feat: add v1alpha1 api version

api/gen.go

@@ -0,0 +1,15 @@
+//go:build generate
+// +build generate
+
+//go:generate rm -rf ../manifests/crd/bases
+//go:generate go run -tags generate sigs.k8s.io/controller-tools/cmd/[email protected] object:headerFile="../hack/copyright.go.txt" paths="./..."
+//go:generate go run -tags generate sigs.k8s.io/controller-tools/cmd/[email protected] rbac:roleName=manager-role crd webhook output:crd:artifacts:config=../manifests/crd/bases paths="./..."
+//go:generate cp ../manifests/crd/bases/natz.zeiss.com_natsaccounts.yaml ../helm/charts/natz-operator/templates/crds/natsaccounts.yaml
+//go:generate cp ../manifests/crd/bases/natz.zeiss.com_natsclusters.yaml ../helm/charts/natz-operator/templates/crds/natsoperators.yaml
+//go:generate cp ../manifests/crd/bases/natz.zeiss.com_natsstreamingclusters.yaml ../helm/charts/natz-operator/templates/crds/natsusers.yaml
+
+package api
+
+import (
+	_ "sigs.k8s.io/controller-tools/cmd/controller-gen" //nolint:typecheck
+)

api/v1alpha1/doc.go

@@ -0,0 +1,2 @@
+// +k8s:deepcopy-gen=package
+package v1alpha1

api/v1alpha1/groupversion_info.go

@@ -0,0 +1,21 @@
+// Package v1alpha1 contains API Schema definitions for the nats v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=natz.zeiss.com
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "natz.zeiss.com", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1alpha1/nats_account_types.go

@@ -0,0 +1,112 @@
+package v1alpha1
+
+import (
+	"time"
+
+	"github.com/nats-io/jwt/v2"
+	"github.com/samber/lo"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Export struct {
+	Name                 string              `json:"name,omitempty"`
+	Subject              jwt.Subject         `json:"subject,omitempty"`
+	Type                 jwt.ExportType      `json:"type,omitempty"`
+	TokenReq             bool                `json:"token_req,omitempty"`
+	Revocations          jwt.RevocationList  `json:"revocations,omitempty"`
+	ResponseType         jwt.ResponseType    `json:"response_type,omitempty"`
+	ResponseThreshold    time.Duration       `json:"response_threshold,omitempty"`
+	Latency              *jwt.ServiceLatency `json:"service_latency,omitempty"`
+	AccountTokenPosition uint                `json:"account_token_position,omitempty"`
+	Advertise            bool                `json:"advertise,omitempty"`
+	jwt.Info             `json:",inline"`
+}
+
+// OperatorLimits are used to limit access by an account
+type OperatorLimits struct {
+	jwt.NatsLimits            `json:",inline"`
+	jwt.AccountLimits         `json:",inline"`
+	jwt.JetStreamLimits       `json:",inline"`
+	jwt.JetStreamTieredLimits `json:"tiered_limits,omitempty"`
+}
+
+// NatsAccountSpec defines the desired state of NatsAccount
+type NatsAccountSpec struct {
+	// OperatorRef contains the NATS operator that should issue this account.
+	OperatorRef corev1.ObjectReference `json:"operatorRef,omitempty"`
+	// Namespaces that are allowed for user creation.
+	// If a NatsUser is referencing this account outside of these namespaces, the operator will create an event for it saying that it's not allowed.
+	AllowUserNamespaces []string `json:"allowedUserNamespaces,omitempty"`
+
+	// These fields are directly mappejwtd into the NATS JWT claim
+	Imports     []*jwt.Import      `json:"imports,omitempty"`
+	Exports     []Export           `json:"exports,omitempty"`
+	Limits      OperatorLimits     `json:"limits,omitempty"`
+	Revocations jwt.RevocationList `json:"revocations,omitempty"`
+
+	// FIXME: Scoped signing keys
+}
+
+func (s NatsAccountSpec) ToJWTAccount() jwt.Account {
+	exports := lo.Map(s.Exports, func(e Export, _ int) *jwt.Export {
+		return &jwt.Export{
+			Name:                 e.Name,
+			Subject:              e.Subject,
+			Type:                 e.Type,
+			TokenReq:             e.TokenReq,
+			Revocations:          e.Revocations,
+			ResponseType:         e.ResponseType,
+			ResponseThreshold:    e.ResponseThreshold,
+			Latency:              e.Latency,
+			AccountTokenPosition: e.AccountTokenPosition,
+			Advertise:            e.Advertise,
+			Info:                 e.Info,
+		}
+	})
+
+	return jwt.Account{
+		Imports: jwt.Imports(s.Imports),
+		Exports: jwt.Exports(exports),
+		Limits: jwt.OperatorLimits{
+			NatsLimits:            s.Limits.NatsLimits,
+			AccountLimits:         s.Limits.AccountLimits,
+			JetStreamLimits:       s.Limits.JetStreamLimits,
+			JetStreamTieredLimits: s.Limits.JetStreamTieredLimits,
+		},
+		SigningKeys: jwt.SigningKeys{},
+		Revocations: s.Revocations,
+	}
+}
+
+// NatsAccountStatus defines the observed state of NatsAccount
+type NatsAccountStatus struct {
+	AccountSecretName string `json:"accountSecretName,omitempty"`
+	PublicKey         string `json:"publicKey,omitempty"`
+	JWT               string `json:"jwt,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// NatsAccount is the Schema for the natsaccounts API
+type NatsAccount struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   NatsAccountSpec   `json:"spec,omitempty"`
+	Status NatsAccountStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// NatsAccountList contains a list of NatsAccount
+type NatsAccountList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NatsAccount `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NatsAccount{}, &NatsAccountList{})
+}

api/v1alpha1/nats_operator_types.go

@@ -0,0 +1,39 @@
+package v1alpha1
+
+import (
+	"github.com/nats-io/jwt/v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type NatsOperatorSpec struct {
+	SigningKeys jwt.StringList `json:"signing_keys,omitempty"`
+}
+type NatsOperatorStatus struct {
+	OperatorSecretName string `json:"operatorSecretName,omitempty"`
+	PublicKey          string `json:"publicKey,omitempty"`
+	JWT                string `json:"jwt,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+type NatsOperator struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   NatsOperatorSpec   `json:"spec,omitempty"`
+	Status NatsOperatorStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// NatsOperatorList contains a list of NatsOperator
+type NatsOperatorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NatsOperator `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NatsOperator{}, &NatsOperatorList{})
+}

api/v1alpha1/nats_user_types.go

@@ -0,0 +1,112 @@
+package v1alpha1
+
+import (
+	"github.com/nats-io/jwt/v2"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Permissions struct {
+	Pub  Permission              `json:"pub,omitempty"`
+	Sub  Permission              `json:"sub,omitempty"`
+	Resp *jwt.ResponsePermission `json:"resp,omitempty"`
+}
+
+func (p Permissions) toNats() jwt.Permissions {
+	return jwt.Permissions{
+		Pub:  p.Pub.toNats(),
+		Sub:  p.Sub.toNats(),
+		Resp: p.Resp,
+	}
+}
+
+type Permission struct {
+	Allow jwt.StringList `json:"allow,omitempty"`
+	Deny  jwt.StringList `json:"deny,omitempty"`
+}
+
+func (p Permission) toNats() jwt.Permission {
+	return jwt.Permission{
+		Allow: p.Allow,
+		Deny:  p.Deny,
+	}
+}
+
+// NatsUserSpec defines the desired state of NatsUser
+type NatsUserSpec struct {
+	// AccountRef is the reference to the account that should sign this user
+	AccountRef             corev1.ObjectReference `json:"accountRef"`
+	Permissions            Permissions            `json:"permissions,omitempty"`
+	Limits                 Limits                 `json:"limits,omitempty"`
+	BearerToken            bool                   `json:"bearer_token,omitempty"`
+	AllowedConnectionTypes jwt.StringList         `json:"allowed_connection_types,omitempty"`
+}
+
+type UserLimits struct {
+	Src    jwt.CIDRList    `json:"src,omitempty"`
+	Times  []jwt.TimeRange `json:"times,omitempty"`
+	Locale string          `json:"times_location,omitempty"`
+}
+
+func (u UserLimits) toNats() jwt.UserLimits {
+	return jwt.UserLimits{
+		Src:    u.Src,
+		Times:  u.Times,
+		Locale: u.Locale,
+	}
+}
+
+type Limits struct {
+	UserLimits     `json:",inline"`
+	jwt.NatsLimits `json:",inline"`
+}
+
+func (l Limits) toNats() jwt.Limits {
+	return jwt.Limits{
+		UserLimits: l.UserLimits.toNats(),
+		NatsLimits: l.NatsLimits,
+	}
+}
+
+func (s NatsUserSpec) ToNatsJWT() jwt.User {
+	return jwt.User{
+		UserPermissionLimits: jwt.UserPermissionLimits{
+			Permissions:            s.Permissions.toNats(),
+			Limits:                 s.Limits.toNats(),
+			BearerToken:            s.BearerToken,
+			AllowedConnectionTypes: s.AllowedConnectionTypes,
+		},
+	}
+}
+
+// NatsUserStatus defines the observed state of NatsUser
+type NatsUserStatus struct {
+	UserSecretName string `json:"userSecretName,omitempty"`
+	PublicKey      string `json:"publicKey,omitempty"`
+	JWT            string `json:"jwt,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// NatsUser is the Schema for the natsusers API
+type NatsUser struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   NatsUserSpec   `json:"spec,omitempty"`
+	Status NatsUserStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// NatsUserList contains a list of NatsUser
+type NatsUserList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NatsUser `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NatsUser{}, &NatsUserList{})
+}