Merge pull request projectcalico#521 from tigera/SAAS-1546

[SAAS-1546] Add DPI resource

Author: marvin-tigera

config/crd/crd.projectcalico.org_deeppacketinspections.yaml

@@ -0,0 +1,110 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: deeppacketinspections.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: DeepPacketInspection
+    listKind: DeepPacketInspectionList
+    plural: deeppacketinspections
+    singular: deeppacketinspection
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DeepPacketInspectionSpec contains the values of the deep
+              packet inspection.
+            properties:
+              selector:
+                description: "The selector is an expression used to pick out the endpoints
+                  for which deep packet inspection should be performed on. The selector
+                  will only match endpoints in the same namespace as the DeepPacketInspection
+                  resource. \n Selector expressions follow this syntax: \n \tlabel
+                  == \"string_literal\"  ->  comparison, e.g. my_label == \"foo bar\"
+                  \tlabel != \"string_literal\"   ->  not equal; also matches if label
+                  is not present \tlabel in { \"a\", \"b\", \"c\", ... }  ->  true
+                  if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not
+                  in { \"a\", \"b\", \"c\", ... }  ->  true if the value of label
+                  X is not one of \"a\", \"b\", \"c\" \thas(label_name)  -> True if
+                  that label is present \t! expr -> negation of expr \texpr && expr
+                  \ -> Short-circuit and \texpr || expr  -> Short-circuit or \t( expr
+                  ) -> parens for grouping \tall() or the empty selector -> matches
+                  all endpoints. \n Label names are allowed to contain alphanumerics,
+                  -, _ and /. String literals are more permissive but they do not
+                  support escape characters. \n Examples (with made-up labels): \n
+                  \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\",
+                  \"backend\"} \tdeployment != \"dev\" \t! has(label_name)"
+                type: string
+            type: object
+          status:
+            description: DeepPacketInspectionStatus contains status of deep packet
+              inspection in each node.
+            properties:
+              nodes:
+                items:
+                  properties:
+                    active:
+                      properties:
+                        lastUpdated:
+                          description: Timestamp of when the active status was last
+                            updated.
+                          format: date-time
+                          type: string
+                        success:
+                          description: Success indicates if deep packet inspection
+                            is running on all workloads matching the selector.
+                          type: boolean
+                      type: object
+                    errorConditions:
+                      items:
+                        properties:
+                          lastUpdated:
+                            description: Timestamp of when this error message was
+                              added.
+                            format: date-time
+                            type: string
+                          message:
+                            description: Message from deep packet inspection error.
+                            type: string
+                        type: object
+                      maxItems: 10
+                      type: array
+                    node:
+                      description: Node identifies with a physical node from the cluster
+                        via its hostname.
+                      type: string
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

lib/apis/crd.projectcalico.org/v1/deeppacketinspection_type.go

@@ -0,0 +1,21 @@
+// Copyright (c) 2021 Tigera, Inc. All rights reserved.
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	v3 "github.com/projectcalico/libcalico-go/lib/apis/v3"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// +kubebuilder:subresource:status
+// +k8s:openapi-gen=true
+type DeepPacketInspection struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              v3.DeepPacketInspectionSpec   `json:"spec,omitempty"`
+	Status            v3.DeepPacketInspectionStatus `json:"status,omitempty"`
+}

lib/apis/v3/deeppacketinspection.go

@@ -0,0 +1,115 @@
+// Copyright (c) 2021 Tigera, Inc. All rights reserved.
+
+package v3
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	KindDeepPacketInspection     = "DeepPacketInspection"
+	KindDeepPacketInspectionList = "DeepPacketInspectionList"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:subresource:status
+
+type DeepPacketInspection struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// Specification of the DeepPacketInspection.
+	Spec DeepPacketInspectionSpec `json:"spec,omitempty"`
+	// Status of the DeepPacketInspection.
+	Status DeepPacketInspectionStatus `json:"status,omitempty"`
+}
+
+// DeepPacketInspectionSpec contains the values of the deep packet inspection.
+type DeepPacketInspectionSpec struct {
+	// The selector is an expression used to pick out the endpoints for which deep packet inspection should
+	// be performed on. The selector will only match endpoints in the same namespace as the
+	// DeepPacketInspection resource.
+	//
+	// Selector expressions follow this syntax:
+	//
+	// 	label == "string_literal"  ->  comparison, e.g. my_label == "foo bar"
+	// 	label != "string_literal"   ->  not equal; also matches if label is not present
+	// 	label in { "a", "b", "c", ... }  ->  true if the value of label X is one of "a", "b", "c"
+	// 	label not in { "a", "b", "c", ... }  ->  true if the value of label X is not one of "a", "b", "c"
+	// 	has(label_name)  -> True if that label is present
+	// 	! expr -> negation of expr
+	// 	expr && expr  -> Short-circuit and
+	// 	expr || expr  -> Short-circuit or
+	// 	( expr ) -> parens for grouping
+	// 	all() or the empty selector -> matches all endpoints.
+	//
+	// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
+	// but they do not support escape characters.
+	//
+	// Examples (with made-up labels):
+	//
+	// 	type == "webserver" && deployment == "prod"
+	// 	type in {"frontend", "backend"}
+	// 	deployment != "dev"
+	// 	! has(label_name)
+	Selector string `json:"selector,omitempty" validate:"selector"`
+}
+
+// DeepPacketInspectionStatus contains status of deep packet inspection in each node.
+type DeepPacketInspectionStatus struct {
+	Nodes []DPINode `json:"nodes,omitempty"`
+}
+
+type DPINode struct {
+	// Node identifies with a physical node from the cluster via its hostname.
+	Node   string    `json:"node,omitempty"`
+	Active DPIActive `json:"active,omitempty"`
+	// +kubebuilder:validation:MaxItems:=10
+	ErrorConditions []DPIErrorCondition `json:"errorConditions,omitempty"`
+}
+
+type DPIActive struct {
+	// Success indicates if deep packet inspection is running on all workloads matching the selector.
+	Success bool `json:"success,omitempty"`
+	// Timestamp of when the active status was last updated.
+	LastUpdated *metav1.Time `json:"lastUpdated,omitempty"`
+}
+
+type DPIErrorCondition struct {
+	// Message from deep packet inspection error.
+	Message string `json:"message,omitempty"`
+	// Timestamp of when this error message was added.
+	LastUpdated *metav1.Time `json:"lastUpdated,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeepPacketInspectionList contains list of DeepPacketInspection resource.
+type DeepPacketInspectionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []DeepPacketInspection `json:"items"`
+}
+
+// NewDeepPacketInspection creates a new (zeroed) DeepPacketInspection struct with the TypeMetadata
+// initialized to the current version.
+func NewDeepPacketInspection() *DeepPacketInspection {
+	return &DeepPacketInspection{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       KindDeepPacketInspection,
+			APIVersion: GroupVersionCurrent,
+		},
+	}
+}
+
+// NewDeepPacketInspectionList creates a new zeroed) DeepPacketInspectionList struct with the TypeMetadata
+// initialized to the current version.
+func NewDeepPacketInspectionList() *DeepPacketInspectionList {
+	return &DeepPacketInspectionList{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       KindDeepPacketInspectionList,
+			APIVersion: GroupVersionCurrent,
+		},
+	}
+}