Add support for mapping APIKey manifests into secrets

PROJECT

@@ -20,4 +20,12 @@ resources:
   kind: Datasource
   path: github.com/K-Phoen/dark/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: k8s.kevingomez.fr
+  kind: APIKey
+  path: github.com/K-Phoen/dark/api/v1alpha1
+  version: v1alpha1
 version: "3"

api/v1alpha1/apikey_types.go

@@ -0,0 +1,50 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+// Important: Run "make" to regenerate code after modifying this file
+
+// APIKeySpec defines the desired state of APIKey
+type APIKeySpec struct {
+	// +kubebuilder:validation:Enum=admin;editor;viewer
+	// +kubebuilder:validation:Required
+	Role string `json:"role"`
+}
+
+// APIKeyStatus defines the observed state of APIKey
+type APIKeyStatus struct {
+	Status  string `json:"status"`
+	Message string `json:"message"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:shortName=api-keys;apikeys;api-key;apikey;grafana-api-keys
+//+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+//+kubebuilder:printcolumn:name="Message",type=string,JSONPath=`.status.message`
+
+// APIKey is the Schema for the apikeys API
+type APIKey struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   APIKeySpec   `json:"spec,omitempty"`
+	Status APIKeyStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// APIKeyList contains a list of APIKey
+type APIKeyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []APIKey `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&APIKey{}, &APIKeyList{})
+}

cmd/controller/main.go

@@ -11,6 +11,9 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
+	k8skevingomezfrv1 "github.com/K-Phoen/dark/api/v1"
+	k8skevingomezfrv1alpha1 "github.com/K-Phoen/dark/api/v1alpha1"
+	"github.com/K-Phoen/dark/internal/pkg/controllers"
 	"github.com/K-Phoen/grabana"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
@@ -20,10 +23,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-
-	k8skevingomezfrv1 "github.com/K-Phoen/dark/api/v1"
-	k8skevingomezfrv1alpha1 "github.com/K-Phoen/dark/api/v1alpha1"
-	"github.com/K-Phoen/dark/internal/pkg/controllers"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -104,6 +103,10 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "Datasource")
 		os.Exit(1)
 	}
+	if err = controllers.StartAPIKeyReconciler(logger, mgr, grabanaClient); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "APIKey")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	// liveness and readiness probes

config/crd/bases/k8s.kevingomez.fr_apikeys.yaml

@@ -0,0 +1,82 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: apikeys.k8s.kevingomez.fr
+spec:
+  group: k8s.kevingomez.fr
+  names:
+    kind: APIKey
+    listKind: APIKeyList
+    plural: apikeys
+    shortNames:
+    - api-keys
+    - apikeys
+    - api-key
+    - apikey
+    - grafana-api-keys
+    singular: apikey
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.status
+      name: Status
+      type: string
+    - jsonPath: .status.message
+      name: Message
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIKey is the Schema for the apikeys API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: APIKeySpec defines the desired state of APIKey
+            properties:
+              role:
+                enum:
+                - admin
+                - editor
+                - viewer
+                type: string
+            required:
+            - role
+            type: object
+          status:
+            description: APIKeyStatus defines the observed state of APIKey
+            properties:
+              message:
+                type: string
+              status:
+                type: string
+            required:
+            - message
+            - status
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/kustomization.yaml

@@ -4,19 +4,22 @@
 resources:
 - bases/k8s.kevingomez.fr_grafanadashboards.yaml
 - bases/k8s.kevingomez.fr_datasources.yaml
+- bases/k8s.kevingomez.fr_apikeys.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_grafanadashboards.yaml
 #- patches/webhook_in_datasources.yaml
+#- patches/webhook_in_apikeys.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-operator, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_grafanadashboards.yaml
 #- patches/cainjection_in_datasources.yaml
+#- patches/cainjection_in_apikeys.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/crd/patches/cainjection_in_apikeys.yaml

@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: apikeys.k8s.kevingomez.fr

config/crd/patches/webhook_in_apikeys.yaml

@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: apikeys.k8s.kevingomez.fr
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1

config/rbac/apikey_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit apikeys.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: apikey-editor-role
+rules:
+- apiGroups:
+  - k8s.kevingomez.fr
+  resources:
+  - apikeys
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.kevingomez.fr
+  resources:
+  - apikeys/status
+  verbs:
+  - get

config/rbac/apikey_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view apikeys.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: apikey-viewer-role
+rules:
+- apiGroups:
+  - k8s.kevingomez.fr
+  resources:
+  - apikeys
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - k8s.kevingomez.fr
+  resources:
+  - apikeys/status
+  verbs:
+  - get