineCredentials = false
+
+	readyConfiguration := &v1beta2.Configuration{
+		Status: v1beta2.ConfigurationStatus{
+			Apply: v1beta2.ConfigurationApplyStatus{
+				State: types.Available,
+			},
+		},
+	}
+	readyConfiguration.Spec.InlineCredentials = false
+
+	inlineConfiguration := &v1beta2.Configuration{}
+	inlineConfiguration.Spec.InlineCredentials = true
 
 	type args struct {
 		configuration *v1beta2.Configuration
@@ -297,7 +322,7 @@ func TestIsDeletable(t *testing.T) {
 			name: "provider is not found",
 			args: args{
 				k8sClient:     k8sClient1,
-				configuration: &v1beta2.Configuration{},
+				configuration: defaultConfiguration,
 			},
 			want: want{
 				deletable: true,
@@ -307,7 +332,7 @@ func TestIsDeletable(t *testing.T) {
 			name: "provider is not ready, use default providerRef",
 			args: args{
 				k8sClient:     k8sClient2,
-				configuration: &v1beta2.Configuration{},
+				configuration: defaultConfiguration,
 			},
 			want: want{
 				deletable: true,
@@ -326,14 +351,8 @@ func TestIsDeletable(t *testing.T) {
 		{
 			name: "configuration is provisioning",
 			args: args{
-				k8sClient: k8sClient3,
-				configuration: &v1beta2.Configuration{
-					Status: v1beta2.ConfigurationStatus{
-						Apply: v1beta2.ConfigurationApplyStatus{
-							State: types.ConfigurationProvisioningAndChecking,
-						},
-					},
-				},
+				k8sClient:     k8sClient3,
+				configuration: provisioningConfiguration,
 			},
 			want: want{
 				errMsg: "Destroy could not complete and needs to wait for Provision to complete first",
@@ -342,27 +361,31 @@ func TestIsDeletable(t *testing.T) {
 		{
 			name: "configuration is ready",
 			args: args{
-				k8sClient: k8sClient3,
-				configuration: &v1beta2.Configuration{
-					Status: v1beta2.ConfigurationStatus{
-						Apply: v1beta2.ConfigurationApplyStatus{
-							State: types.Available,
-						},
-					},
-				},
+				k8sClient:     k8sClient3,
+				configuration: readyConfiguration,
 			},
 			want: want{},
 		},
 		{
 			name: "failed to get provider",
 			args: args{
 				k8sClient:     k8sClient4,
-				configuration: &v1beta2.Configuration{},
+				configuration: defaultConfiguration,
 			},
 			want: want{
 				errMsg: "failed to get Provider object",
 			},
 		},
+		{
+			name: "no provider is needed",
+			args: args{
+				k8sClient:     k8sClient4,
+				configuration: inlineConfiguration,
+			},
+			want: want{
+				deletable: false,
+			},
+		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {

diff --git a/controllers/configuration_controller.go b/controllers/configuration_controller.go
@@ -267,7 +267,9 @@ func initTFConfigurationMeta(req ctrl.Request, configuration v1beta2.Configurati
 		meta.RemoteGitPath = configuration.Spec.Path
 	}
 
-	meta.ProviderReference = tfcfg.GetProviderNamespacedName(configuration)
+	if !configuration.Spec.InlineCredentials {
+		meta.ProviderReference = tfcfg.GetProviderNamespacedName(configuration)
+	}
 
 	// Check the existence of Terraform state secret which is used to store TF state file. For detailed information,
 	// please refer to https://www.terraform.io/docs/language/settings/backends/kubernetes.html#configuration-variables
@@ -519,20 +521,22 @@ func (r *ConfigurationReconciler) preCheck(ctx context.Context, configuration *v
 	}
 
 	// Check provider
-	p, err := provider.GetProviderFromConfiguration(ctx, k8sClient, meta.ProviderReference.Namespace, meta.ProviderReference.Name)
-	if p == nil {
-		msg := types.ErrProviderNotFound
-		if err != nil {
-			msg = err.Error()
-		}
-		if updateStatusErr := meta.updateApplyStatus(ctx, k8sClient, types.Authorizing, msg); updateStatusErr != nil {
-			return errors.Wrap(updateStatusErr, msg)
+	if !configuration.Spec.InlineCredentials {
+		p, err := provider.GetProviderFromConfiguration(ctx, k8sClient, meta.ProviderReference.Namespace, meta.ProviderReference.Name)
+		if p == nil {
+			msg := types.ErrProviderNotFound
+			if err != nil {
+				msg = err.Error()
+			}
+			if updateStatusErr := meta.updateApplyStatus(ctx, k8sClient, types.Authorizing, msg); updateStatusErr != nil {
+				return errors.Wrap(updateStatusErr, msg)
+			}
+			return errors.New(msg)
 		}
-		return errors.New(msg)
-	}
 
-	if err := meta.getCredentials(ctx, k8sClient, p); err != nil {
-		return err
+		if err := meta.getCredentials(ctx, k8sClient, p); err != nil {
+			return err
+		}
 	}
 
 	// Check whether env changes
@@ -953,7 +957,7 @@ func (meta *TFConfigurationMeta) prepareTFVariables(configuration *v1beta2.Confi
 	if configuration == nil {
 		return errors.New("configuration is nil")
 	}
-	if meta.ProviderReference == nil {
+	if !configuration.Spec.InlineCredentials && meta.ProviderReference == nil {
 		return errors.New("The referenced provider could not be retrieved")
 	}
 
@@ -972,7 +976,7 @@ func (meta *TFConfigurationMeta) prepareTFVariables(configuration *v1beta2.Confi
 		envs = append(envs, v1.EnvVar{Name: k, ValueFrom: valueFrom})
 	}
 
-	if meta.Credentials == nil {
+	if !configuration.Spec.InlineCredentials && meta.Credentials == nil {
 		return errors.New(provider.ErrCredentialNotRetrieved)
 	}
 	for k, v := range meta.Credentials {
@@ -981,10 +985,6 @@ func (meta *TFConfigurationMeta) prepareTFVariables(configuration *v1beta2.Confi
 		valueFrom.SecretKeyRef.Name = meta.VariableSecretName
 		envs = append(envs, v1.EnvVar{Name: k, ValueFrom: valueFrom})
 	}
-	// make sure the env of the Job is set
-	if envs == nil {
-		return errors.New(provider.ErrCredentialNotRetrieved)
-	}
 	meta.Envs = envs
 	meta.VariableSecretData = data
 

diff --git a/controllers/configuration_controller_test.go b/controllers/configuration_controller_test.go
@@ -17,10 +17,8 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -34,7 +32,6 @@ import (
 
 	"github.com/oam-dev/terraform-controller/api/types"
 	crossplane "github.com/oam-dev/terraform-controller/api/types/crossplane-runtime"
-	runtimetypes "github.com/oam-dev/terraform-controller/api/types/crossplane-runtime"
 	"github.com/oam-dev/terraform-controller/api/v1beta1"
 	"github.com/oam-dev/terraform-controller/api/v1beta2"
 	"github.com/oam-dev/terraform-controller/controllers/provider"
@@ -60,6 +57,7 @@ func TestInitTFConfigurationMeta(t *testing.T) {
 		Name:      "xxx",
 		Namespace: "default",
 	}
+	completeConfiguration.Spec.InlineCredentials = false
 
 	testcases := []struct {
 		name          string
@@ -1388,7 +1386,7 @@ func TestGetTFOutputs(t *testing.T) {
 	configuration4 := v1beta2.Configuration{
 		Spec: v1beta2.ConfigurationSpec{
 			BaseConfigurationSpec: v1beta2.BaseConfigurationSpec{
-				WriteConnectionSecretToReference: &runtimetypes.SecretReference{
+				WriteConnectionSecretToReference: &crossplane.SecretReference{
 					Name:      "connection-secret-c",
 					Namespace: "default",
 				},
@@ -1431,7 +1429,7 @@ func TestGetTFOutputs(t *testing.T) {
 		},
 		Spec: v1beta2.ConfigurationSpec{
 			BaseConfigurationSpec: v1beta2.BaseConfigurationSpec{
-				WriteConnectionSecretToReference: &runtimetypes.SecretReference{
+				WriteConnectionSecretToReference: &crossplane.SecretReference{
 					Name:      "connection-secret-d",
 					Namespace: "default",
 				},
@@ -1476,7 +1474,7 @@ func TestGetTFOutputs(t *testing.T) {
 		},
 		Spec: v1beta2.ConfigurationSpec{
 			BaseConfigurationSpec: v1beta2.BaseConfigurationSpec{
-				WriteConnectionSecretToReference: &runtimetypes.SecretReference{
+				WriteConnectionSecretToReference: &crossplane.SecretReference{
 					Name:      "connection-secret-e",
 					Namespace: "default",
 				},
@@ -1523,7 +1521,7 @@ func TestGetTFOutputs(t *testing.T) {
 		},
 		Spec: v1beta2.ConfigurationSpec{
 			BaseConfigurationSpec: v1beta2.BaseConfigurationSpec{
-				WriteConnectionSecretToReference: &runtimetypes.SecretReference{
+				WriteConnectionSecretToReference: &crossplane.SecretReference{
 					Name:      "connection-secret-e",
 					Namespace: "default",
 				},
@@ -1565,7 +1563,7 @@ func TestGetTFOutputs(t *testing.T) {
 		},
 		Spec: v1beta2.ConfigurationSpec{
 			BaseConfigurationSpec: v1beta2.BaseConfigurationSpec{
-				WriteConnectionSecretToReference: &runtimetypes.SecretReference{
+				WriteConnectionSecretToReference: &crossplane.SecretReference{
 					Name:      "connection-secret-d",
 					Namespace: "default",
 				},