From 0b03eea8b740510da4bec57509b929a22d3d9522 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Thu, 2 Jan 2025 14:44:04 +0200 Subject: [PATCH 1/3] Rename `spec.service` to `spec.workload` in KafkaServerConfig api version `v2alpha1` --- .../api/v1alpha2/kafkaserverconfig_types.go | 4 +-- src/operator/api/v1alpha3/webhooks.go | 8 ++--- src/operator/api/v1beta1/webhooks.go | 8 ++--- .../api/v2alpha1/kafkaserverconfig_types.go | 2 +- .../api/v2alpha1/zz_generated.deepcopy.go | 2 +- ...8s.otterize.com_kafkaserverconfigs.patched | 18 ++++++------ .../k8s.otterize.com_kafkaserverconfigs.yaml | 18 ++++++------ .../config/rbac/manifests-patched.yaml | 13 +++++++++ src/operator/config/rbac/role.yaml | 13 +++++++++ .../external_traffic/network_policy.go | 4 +-- .../cloud_reconciler_test.go | 6 ++-- .../intents_reconcilers/kafka_acls_test.go | 2 +- .../controllers/istiopolicy/policy_manager.go | 2 +- .../kafka_server_config_controller_test.go | 4 +-- .../kafka_server_config_reconciler.go | 10 +++---- .../telemetry_reconciler.go | 2 +- .../telemetry_reconciler_test.go | 10 +++---- .../controllers/kafkaacls/intents_admin.go | 10 +++---- .../kafkaacls/intents_admin_test.go | 6 ++-- .../controllers/kafkaacls/servers_store.go | 2 +- .../kafkaserverconfig_controller.go | 2 +- .../default_deny_test.go | 2 +- ...erverconfigs-customresourcedefinition.yaml | 18 ++++++------ .../webhooks/protectedservices_webhook.go | 6 ++-- .../webhooks/protectedservices_webhook_v1.go | 6 ++-- .../protectedservices_webhook_v1alpha3.go | 6 ++-- .../protectedservices_webhook_v2alpha1.go | 6 ++-- src/shared/awsagent/roles.go | 2 +- .../graphqlclient/schema.graphql | 29 ++++++++++++++++--- .../serviceidentity/serviceidentity.go | 2 +- .../telemetries/telemetriesgql/schema.graphql | 29 ++++++++++++++++--- 31 files changed, 160 insertions(+), 92 deletions(-) diff --git a/src/operator/api/v1alpha2/kafkaserverconfig_types.go b/src/operator/api/v1alpha2/kafkaserverconfig_types.go index 70463eb47..d89b7c456 100644 
--- a/src/operator/api/v1alpha2/kafkaserverconfig_types.go +++ b/src/operator/api/v1alpha2/kafkaserverconfig_types.go @@ -100,7 +100,7 @@ func (ksc *KafkaServerConfig) ConvertTo(dstRaw conversion.Hub) error { dst.ObjectMeta = ksc.ObjectMeta dst.Spec = v2alpha1.KafkaServerConfigSpec{} dst.Spec.Addr = ksc.Spec.Addr - dst.Spec.Service = v2alpha1.Workload{Name: ksc.Spec.Service.Name} + dst.Spec.Workload = v2alpha1.Workload{Name: ksc.Spec.Service.Name} dst.Spec.NoAutoCreateIntentsForOperator = ksc.Spec.NoAutoCreateIntentsForOperator dst.Spec.TLS = v2alpha1.TLSSource{ CertFile: ksc.Spec.TLS.CertFile, @@ -124,7 +124,7 @@ func (ksc *KafkaServerConfig) ConvertFrom(srcRaw conversion.Hub) error { ksc.ObjectMeta = src.ObjectMeta ksc.Spec = KafkaServerConfigSpec{} ksc.Spec.Addr = src.Spec.Addr - ksc.Spec.Service = Service{Name: src.Spec.Service.Name} + ksc.Spec.Service = Service{Name: src.Spec.Workload.Name} ksc.Spec.NoAutoCreateIntentsForOperator = src.Spec.NoAutoCreateIntentsForOperator ksc.Spec.TLS = TLSSource{ CertFile: src.Spec.TLS.CertFile, diff --git a/src/operator/api/v1alpha3/webhooks.go b/src/operator/api/v1alpha3/webhooks.go index 0aabcf2de..d6e47d76f 100644 --- a/src/operator/api/v1alpha3/webhooks.go +++ b/src/operator/api/v1alpha3/webhooks.go @@ -107,8 +107,8 @@ func (ksc *KafkaServerConfig) ConvertTo(dstRaw conversion.Hub) error { dst := dstRaw.(*v2alpha1.KafkaServerConfig) dst.ObjectMeta = ksc.ObjectMeta // convert each spec attribute - dst.Spec.Service.Name = ksc.Spec.Service.Name - dst.Spec.Service.Kind = ksc.Spec.Service.Kind + dst.Spec.Workload.Name = ksc.Spec.Service.Name + dst.Spec.Workload.Kind = ksc.Spec.Service.Kind dst.Spec.NoAutoCreateIntentsForOperator = ksc.Spec.NoAutoCreateIntentsForOperator dst.Spec.Addr = ksc.Spec.Addr dst.Spec.TLS = v2alpha1.TLSSource{ 
@@ -130,8 +130,8 @@ func (ksc *KafkaServerConfig) ConvertFrom(srcRaw conversion.Hub) error { src := srcRaw.(*v2alpha1.KafkaServerConfig) ksc.ObjectMeta = src.ObjectMeta // convert each spec attribute - ksc.Spec.Service.Name = src.Spec.Service.Name - ksc.Spec.Service.Kind = src.Spec.Service.Kind + ksc.Spec.Service.Name = src.Spec.Workload.Name + ksc.Spec.Service.Kind = src.Spec.Workload.Kind ksc.Spec.NoAutoCreateIntentsForOperator = src.Spec.NoAutoCreateIntentsForOperator ksc.Spec.Addr = src.Spec.Addr ksc.Spec.TLS = TLSSource{ diff --git a/src/operator/api/v1beta1/webhooks.go b/src/operator/api/v1beta1/webhooks.go index 73d6bf6b1..f3bfccc93 100644 --- a/src/operator/api/v1beta1/webhooks.go +++ b/src/operator/api/v1beta1/webhooks.go @@ -107,8 +107,8 @@ func (ksc *KafkaServerConfig) ConvertTo(dstRaw conversion.Hub) error { dst := dstRaw.(*v2alpha1.KafkaServerConfig) dst.ObjectMeta = ksc.ObjectMeta // convert each spec attribute - dst.Spec.Service.Name = ksc.Spec.Service.Name - dst.Spec.Service.Kind = ksc.Spec.Service.Kind + dst.Spec.Workload.Name = ksc.Spec.Service.Name + dst.Spec.Workload.Kind = ksc.Spec.Service.Kind dst.Spec.NoAutoCreateIntentsForOperator = ksc.Spec.NoAutoCreateIntentsForOperator dst.Spec.Addr = ksc.Spec.Addr dst.Spec.TLS = v2alpha1.TLSSource{ @@ -130,8 +130,8 @@ func (ksc *KafkaServerConfig) ConvertFrom(srcRaw conversion.Hub) error { src := srcRaw.(*v2alpha1.KafkaServerConfig) ksc.ObjectMeta = src.ObjectMeta // convert each spec attribute - ksc.Spec.Service.Name = src.Spec.Service.Name - ksc.Spec.Service.Kind = src.Spec.Service.Kind + ksc.Spec.Service.Name = src.Spec.Workload.Name + ksc.Spec.Service.Kind = src.Spec.Workload.Kind ksc.Spec.NoAutoCreateIntentsForOperator = src.Spec.NoAutoCreateIntentsForOperator ksc.Spec.Addr = src.Spec.Addr ksc.Spec.TLS = TLSSource{ diff --git a/src/operator/api/v2alpha1/kafkaserverconfig_types.go b/src/operator/api/v2alpha1/kafkaserverconfig_types.go index 453dc7001..75a0d4fef 100644 
--- a/src/operator/api/v2alpha1/kafkaserverconfig_types.go +++ b/src/operator/api/v2alpha1/kafkaserverconfig_types.go @@ -51,7 +51,7 @@ type KafkaServerConfigSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file - Service Workload `json:"service,omitempty" yaml:"service,omitempty"` + Workload Workload `json:"workload,omitempty" yaml:"workload,omitempty"` // If Intents for network policies are enabled, and there are other Intents to this Kafka server, // will automatically create an Target so that the Intents Operator can connect. Set to true to disable. NoAutoCreateIntentsForOperator bool `json:"noAutoCreateIntentsForOperator,omitempty" yaml:"noAutoCreateIntentsForOperator,omitempty"` diff --git a/src/operator/api/v2alpha1/zz_generated.deepcopy.go b/src/operator/api/v2alpha1/zz_generated.deepcopy.go index 5d463e279..fe66dcb09 100644 --- a/src/operator/api/v2alpha1/zz_generated.deepcopy.go +++ b/src/operator/api/v2alpha1/zz_generated.deepcopy.go @@ -389,7 +389,7 @@ func (in *KafkaServerConfigList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KafkaServerConfigSpec) DeepCopyInto(out *KafkaServerConfigSpec) { *out = *in - out.Service = in.Service + out.Workload = in.Workload out.TLS = in.TLS if in.Topics != nil { in, out := &in.Topics, &out.Topics diff --git a/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.patched b/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.patched index 864049764..c6a099b1a 100644 --- a/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.patched +++ b/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.patched 
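Review bot: Changing the JSON tag from `service` to `workload` on v2alpha1, which the ConvertTo/ConvertFrom hunks above treat as the conversion hub, changes the persisted wire format, and nothing in this hunk carries the old key forward: an already-stored object with `spec.service` will have that key pruned by the structural schema and come back with an empty `Spec.Workload.Name`, which the reconciler then uses as the servers-store key. Because the field keeps `omitempty`, the generated CRD only requires `name` inside `workload` and not `workload` itself, so a spec with no workload at all is admitted. Consider `Workload Workload \`json:"workload" yaml:"workload"\`` (or a `+kubebuilder:validation:Required` marker) so the generated schema rejects a missing workload, and document the storage migration for existing v2alpha1 objects — I am inferring the storage version from the Hub usage, so confirm against the CRD's `storage: true` entry.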
@@ -310,15 +310,6 @@ spec: If Intents for network policies are enabled, and there are other Intents to this Kafka server, will automatically create an Target so that the Intents Operator can connect. Set to true to disable. type: boolean - service: - properties: - kind: - type: string - name: - type: string - required: - - name - type: object tls: properties: certFile: @@ -353,6 +344,15 @@ spec: - topic type: object type: array + workload: + properties: + kind: + type: string + name: + type: string + required: + - name + type: object type: object status: description: KafkaServerConfigStatus defines the observed state of KafkaServerConfig diff --git a/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.yaml b/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.yaml index a2a8188a3..80e8aa5ad 100644 --- a/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.yaml +++ b/src/operator/config/crd/k8s.otterize.com_kafkaserverconfigs.yaml @@ -296,15 +296,6 @@ spec: If Intents for network policies are enabled, and there are other Intents to this Kafka server, will automatically create an Target so that the Intents Operator can connect. Set to true to disable. type: boolean - service: - properties: - kind: - type: string - name: - type: string - required: - - name - type: object tls: properties: certFile: @@ -339,6 +330,15 @@ spec: - topic type: object type: array + workload: + properties: + kind: + type: string + name: + type: string + required: + - name + type: object type: object status: description: KafkaServerConfigStatus defines the observed state of KafkaServerConfig diff --git a/src/operator/config/rbac/manifests-patched.yaml b/src/operator/config/rbac/manifests-patched.yaml index 0136570b8..cb04889d8 100644 --- a/src/operator/config/rbac/manifests-patched.yaml +++ b/src/operator/config/rbac/manifests-patched.yaml 
@@ -253,6 +253,19 @@ rules: - patch - update - watch +- apiGroups: + - policy.linkerd.io + resources: + - '*' + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - security.istio.io resources: diff --git a/src/operator/config/rbac/role.yaml b/src/operator/config/rbac/role.yaml index 4a4924f87..bada3e605 100644 --- a/src/operator/config/rbac/role.yaml +++ b/src/operator/config/rbac/role.yaml @@ -253,6 +253,19 @@ rules: - patch - update - watch +- apiGroups: + - policy.linkerd.io + resources: + - '*' + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - security.istio.io resources: diff --git a/src/operator/controllers/external_traffic/network_policy.go b/src/operator/controllers/external_traffic/network_policy.go index 906d366d8..84837262d 100644 --- a/src/operator/controllers/external_traffic/network_policy.go +++ b/src/operator/controllers/external_traffic/network_policy.go 
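Review bot: The new `policy.linkerd.io` rule grants `resources: '*'` with every verb including `deletecollection`, which is wider than least privilege and unrelated to the rename in the commit subject. The operator should list only the Linkerd policy kinds it actually reconciles instead of the wildcard, and it only needs `deletecollection` if some code path really bulk-deletes them. Since `role.yaml` is normally generated from `+kubebuilder:rbac` markers, the narrowing belongs in the marker so the two manifests stay in sync rather than being hand-edited here.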
@@ -344,12 +344,12 @@ func (r *NetworkPolicyHandler) handlePod(ctx context.Context, pod *corev1.Pod) e // external traffic policy will be created (if there were no other intents affecting the service before then) or // deleted (if no intents network policies refer to the pods backing the service any longer). // -// When HandleEndpoints is called, and the Service is of type LoadBalancer, NodePort, or is referenced by an Ingress, +// When HandleEndpoints is called, and the Workload is of type LoadBalancer, NodePort, or is referenced by an Ingress, // it checks if the backing pods are affected by Otterize Intents Network Policies. // If so, and the reconciler is enabled, it will create network policies to allow external traffic to those pods. // If the Endpoints (= Services) update port, it will update the port specified in the corresponding network policy. // If the Endpoints no longer refer to pods affected by Intents, then the network policy will be deleted. -// If the Service is deleted completely, then the corresponding network policy will be deleted, since it is owned +// If the Workload is deleted completely, then the corresponding network policy will be deleted, since it is owned // by the service. func (r *NetworkPolicyHandler) HandleEndpoints(ctx context.Context, endpoints *corev1.Endpoints) error { svc := corev1.Service{} diff --git a/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go b/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go index 0774d756b..62238d657 100644 --- a/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go +++ b/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go 
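Review bot: The rewritten comment now says "the Workload is of type LoadBalancer, NodePort, or is referenced by an Ingress", but those are Kubernetes Service types and the function body immediately below the comment fetches `svc := corev1.Service{}`, so the comment misdescribes what `HandleEndpoints` inspects. The rename should not have touched these lines; restore `// When HandleEndpoints is called, and the Service is of type LoadBalancer, NodePort, or is referenced by an Ingress,` and `// If the Service is deleted completely, then the corresponding network policy will be deleted, since it is owned`. The body of `HandleEndpoints` continues past the hunk.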
@@ -821,7 +821,7 @@ func (s *CloudReconcilerTestSuite) TestReportKindAndAlias() { cloudIntent, err := intent.ConvertToCloudFormat(context.Background(), s.client, serviceidentity.ServiceIdentity{Name: clientName, Namespace: testNamespace, Kind: "StatefulSet"}) s.Require().NoError(err) s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Deployment") - s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + testNamespace), Kind: lo.ToPtr("Service")}) + s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + testNamespace), Kind: lo.ToPtr("Workload")}) s.Require().Equal(lo.FromPtr(cloudIntent.ClientWorkloadKind), "StatefulSet") } @@ -831,8 +831,8 @@ func (s *CloudReconcilerTestSuite) TestReportTargetKubernetesAPIServiceWithNoSel intent := &otterizev2alpha1.Target{Service: &otterizev2alpha1.ServiceTarget{Name: fmt.Sprint(serverName, ".", serverNamespace)}} cloudIntent, err := intent.ConvertToCloudFormat(context.Background(), s.client, serviceidentity.ServiceIdentity{Name: clientName, Namespace: testNamespace}) s.Require().NoError(err) - s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Service") - s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + serverNamespace), Kind: lo.ToPtr("Service")}) + s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Workload") + s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + serverNamespace), Kind: lo.ToPtr("Workload")}) s.Require().Equal(lo.FromPtr(cloudIntent.ServerNamespace), serverNamespace) s.Require().Equal(lo.FromPtr(cloudIntent.ServerName), serverName) } diff --git a/src/operator/controllers/intents_reconcilers/kafka_acls_test.go b/src/operator/controllers/intents_reconcilers/kafka_acls_test.go index 1652f74cb..3f05c8995 100644 
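Review bot: The expected `ServerWorkloadKind` and `ServerAlias.Kind` for a target built from `otterizev2alpha1.ServiceTarget` change from `"Service"` to `"Workload"`, yet `"Service"` here is the Kubernetes kind of the aliased object, not the renamed `spec.service` field, and no implementation hunk in this chunk produces `"Workload"`. If `serviceidentity.go` (listed in the diffstat but not shown) really renamed the kind constant, the tests are fine; otherwise they now pin a kind name that does not exist in Kubernetes and a Service target would be reported to the cloud under the wrong kind. Please either point at the implementation change that emits `"Workload"` or restore `Kind: lo.ToPtr("Service")` in both assertions.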
--- a/src/operator/controllers/intents_reconcilers/kafka_acls_test.go +++ b/src/operator/controllers/intents_reconcilers/kafka_acls_test.go @@ -87,7 +87,7 @@ func (s *KafkaACLReconcilerTestSuite) SetupSuite() { func (s *KafkaACLReconcilerTestSuite) setupServerStore(serviceName string) *kafkaacls.ServersStoreImpl { serverConfig := &otterizev2alpha1.KafkaServerConfig{ Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: serviceName, }, Topics: []otterizev2alpha1.TopicConfig{{ diff --git a/src/operator/controllers/istiopolicy/policy_manager.go b/src/operator/controllers/istiopolicy/policy_manager.go index 1b4f91ceb..fdb0259a4 100644 --- a/src/operator/controllers/istiopolicy/policy_manager.go +++ b/src/operator/controllers/istiopolicy/policy_manager.go @@ -321,7 +321,7 @@ func (c *PolicyManagerImpl) updateServiceAccountSharedStatus(ctx context.Context } if isServiceAccountShared { - c.recorder.RecordWarningEventf(updatedIntents, ReasonSharedServiceAccount, "Service account %s is shared and will also grant access to the following clients: %s", serviceAccount, clientsNames) + c.recorder.RecordWarningEventf(updatedIntents, ReasonSharedServiceAccount, "Workload account %s is shared and will also grant access to the following clients: %s", serviceAccount, clientsNames) } } return nil diff --git a/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_controller_test.go b/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_controller_test.go index b9b4dba62..e4cd91909 100644 --- a/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_controller_test.go +++ b/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_controller_test.go 
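Review bot: The warning event in `updateServiceAccountSharedStatus` now reads "Workload account %s is shared", but the value formatted is `serviceAccount` and the reason is `ReasonSharedServiceAccount`, so this is a Kubernetes ServiceAccount and the user-facing text is now misleading. This line was caught by the global replace, not by the rename of `spec.service`; restore `"Service account %s is shared and will also grant access to the following clients: %s"`. The enclosing function starts before the hunk.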
@@ -78,7 +78,7 @@ func (s *KafkaServerConfigReconcilerTestSuite) TearDownTest() { func (s *KafkaServerConfigReconcilerTestSuite) setupServerStore(serviceName string) kafkaacls.ServersStore { serverConfig := &otterizev2alpha1.KafkaServerConfig{ Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: serviceName, }, Topics: []otterizev2alpha1.TopicConfig{{ @@ -113,7 +113,7 @@ func (s *KafkaServerConfigReconcilerTestSuite) generateKafkaServerConfig() otter }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ NoAutoCreateIntentsForOperator: true, - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: kafkaServiceName, }, Topics: []otterizev2alpha1.TopicConfig{ diff --git a/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_reconciler.go b/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_reconciler.go index 7620cc7cb..4035d97be 100644 --- a/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_reconciler.go +++ b/src/operator/controllers/kafka_server_config_reconcilers/kafka_server_config_reconciler.go @@ -76,7 +76,7 @@ func (r *KafkaServerConfigReconciler) removeKafkaServerFromStore(kafkaServerConf }, ) - intentsAdmin, err := r.ServersStore.Get(kafkaServerConfig.Spec.Service.Name, kafkaServerConfig.Namespace) + intentsAdmin, err := r.ServersStore.Get(kafkaServerConfig.Spec.Workload.Name, kafkaServerConfig.Namespace) if err != nil && errors.Is(err, kafkaacls.ServerSpecNotFound) { logger.Info("Kafka server not registered to servers store") return nil @@ -92,7 +92,7 @@ func (r *KafkaServerConfigReconciler) removeKafkaServerFromStore(kafkaServerConf } logger.Info("Removing Kafka server from store") - r.ServersStore.Remove(kafkaServerConfig.Spec.Service.Name, kafkaServerConfig.Namespace) + r.ServersStore.Remove(kafkaServerConfig.Spec.Workload.Name, kafkaServerConfig.Namespace) return nil } 
@@ -154,7 +154,7 @@ func (r *KafkaServerConfigReconciler) createIntentsFromOperatorToKafkaServer(ctx }, Targets: []otterizev2alpha1.Target{{ Kafka: &otterizev2alpha1.KafkaTarget{ - Name: fmt.Sprintf("%s.%s", config.Spec.Service.Name, config.Namespace), + Name: fmt.Sprintf("%s.%s", config.Spec.Workload.Name, config.Namespace), Topics: []otterizev2alpha1.KafkaTopic{{ Name: "*", Operations: []otterizev2alpha1.KafkaOperation{ @@ -230,7 +230,7 @@ func (r *KafkaServerConfigReconciler) reconcileObject(ctx context.Context, kafka r.ServersStore.Add(kafkaServerConfig) - kafkaIntentsAdmin, err := r.ServersStore.Get(kafkaServerConfig.Spec.Service.Name, kafkaServerConfig.Namespace) + kafkaIntentsAdmin, err := r.ServersStore.Get(kafkaServerConfig.Spec.Workload.Name, kafkaServerConfig.Namespace) if err != nil { return ctrl.Result{}, errors.Wrap(err) } @@ -292,7 +292,7 @@ func kafkaServerConfigCRDToCloudModel(kafkaServerConfig otterizev2alpha1.KafkaSe } input := graphqlclient.KafkaServerConfigInput{ - Name: kafkaServerConfig.Spec.Service.Name, + Name: kafkaServerConfig.Spec.Workload.Name, Namespace: kafkaServerConfig.Namespace, Address: kafkaServerConfig.Spec.Addr, Topics: topics, diff --git a/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler.go b/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler.go index 9d648e2d0..5388e10b1 100644 --- a/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler.go +++ b/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler.go @@ -40,7 +40,7 @@ func (r *TelemetryReconciler) Reconcile(ctx context.Context, req reconcile.Reque anonymizedServerName := telemetrysender.Anonymize(fmt.Sprintf("%s/%s", kafkaServerConfig.Namespace, - kafkaServerConfig.Spec.Service.Name, + kafkaServerConfig.Spec.Workload.Name, )) if !kafkaServerConfig.DeletionTimestamp.IsZero() { 
diff --git a/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler_test.go b/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler_test.go index b0df3dc5a..01078d73e 100644 --- a/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler_test.go +++ b/src/operator/controllers/kafka_server_config_reconcilers/telemetry_reconciler_test.go @@ -45,7 +45,7 @@ func (s *CountReconcilerTestSuite) TestAppliedProtectedServices() { Namespace: testNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: server, }, }, @@ -63,7 +63,7 @@ func (s *CountReconcilerTestSuite) TestAppliedProtectedServices() { Namespace: testNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: anotherServer, }, }, @@ -77,7 +77,7 @@ func (s *CountReconcilerTestSuite) TestAppliedProtectedServices() { Namespace: testNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: server, }, }, @@ -91,7 +91,7 @@ func (s *CountReconcilerTestSuite) TestAppliedProtectedServices() { Namespace: anotherNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: server, }, }, @@ -105,7 +105,7 @@ func (s *CountReconcilerTestSuite) TestAppliedProtectedServices() { Namespace: anotherNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: anotherServer, }, }, diff --git a/src/operator/controllers/kafkaacls/intents_admin.go b/src/operator/controllers/kafkaacls/intents_admin.go index acc3c6cc9..effd40ca7 100644 --- a/src/operator/controllers/kafkaacls/intents_admin.go +++ b/src/operator/controllers/kafkaacls/intents_admin.go 
@@ -262,7 +262,7 @@ func (a *KafkaIntentsAdminImpl) deleteACLsByPrincipal(principal string) (int, er func (a *KafkaIntentsAdminImpl) logACLs() error { logger := logrus.WithFields( logrus.Fields{ - "serverName": a.kafkaServer.Spec.Service, + "serverName": a.kafkaServer.Spec.Workload, "serverNamespace": a.kafkaServer.Namespace, }) @@ -305,7 +305,7 @@ func (a *KafkaIntentsAdminImpl) ApplyClientIntents(clientName string, clientName logger := logrus.WithFields( logrus.Fields{ "principal": principal, - "serverName": a.kafkaServer.Spec.Service, + "serverName": a.kafkaServer.Spec.Workload, "serverNamespace": a.kafkaServer.Namespace, }) @@ -366,7 +366,7 @@ func (a *KafkaIntentsAdminImpl) RemoveClientIntents(clientName string, clientNam logger := logrus.WithFields( logrus.Fields{ "principal": principal, - "serverName": a.kafkaServer.Spec.Service, + "serverName": a.kafkaServer.Spec.Workload, "serverNamespace": a.kafkaServer.Namespace, }) countDeleted, err := a.deleteACLsByPrincipal(principal) @@ -384,7 +384,7 @@ func (a *KafkaIntentsAdminImpl) RemoveClientIntents(clientName string, clientNam func (a *KafkaIntentsAdminImpl) RemoveServerIntents(topicsConf []otterizev2alpha1.TopicConfig) error { logger := logrus.WithFields( logrus.Fields{ - "serverName": a.kafkaServer.Spec.Service, + "serverName": a.kafkaServer.Spec.Workload, "serverNamespace": a.kafkaServer.Namespace, }) @@ -559,7 +559,7 @@ func (a *KafkaIntentsAdminImpl) deleteResourceAcls(resourceAclsToDelete []*saram func (a *KafkaIntentsAdminImpl) ApplyServerTopicsConf(topicsConf []otterizev2alpha1.TopicConfig) error { logger := logrus.WithFields( logrus.Fields{ - "serverName": a.kafkaServer.Spec.Service, + "serverName": a.kafkaServer.Spec.Workload, "serverNamespace": a.kafkaServer.Namespace, }) diff --git a/src/operator/controllers/kafkaacls/intents_admin_test.go b/src/operator/controllers/kafkaacls/intents_admin_test.go index a90dcae09..e35578c66 100644 --- a/src/operator/controllers/kafkaacls/intents_admin_test.go 
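Review bot: Every `logrus.WithFields` call in these five hunks attaches the whole `a.kafkaServer.Spec.Workload` struct under the field `serverName`, so the log field holds a `{name kind}` value rather than the name the field promises; the other call sites in this commit (`ServersStore`, `kafkaServerConfigCRDToCloudModel`) use `.Name`. Use `"serverName": a.kafkaServer.Spec.Workload.Name,` at each site and, if the kind is useful for triage, add it as its own `"serverKind"` field instead. This was already the case with `Spec.Service` before the rename, but the rename is the moment to fix it.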
+++ b/src/operator/controllers/kafkaacls/intents_admin_test.go @@ -40,7 +40,7 @@ func (s *IntentAdminSuite) TestApplyServerConfig() { Namespace: testNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: serverName, }, Addr: serverAddress, @@ -105,7 +105,7 @@ func (s *IntentAdminSuite) TestApplyServerConfigPermissionExists() { Namespace: testNamespace, }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: serverName, }, Addr: serverAddress, @@ -200,7 +200,7 @@ func (s *IntentAdminSuite) TestDeleteServerConfig() { DeletionTimestamp: lo.ToPtr(metav1.Date(2021, 6, 13, 0, 0, 0, 0, time.UTC)), }, Spec: otterizev2alpha1.KafkaServerConfigSpec{ - Service: otterizev2alpha1.Workload{ + Workload: otterizev2alpha1.Workload{ Name: serverName, }, Addr: serverAddress, diff --git a/src/operator/controllers/kafkaacls/servers_store.go b/src/operator/controllers/kafkaacls/servers_store.go index 8432e8051..90077c5dc 100644 --- a/src/operator/controllers/kafkaacls/servers_store.go +++ b/src/operator/controllers/kafkaacls/servers_store.go @@ -37,7 +37,7 @@ func NewServersStore(tlsSourceFiles otterizev2alpha1.TLSSource, enableKafkaACLCr } func (s *ServersStoreImpl) Add(config *otterizev2alpha1.KafkaServerConfig) { - name := types.NamespacedName{Name: config.Spec.Service.Name, Namespace: config.Namespace} + name := types.NamespacedName{Name: config.Spec.Workload.Name, Namespace: config.Namespace} s.serversByName[name] = config } diff --git a/src/operator/controllers/kafkaserverconfig_controller.go b/src/operator/controllers/kafkaserverconfig_controller.go index fb8ff11a9..886a3d75e 100644 --- a/src/operator/controllers/kafkaserverconfig_controller.go +++ b/src/operator/controllers/kafkaserverconfig_controller.go 
@@ -118,7 +118,7 @@ func (r *KafkaServerConfigReconciler) InitKafkaServerConfigIndices(mgr ctrl.Mana otterizev2alpha1.OtterizeKafkaServerConfigServiceNameField, func(object client.Object) []string { ksc := object.(*otterizev2alpha1.KafkaServerConfig) - return []string{ksc.Spec.Service.Name} + return []string{ksc.Spec.Workload.Name} }) } diff --git a/src/operator/controllers/protected_service_reconcilers/default_deny_test.go b/src/operator/controllers/protected_service_reconcilers/default_deny_test.go index c256cb2c7..17488cffe 100644 --- a/src/operator/controllers/protected_service_reconcilers/default_deny_test.go +++ b/src/operator/controllers/protected_service_reconcilers/default_deny_test.go @@ -161,7 +161,7 @@ func (s *DefaultDenyReconcilerTestSuite) TestProtectedServicesCreate_KindService }, Spec: otterizev2alpha1.ProtectedServiceSpec{ Name: protectedServiceName, - Kind: "Service", + Kind: "Workload", }, }, } diff --git a/src/operator/otterizecrds/kafkaserverconfigs-customresourcedefinition.yaml b/src/operator/otterizecrds/kafkaserverconfigs-customresourcedefinition.yaml index 864049764..c6a099b1a 100644 --- a/src/operator/otterizecrds/kafkaserverconfigs-customresourcedefinition.yaml +++ b/src/operator/otterizecrds/kafkaserverconfigs-customresourcedefinition.yaml @@ -310,15 +310,6 @@ spec: If Intents for network policies are enabled, and there are other Intents to this Kafka server, will automatically create an Target so that the Intents Operator can connect. Set to true to disable. type: boolean - service: - properties: - kind: - type: string - name: - type: string - required: - - name - type: object tls: properties: certFile: @@ -353,6 +344,15 @@ spec: - topic type: object type: array + workload: + properties: + kind: + type: string + name: + type: string + required: + - name + type: object type: object status: description: KafkaServerConfigStatus defines the observed state of KafkaServerConfig 
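Review bot: In `TestProtectedServicesCreate_KindService` the `ProtectedServiceSpec.Kind` changes from `"Service"` to `"Workload"`, but `Kind` there names the Kubernetes kind of the protected object and the test's own name says it is meant to exercise the Service-kind path; `"Workload"` is not a Kubernetes kind. Unless `ProtectedService` kinds were renamed elsewhere (nothing in this chunk suggests so), restore `Kind: "Service",` so the test still covers a protected Service. The test function starts before the hunk.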
diff --git a/src/operator/webhooks/protectedservices_webhook.go b/src/operator/webhooks/protectedservices_webhook.go index 705479a4d..e18404b68 100644 --- a/src/operator/webhooks/protectedservices_webhook.go +++ b/src/operator/webhooks/protectedservices_webhook.go @@ -138,11 +138,11 @@ func (v *ProtectedServiceValidatorV1alpha2) validateNoDuplicateClients( func (v *ProtectedServiceValidatorV1alpha2) validateSpec(protectedService *otterizev1alpha2.ProtectedService) *field.Error { serviceName := strings.ReplaceAll(protectedService.Spec.Name, "-", "") serviceName = strings.ReplaceAll(serviceName, "_", "") - // Validate Service Name contains only lowercase alphanumeric characters - // Service name should be a valid RFC 1123 subdomain name + // Validate Workload Name contains only lowercase alphanumeric characters + // Workload name should be a valid RFC 1123 subdomain name // It's a namespaced resource, we do not expect resources in other namespaces if !govalidator.IsAlphanumeric(serviceName) || !govalidator.IsLowerCase(serviceName) { - message := fmt.Sprintf("Invalid Name: %s. Service name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name) + message := fmt.Sprintf("Invalid Name: %s. Workload name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name) return &field.Error{ Type: field.ErrorTypeForbidden, Field: "Name", diff --git a/src/operator/webhooks/protectedservices_webhook_v1.go b/src/operator/webhooks/protectedservices_webhook_v1.go index 33823c812..6e50beb9f 100644 --- a/src/operator/webhooks/protectedservices_webhook_v1.go +++ b/src/operator/webhooks/protectedservices_webhook_v1.go 
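Review bot: The rewritten comment `// Workload name should be a valid RFC 1123 subdomain name` is inconsistent with the check beneath it, which strips `_` before validating and whose error message explicitly allows `'_'`; an RFC 1123 subdomain does not permit underscores. Either tighten the check so `_` is rejected, or correct the comment to state what is actually enforced, e.g. `// Accepts lowercase alphanumerics plus '-' and '_' (looser than an RFC 1123 subdomain)`. The same comment/check pair is repeated in the v1, v1alpha3 and v2alpha1 webhooks in this commit, so fix all four together.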
@@ -138,11 +138,11 @@ func (v *ProtectedServiceValidatorV1) validateNoDuplicateClients( func (v *ProtectedServiceValidatorV1) validateSpec(protectedService *otterizev1beta1.ProtectedService) *field.Error { serviceName := strings.ReplaceAll(protectedService.Spec.Name, "-", "") serviceName = strings.ReplaceAll(serviceName, "_", "") - // Validate Service Name contains only lowercase alphanumeric characters - // Service name should be a valid RFC 1123 subdomain name + // Validate Workload Name contains only lowercase alphanumeric characters + // Workload name should be a valid RFC 1123 subdomain name // It's a namespaced resource, we do not expect resources in other namespaces if !govalidator.IsAlphanumeric(serviceName) || !govalidator.IsLowerCase(serviceName) { - message := fmt.Sprintf("Invalid Name: %s. Service name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name) + message := fmt.Sprintf("Invalid Name: %s. Workload name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name) return &field.Error{ Type: field.ErrorTypeForbidden, Field: "Name", diff --git a/src/operator/webhooks/protectedservices_webhook_v1alpha3.go b/src/operator/webhooks/protectedservices_webhook_v1alpha3.go index 9554c3267..300500654 100644 --- a/src/operator/webhooks/protectedservices_webhook_v1alpha3.go +++ b/src/operator/webhooks/protectedservices_webhook_v1alpha3.go 
@@ -138,11 +138,11 @@ func (v *ProtectedServiceValidatorV1alpha3) validateNoDuplicateClients( func (v *ProtectedServiceValidatorV1alpha3) validateSpec(protectedService *otterizev1alpha3.ProtectedService) *field.Error { serviceName := strings.ReplaceAll(protectedService.Spec.Name, "-", "") serviceName = strings.ReplaceAll(serviceName, "_", "") - // Validate Service Name contains only lowercase alphanumeric characters - // Service name should be a valid RFC 1123 subdomain name + // Validate Workload Name contains only lowercase alphanumeric characters + // Workload name should be a valid RFC 1123 subdomain name // It's a namespaced resource, we do not expect resources in other namespaces if !govalidator.IsAlphanumeric(serviceName) || !govalidator.IsLowerCase(serviceName) { - message := fmt.Sprintf("Invalid Name: %s. Service name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name) + message := fmt.Sprintf("Invalid Name: %s. Workload name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name) return &field.Error{ Type: field.ErrorTypeForbidden, Field: "Name", diff --git a/src/operator/webhooks/protectedservices_webhook_v2alpha1.go b/src/operator/webhooks/protectedservices_webhook_v2alpha1.go index 8abad4b09..484a9d2f3 100644 --- a/src/operator/webhooks/protectedservices_webhook_v2alpha1.go +++ b/src/operator/webhooks/protectedservices_webhook_v2alpha1.go 
@@ -138,11 +138,11 @@ func (v *ProtectedServiceValidatorV2alpha1) validateNoDuplicateClients(
 func (v *ProtectedServiceValidatorV2alpha1) validateSpec(protectedService *otterizev2alpha1.ProtectedService) *field.Error {
 serviceName := strings.ReplaceAll(protectedService.Spec.Name, "-", "")
 serviceName = strings.ReplaceAll(serviceName, "_", "")
- // Validate Service Name contains only lowercase alphanumeric characters
- // Service name should be a valid RFC 1123 subdomain name
+ // Validate Workload Name contains only lowercase alphanumeric characters
+ // Workload name should be a valid RFC 1123 subdomain name
 // It's a namespaced resource, we do not expect resources in other namespaces
 if !govalidator.IsAlphanumeric(serviceName) || !govalidator.IsLowerCase(serviceName) {
- message := fmt.Sprintf("Invalid Name: %s. Service name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name)
+ message := fmt.Sprintf("Invalid Name: %s. Workload name must contain only lowercase alphanumeric characters, '-' or '_'", protectedService.Spec.Name)
 return &field.Error{
 Type: field.ErrorTypeForbidden,
 Field: "Name",
diff --git a/src/shared/awsagent/roles.go b/src/shared/awsagent/roles.go
index e9372358e..bd00ea9ba 100644
--- a/src/shared/awsagent/roles.go
+++ b/src/shared/awsagent/roles.go
@@ -462,7 +462,7 @@ func (a *Agent) generateTrustPolicyForRolesAnywhere(namespaceName, accountName s
 Effect: iamEffectAllow,
 Action: []string{"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"},
 Principal: map[string]string{
- "Service": "rolesanywhere.amazonaws.com",
+ "Workload": "rolesanywhere.amazonaws.com",
 },
 Condition: map[string]any{
 "StringEquals": map[string]string{
diff --git a/src/shared/otterizecloud/graphqlclient/schema.graphql b/src/shared/otterizecloud/graphqlclient/schema.graphql
index c015acc7c..7ea52235c 100644
--- a/src/shared/otterizecloud/graphqlclient/schema.graphql
+++ b/src/shared/otterizecloud/graphqlclient/schema.graphql
@@ -359,6 +359,7 @@ input ClientIntentStatusInput { type ClientIntentsFileRepresentation { fileName: String! + namespacedFileName: String! service: Service! rows: [ClientIntentsRow!]! content: String! @@ -505,6 +506,11 @@ type DashboardData { nonCompliantControls: Fraction! } +type DashboardV2 { + dashboard: DashboardData! + findings: [FindingSummaryV2!]! +} + type DatabaseConfig { dbname: String! table: String! @@ -712,6 +718,8 @@ type FeatureFlags { isCloudServicesDetectionEnabled: Boolean isCloudSecurityEnabled: Boolean useClientIntentsV2: Boolean + enableFindingsV2: Boolean + useTypedIntentsCTE: Boolean } type Finding { @@ -726,6 +734,7 @@ type Finding { status: FindingStatus! ignoredReason: String type: FindingType! + controlId: RegulationCode! } enum FindingStatus { @@ -768,11 +777,10 @@ type FindingSummaryV2 { validationDescription: String status: FindingStatus! ignoredReason: String - serviceTotalCount: Int! - serviceOpenCount: Int! - clusterTotalCount: Int! - clusterOpenCount: Int! + workloadFindingsStatus: StatusSummary! + clusterFindingStatus: StatusSummary! requirements: [FindingSummaryV2!] + wasOpen: Boolean! } """NEW findings""" @@ -981,6 +989,8 @@ input InputFeatureFlags { isCloudServicesDetectionEnabled: Boolean isCloudSecurityEnabled: Boolean useClientIntentsV2: Boolean + enableFindingsV2: Boolean + useTypedIntentsCTE: Boolean } """ Findings filter """ @@ -2052,6 +2062,9 @@ type Query { findingSummaryStatusHistory( leafControlIDs: [RegulationCode!]! ): [FindingStatusHistory!]! + dashboardV2( + filter: InputFindingFilter + ): DashboardV2! """List integrations""" integrations( name: String 
@@ -2453,6 +2466,14 @@ input StackFrame { package: String! } +type StatusSummary { + openCount: Int! + resolvedCount: Int! + ignoredCount: Int! + totalCount: Int! + status: FindingStatus! +} + """The `String`scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.""" scalar String diff --git a/src/shared/serviceidresolver/serviceidentity/serviceidentity.go b/src/shared/serviceidresolver/serviceidentity/serviceidentity.go index 297e3fedc..91c575eaa 100644 --- a/src/shared/serviceidresolver/serviceidentity/serviceidentity.go +++ b/src/shared/serviceidresolver/serviceidentity/serviceidentity.go @@ -22,7 +22,7 @@ type ServiceIdentity struct { OwnerObject client.Object } -const KindService = "Service" +const KindService = "Workload" const KindOtterizeLegacy = "OttrLegacy" func (si ServiceIdentity) GetFormattedOtterizeIdentityWithoutKind() string { diff --git a/src/shared/telemetries/telemetriesgql/schema.graphql b/src/shared/telemetries/telemetriesgql/schema.graphql index c015acc7c..7ea52235c 100644 --- a/src/shared/telemetries/telemetriesgql/schema.graphql +++ b/src/shared/telemetries/telemetriesgql/schema.graphql @@ -359,6 +359,7 @@ input ClientIntentStatusInput { type ClientIntentsFileRepresentation { fileName: String! + namespacedFileName: String! service: Service! rows: [ClientIntentsRow!]! content: String! @@ -505,6 +506,11 @@ type DashboardData { nonCompliantControls: Fraction! } +type DashboardV2 { + dashboard: DashboardData! + findings: [FindingSummaryV2!]! +} + type DatabaseConfig { dbname: String! table: String! @@ -712,6 +718,8 @@ type FeatureFlags { isCloudServicesDetectionEnabled: Boolean isCloudSecurityEnabled: Boolean useClientIntentsV2: Boolean + enableFindingsV2: Boolean + useTypedIntentsCTE: Boolean } type Finding { 
@@ -726,6 +734,7 @@ type Finding { status: FindingStatus! ignoredReason: String type: FindingType! + controlId: RegulationCode! } enum FindingStatus { @@ -768,11 +777,10 @@ type FindingSummaryV2 { validationDescription: String status: FindingStatus! ignoredReason: String - serviceTotalCount: Int! - serviceOpenCount: Int! - clusterTotalCount: Int! - clusterOpenCount: Int! + workloadFindingsStatus: StatusSummary! + clusterFindingStatus: StatusSummary! requirements: [FindingSummaryV2!] + wasOpen: Boolean! } """NEW findings""" @@ -981,6 +989,8 @@ input InputFeatureFlags { isCloudServicesDetectionEnabled: Boolean isCloudSecurityEnabled: Boolean useClientIntentsV2: Boolean + enableFindingsV2: Boolean + useTypedIntentsCTE: Boolean } """ Findings filter """ @@ -2052,6 +2062,9 @@ type Query { findingSummaryStatusHistory( leafControlIDs: [RegulationCode!]! ): [FindingStatusHistory!]! + dashboardV2( + filter: InputFindingFilter + ): DashboardV2! """List integrations""" integrations( name: String @@ -2453,6 +2466,14 @@ input StackFrame { package: String! } +type StatusSummary { + openCount: Int! + resolvedCount: Int! + ignoredCount: Int! + totalCount: Int! + status: FindingStatus! +} + """The `String`scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.""" scalar String From d7996dd3a9c9a0e3de812ccad3dc602bc6fe7b55 Mon Sep 17 00:00:00 2001 From: "omri.s" Date: Thu, 9 Jan 2025 14:46:48 +0200 Subject: [PATCH 2/3] fixup --- helm-charts | 2 +- .../controllers/intents_reconcilers/cloud_reconciler_test.go | 4 ++-- src/operator/controllers/istiopolicy/policy_manager.go | 2 +- src/shared/awsagent/roles.go | 2 +- .../serviceidresolver/serviceidentity/serviceidentity.go | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm-charts b/helm-charts index 436a69396..721c2e665 160000 --- a/helm-charts +++ b/helm-charts 
@@ -1 +1 @@
-Subproject commit 436a69396c6f14cab617b128bd04001eac5311ad
+Subproject commit 721c2e665bc29fb54f2728d2a8c5db0c636f0900
diff --git a/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go b/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go
index 62238d657..f9b096be4 100644
--- a/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go
+++ b/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go
@@ -821,7 +821,7 @@ func (s *CloudReconcilerTestSuite) TestReportKindAndAlias() {
 cloudIntent, err := intent.ConvertToCloudFormat(context.Background(), s.client, serviceidentity.ServiceIdentity{Name: clientName, Namespace: testNamespace, Kind: "StatefulSet"})
 s.Require().NoError(err)
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Deployment")
- s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + testNamespace), Kind: lo.ToPtr("Workload")})
+ s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + testNamespace), Kind: lo.ToPtr("Service")})
 s.Require().Equal(lo.FromPtr(cloudIntent.ClientWorkloadKind), "StatefulSet")
 }
@@ -832,7 +832,7 @@ func (s *CloudReconcilerTestSuite) TestReportTargetKubernetesAPIServiceWithNoSel
 cloudIntent, err := intent.ConvertToCloudFormat(context.Background(), s.client, serviceidentity.ServiceIdentity{Name: clientName, Namespace: testNamespace})
 s.Require().NoError(err)
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Workload")
- s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + serverNamespace), Kind: lo.ToPtr("Workload")})
+ s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + serverNamespace), Kind: lo.ToPtr("Service")})
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerNamespace), serverNamespace)
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerName), serverName)
 }
diff --git a/src/operator/controllers/istiopolicy/policy_manager.go b/src/operator/controllers/istiopolicy/policy_manager.go
index fdb0259a4..1b4f91ceb 100644
--- a/src/operator/controllers/istiopolicy/policy_manager.go
+++ b/src/operator/controllers/istiopolicy/policy_manager.go
@@ -321,7 +321,7 @@ func (c *PolicyManagerImpl) updateServiceAccountSharedStatus(ctx context.Context
 }
 if isServiceAccountShared {
- c.recorder.RecordWarningEventf(updatedIntents, ReasonSharedServiceAccount, "Workload account %s is shared and will also grant access to the following clients: %s", serviceAccount, clientsNames)
+ c.recorder.RecordWarningEventf(updatedIntents, ReasonSharedServiceAccount, "Service account %s is shared and will also grant access to the following clients: %s", serviceAccount, clientsNames)
 }
 }
 return nil
diff --git a/src/shared/awsagent/roles.go b/src/shared/awsagent/roles.go
index bd00ea9ba..e9372358e 100644
--- a/src/shared/awsagent/roles.go
+++ b/src/shared/awsagent/roles.go
@@ -462,7 +462,7 @@ func (a *Agent) generateTrustPolicyForRolesAnywhere(namespaceName, accountName s
 Effect: iamEffectAllow,
 Action: []string{"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"},
 Principal: map[string]string{
- "Workload": "rolesanywhere.amazonaws.com",
+ "Service": "rolesanywhere.amazonaws.com",
 },
 Condition: map[string]any{
 "StringEquals": map[string]string{
diff --git a/src/shared/serviceidresolver/serviceidentity/serviceidentity.go b/src/shared/serviceidresolver/serviceidentity/serviceidentity.go
index 91c575eaa..297e3fedc 100644
--- a/src/shared/serviceidresolver/serviceidentity/serviceidentity.go
+++ b/src/shared/serviceidresolver/serviceidentity/serviceidentity.go
@@ -22,7 +22,7 @@ type ServiceIdentity struct {
 OwnerObject client.Object
 }
-const KindService = "Workload"
+const KindService = "Service"
 const KindOtterizeLegacy = "OttrLegacy"
 func (si ServiceIdentity) GetFormattedOtterizeIdentityWithoutKind() string {
From b341117ae89569e7837e2dcd6b672b25f50830ef Mon Sep 17 00:00:00 2001
From: "omri.s"
Date: Thu, 9 Jan 2025 15:07:55 +0200
Subject: [PATCH 3/3] fixup
---
 .../controllers/intents_reconcilers/cloud_reconciler_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go b/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go
index f9b096be4..0774d756b 100644
--- a/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go
+++ b/src/operator/controllers/intents_reconcilers/cloud_reconciler_test.go
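Review bot: The key being restored on the `+` line is the AWS IAM policy-document principal type (`Principal.Service`), and nothing in the file marks it as such, which is how the blanket Service-to-Workload rename in the first patch of this series was able to emit a trust policy with a principal key IAM does not define (presumably rejected as a malformed policy document, leaving the Roles Anywhere role unusable). I would pin it with a why-comment above the map entry, `// "Service" is the IAM principal type key (Principal.Service): AWS policy schema, not an Otterize workload kind - do not rename`, and, unless one already exists outside this diff, add a unit test that marshals the output of generateTrustPolicyForRolesAnywhere and asserts it contains `"Service":"rolesanywhere.amazonaws.com"` so the next mechanical rename fails in CI rather than at role creation. generateTrustPolicyForRolesAnywhere starts and ends outside the hunk.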
@@ -831,7 +831,7 @@ func (s *CloudReconcilerTestSuite) TestReportTargetKubernetesAPIServiceWithNoSel
 intent := &otterizev2alpha1.Target{Service: &otterizev2alpha1.ServiceTarget{Name: fmt.Sprint(serverName, ".", serverNamespace)}}
 cloudIntent, err := intent.ConvertToCloudFormat(context.Background(), s.client, serviceidentity.ServiceIdentity{Name: clientName, Namespace: testNamespace})
 s.Require().NoError(err)
- s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Workload")
+ s.Require().Equal(lo.FromPtr(cloudIntent.ServerWorkloadKind), "Service")
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerAlias), graphqlclient.ServerAliasInput{Name: lo.ToPtr(serverName + "." + serverNamespace), Kind: lo.ToPtr("Service")})
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerNamespace), serverNamespace)
 s.Require().Equal(lo.FromPtr(cloudIntent.ServerName), serverName)
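Review bot: The literal `"Service"` restored on the `+` line is a value reported to the Otterize cloud (`ServerWorkloadKind`), yet the first patch of this series rewrote it together with `serviceidentity.KindService` and the test kept passing, so the assertion did not guard the wire contract it appears meant to guard. A why-comment on the assertion would at least make that intent visible to the next rename, e.g. `// "Service" is the kind the cloud API expects for a Kubernetes Service target; keep it a literal (not serviceidentity.KindService) so a change to the constant fails here`. The closing brace of the test function lies outside the hunk.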