ApplicationCredential Actuator and Status

On-behalf-of: SAP nils.gondermann@sap.com

Author: gndrmnn

internal/controllers/applicationcredential/actuator.go

@@ -18,6 +18,7 @@ package applicationcredential
 
 import (
 	"context"
+	"fmt"
 	"iter"
 
 	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials"
@@ -29,7 +30,6 @@ import (
 	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/interfaces"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/progress"
-	"github.com/k-orc/openstack-resource-controller/v2/internal/logging"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/osclients"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/util/dependency"
 	orcerrors "github.com/k-orc/openstack-resource-controller/v2/internal/util/errors"
@@ -41,7 +41,6 @@ type (
 
 	createResourceActuator = interfaces.CreateResourceActuator[orcObjectPT, orcObjectT, filterT, osResourceT]
 	deleteResourceActuator = interfaces.DeleteResourceActuator[orcObjectPT, orcObjectT, osResourceT]
-	resourceReconciler     = interfaces.ResourceReconciler[orcObjectPT, osResourceT]
 	helperFactory          = interfaces.ResourceHelperFactory[orcObjectPT, orcObjectT, resourceSpecT, filterT, osResourceT]
 )
 
@@ -65,33 +64,54 @@ func (actuator applicationcredentialActuator) GetOSResourceByID(ctx context.Cont
 	return resource, nil
 }
 
+func (actuator applicationcredentialActuator) ResolveUserIDDependency(ctx context.Context, orcObject orcObjectPT) (*string, progress.ReconcileStatus) {
+	user, rs := userDependency.GetDependency(
+		ctx, actuator.k8sClient, orcObject, func(dep *orcv1alpha1.User) bool {
+			return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil
+		},
+	)
+
+	if user == nil {
+		return nil, rs
+	}
+
+	return user.Status.ID, rs
+}
+
 func (actuator applicationcredentialActuator) ListOSResourcesForAdoption(ctx context.Context, orcObject orcObjectPT) (iter.Seq2[*osResourceT, error], bool) {
 	resourceSpec := orcObject.Spec.Resource
 	if resourceSpec == nil {
 		return nil, false
 	}
 
-	// TODO(scaffolding) If you need to filter resources on fields that the List() function
-	// of gophercloud does not support, it's possible to perform client-side filtering.
-	// Check osclients.ResourceFilter
+	user, _ := dependency.FetchDependency(
+		ctx, actuator.k8sClient, orcObject.Namespace,
+		&resourceSpec.UserRef, "User",
+		func(dep *orcv1alpha1.User) bool { return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil },
+	)
+
+	var filters []osclients.ResourceFilter[osResourceT]
+
+	// Add client-side filters
+	if resourceSpec.Description != nil {
+		filters = append(filters, func(f *applicationcredentials.ApplicationCredential) bool {
+			return f.Description == *resourceSpec.Description
+		})
+	}
 
 	listOpts := applicationcredentials.ListOpts{
-		Name:        getResourceName(orcObject),
-		Description: ptr.Deref(resourceSpec.Description, ""),
+		Name: getResourceName(orcObject),
 	}
 
-	return actuator.osClient.ListApplicationCredentials(ctx, listOpts), true
+	return actuator.listOSResources(ctx, ptr.Deref(user.Status.ID, ""), filters, listOpts), true
 }
 
 func (actuator applicationcredentialActuator) ListOSResourcesForImport(ctx context.Context, obj orcObjectPT, filter filterT) (iter.Seq2[*osResourceT, error], progress.ReconcileStatus) {
-	// TODO(scaffolding) If you need to filter resources on fields that the List() function
-	// of gophercloud does not support, it's possible to perform client-side filtering.
-	// Check osclients.ResourceFilter
 	var reconcileStatus progress.ReconcileStatus
 
 	user, rs := dependency.FetchDependency(
 		ctx, actuator.k8sClient, obj.Namespace,
-		filter.UserRef, "User",
+		&filter.UserRef, "User",
 		func(dep *orcv1alpha1.User) bool { return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil },
 	)
 	reconcileStatus = reconcileStatus.WithReconcileStatus(rs)
@@ -100,14 +120,25 @@ func (actuator applicationcredentialActuator) ListOSResourcesForImport(ctx conte
 		return nil, reconcileStatus
 	}
 
+	var filters []osclients.ResourceFilter[osResourceT]
+
+	// Add client-side filters
+	if filter.Description != nil {
+		filters = append(filters, func(f *applicationcredentials.ApplicationCredential) bool {
+			return f.Description == *filter.Description
+		})
+	}
+
 	listOpts := applicationcredentials.ListOpts{
-		Name:        string(ptr.Deref(filter.Name, "")),
-		Description: string(ptr.Deref(filter.Description, "")),
-		UserID:  ptr.Deref(user.Status.ID, ""),
-		// TODO(scaffolding): Add more import filters
+		Name: string(ptr.Deref(filter.Name, "")),
 	}
 
-	return actuator.osClient.ListApplicationCredentials(ctx, listOpts), reconcileStatus
+	return actuator.listOSResources(ctx, ptr.Deref(user.Status.ID, ""), filters, listOpts), nil
+}
+
+func (actuator applicationcredentialActuator) listOSResources(ctx context.Context, userID string, filters []osclients.ResourceFilter[osResourceT], listOpts applicationcredentials.ListOptsBuilder) iter.Seq2[*applicationcredentials.ApplicationCredential, error] {
+	applicationCredentials := actuator.osClient.ListApplicationCredentials(ctx, userID, listOpts)
+	return osclients.Filter(applicationCredentials, filters...)
 }
 
 func (actuator applicationcredentialActuator) CreateResource(ctx context.Context, obj orcObjectPT) (*osResourceT, progress.ReconcileStatus) {
@@ -118,116 +149,129 @@ func (actuator applicationcredentialActuator) CreateResource(ctx context.Context
 		return nil, progress.WrapError(
 			orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "Creation requested, but spec.resource is not set"))
 	}
+
 	var reconcileStatus progress.ReconcileStatus
 
-	var userID string
-        user, userDepRS := userDependency.GetDependency(
-                ctx, actuator.k8sClient, obj, func(dep *orcv1alpha1.User) bool {
-                        return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil
-                },
-        )
-        reconcileStatus = reconcileStatus.WithReconcileStatus(userDepRS)
-        if user != nil {
-                userID = ptr.Deref(user.Status.ID, "")
-        }
-	if needsReschedule, _ := reconcileStatus.NeedsReschedule(); needsReschedule {
-		return nil, reconcileStatus
-	}
-	createOpts := applicationcredentials.CreateOpts{
-		Name:        getResourceName(obj),
-		Description: ptr.Deref(resource.Description, ""),
-		UserID:  userID,
-		// TODO(scaffolding): Add more fields
-	}
+	user, userDepRS := userDependency.GetDependency(
+		ctx, actuator.k8sClient, obj, func(dep *orcv1alpha1.User) bool {
+			return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil
+		},
+	)
 
-	osResource, err := actuator.osClient.CreateApplicationCredential(ctx, createOpts)
-	if err != nil {
-		// We should require the spec to be updated before retrying a create which returned a conflict
-		if !orcerrors.IsRetryable(err) {
-			err = orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "invalid configuration creating resource: "+err.Error(), err)
+	rolesMap, roleDepRs := roleDependency.GetDependencies(
+		ctx, actuator.k8sClient, obj, func(dep *orcv1alpha1.Role) bool {
+			return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil
+		},
+	)
+
+	serviceMap, serviceDepRS := serviceDependency.GetDependencies(
+		ctx, actuator.k8sClient, obj, func(dep *orcv1alpha1.Service) bool {
+			return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil
+		},
+	)
+
+	secret, secretReconcileStatus := dependency.FetchDependency(
+		ctx, actuator.k8sClient, obj.Namespace,
+		&resource.SecretRef, "Secret",
+		func(*corev1.Secret) bool { return true }, // Secrets don't have availability status
+	)
+
+	var secretData []byte
+	if secretReconcileStatus == nil {
+		var ok bool
+		secretData, ok = secret.Data["value"]
+		if !ok {
+			reconcileStatus = reconcileStatus.WithReconcileStatus(
+				progress.NewReconcileStatus().WithProgressMessage("Application credential secret does not contain \"value\" key"))
 		}
-		return nil, progress.WrapError(err)
 	}
 
-	return osResource, nil
-}
-
-func (actuator applicationcredentialActuator) DeleteResource(ctx context.Context, _ orcObjectPT, resource *osResourceT) progress.ReconcileStatus {
-	return progress.WrapError(actuator.osClient.DeleteApplicationCredential(ctx, resource.ID))
-}
+	reconcileStatus = reconcileStatus.
+		WithReconcileStatus(userDepRS).
+		WithReconcileStatus(roleDepRs).
+		WithReconcileStatus(serviceDepRS).
+		WithReconcileStatus(secretReconcileStatus)
 
-func (actuator applicationcredentialActuator) updateResource(ctx context.Context, obj orcObjectPT, osResource *osResourceT) progress.ReconcileStatus {
-	log := ctrl.LoggerFrom(ctx)
-	resource := obj.Spec.Resource
-	if resource == nil {
-		// Should have been caught by API validation
-		return progress.WrapError(
-			orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "Update requested, but spec.resource is not set"))
+	if needsReschedule, _ := reconcileStatus.NeedsReschedule(); needsReschedule {
+		return nil, reconcileStatus
 	}
 
-	updateOpts := applicationcredentials.UpdateOpts{}
+	roleList := make([]applicationcredentials.Role, len(resource.RoleRefs))
+	for i := range resource.RoleRefs {
+		roleName := string(resource.RoleRefs[i])
+		role, ok := rolesMap[roleName]
+		if !ok {
+			// Programming error
+			return nil, progress.WrapError(fmt.Errorf("role %s was not returned by GetDependencies", roleName))
+		}
+		roleList[i].ID = *role.Status.ID
+	}
 
-	handleNameUpdate(&updateOpts, obj, osResource)
-	handleDescriptionUpdate(&updateOpts, resource, osResource)
+	accessRuleList := make([]applicationcredentials.AccessRule, len(resource.AccessRules))
+	for i := range resource.AccessRules {
+		accessRuleSpec := &resource.AccessRules[i]
+		accessRule := &accessRuleList[i]
+
+		if accessRuleSpec.ServiceRef != nil {
+			serviceName := string(*accessRuleSpec.ServiceRef)
+			service, ok := serviceMap[serviceName]
+			if !ok {
+				// Programming error
+				return nil, progress.WrapError(fmt.Errorf("service %s was not returned by GetDependencies", serviceName))
+			}
+			accessRule.Service = service.Status.Resource.Type
+		}
 
-	// TODO(scaffolding): add handler for all fields supporting mutability
+		if accessRuleSpec.Path != nil {
+			accessRule.Path = *accessRuleSpec.Path
+		}
 
-	needsUpdate, err := needsUpdate(updateOpts)
-	if err != nil {
-		return progress.WrapError(
-			orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "invalid configuration updating resource: "+err.Error(), err))
-	}
-	if !needsUpdate {
-		log.V(logging.Debug).Info("No changes")
-		return nil
+		if accessRuleSpec.Method != nil {
+			accessRule.Method = string(*accessRuleSpec.Method)
+		}
 	}
 
-	_, err = actuator.osClient.UpdateApplicationCredential(ctx, osResource.ID, updateOpts)
+	createOpts := applicationcredentials.CreateOpts{
+		Name:         getResourceName(obj),
+		Description:  ptr.Deref(resource.Description, ""),
+		Unrestricted: ptr.Deref(resource.Unrestricted, false),
+		Secret:       string(secretData),
+		Roles:        roleList,
+		AccessRules:  accessRuleList,
+	}
 
-	// We should require the spec to be updated before retrying an update which returned a conflict
-	if orcerrors.IsConflict(err) {
-		err = orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "invalid configuration updating resource: "+err.Error(), err)
+	if resource.ExpiresAt != nil {
+		createOpts.ExpiresAt = &resource.ExpiresAt.Time
 	}
 
+	osResource, err := actuator.osClient.CreateApplicationCredential(ctx, ptr.Deref(user.Status.ID, ""), createOpts)
 	if err != nil {
-		return progress.WrapError(err)
+		// We should require the spec to be updated before retrying a create which returned a conflict
+		if !orcerrors.IsRetryable(err) {
+			err = orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "invalid configuration creating resource: "+err.Error(), err)
+		}
+		return nil, progress.WrapError(err)
 	}
 
-	return progress.NeedsRefresh()
+	return osResource, nil
 }
 
-func needsUpdate(updateOpts applicationcredentials.UpdateOpts) (bool, error) {
-	updateOptsMap, err := updateOpts.ToApplicationCredentialUpdateMap()
-	if err != nil {
-		return false, err
-	}
-
-	updateMap, ok := updateOptsMap["application_credentials"].(map[string]any)
-	if !ok {
-		updateMap = make(map[string]any)
-	}
+func (actuator applicationcredentialActuator) DeleteResource(ctx context.Context, orcObject orcObjectPT, resource *osResourceT) progress.ReconcileStatus {
+	var reconcileStatus progress.ReconcileStatus
 
-	return len(updateMap) > 0, nil
-}
+	user, userDepRS := userDependency.GetDependency(
+		ctx, actuator.k8sClient, orcObject, func(dep *orcv1alpha1.User) bool {
+			return orcv1alpha1.IsAvailable(dep) && dep.Status.ID != nil
+		},
+	)
 
-func handleNameUpdate(updateOpts *applicationcredentials.UpdateOpts, obj orcObjectPT, osResource *osResourceT) {
-	name := getResourceName(obj)
-	if osResource.Name != name {
-		updateOpts.Name = &name
-	}
-}
+	reconcileStatus = reconcileStatus.WithReconcileStatus(userDepRS)
 
-func handleDescriptionUpdate(updateOpts *applicationcredentials.UpdateOpts, resource *resourceSpecT, osResource *osResourceT) {
-	description := ptr.Deref(resource.Description, "")
-	if osResource.Description != description {
-		updateOpts.Description = &description
+	if needsReschedule, _ := reconcileStatus.NeedsReschedule(); needsReschedule {
+		return reconcileStatus
 	}
-}
 
-func (actuator applicationcredentialActuator) GetResourceReconcilers(ctx context.Context, orcObject orcObjectPT, osResource *osResourceT, controller interfaces.ResourceController) ([]resourceReconciler, progress.ReconcileStatus) {
-	return []resourceReconciler{
-		actuator.updateResource,
-	}, nil
+	return progress.WrapError(actuator.osClient.DeleteApplicationCredential(ctx, ptr.Deref(user.Status.ID, ""), resource.ID))
 }
 
 type applicationcredentialHelperFactory struct{}