Implemented support for TLS and ServerCA handling for cloudmemorystore #513
Conversation
There was a problem hiding this comment.
Code change looks good to me.
Hey @Feggah and @hasheddan
Is there anything more than approval required here?
|
Hey @Feggah |
You need to follow the new member process to be added to the Crossplane organization. Here is an example of when I was added as maintainer. I'm unsure if the process is exactly the same because this repository was under the crossplane organization at that time. As it's in crossplane-contrib now, maybe @jbw976 could help to understand if the process is different for community providers today 🙂 |
|
Thanks, I thought something was missing. I'll go ahead and create the issue as described in that doc, operating under the assumption that the process hasn't changed. |
|
I just took a look into this and found a couple issues:
|
|
Thanks @jbw976 ! Hey @andrewj-a42 Please review the lint and check-diff failures. |
|
Thanks @dee0sap for the note on check-diff. I have just addressed those lint problems and locally it is clean now. |
|
Hey @hasheddan and @Feggah This all looks good to me but as this would be my first merge I want to give you guys the chance to double check things before I push the button. So I'll let this set for a day. |
There was a problem hiding this comment.
Thanks for the PR! I added some comments mainly to emphasize our "code guidelines" for providers.
Other than that, not specifically to this PR, but a general tip that is important IMHO: I would recommend always striving for test cases where the want and args structs have the resource.Managed field.
This is important to test that the main functions (Observe, Create, Update) are modifying the Managed Resource structure as expected.
For example, check the test cases for the CloudSQL:
provider-gcp/pkg/controller/database/cloudsql_test.go
Lines 151 to 158 in 8760d8c
With this structure, we can validate that the expected modifications to the Managed Resource are happening. Test case example:
Note that the returned spec from the GCP API has
BackupConfigurationStartTimeset. On the Managed Resource side, it didn't have this field set. So we could validate that if the API returned the fieldBackupConfigurationStartTimeand it wasn't set on the MR, it would be late-initialized.
| // +optional | ||
| TransitEncryptionMode string `json:"transitEncryptionMode,omitempty"` |
There was a problem hiding this comment.
We have a guideline to use pointers for optional fields in the Parameters struct. So this field should be:
| // +optional | |
| TransitEncryptionMode string `json:"transitEncryptionMode,omitempty"` | |
| // +optional | |
| TransitEncryptionMode *string `json:"transitEncryptionMode,omitempty"` |
| // Cert is the certificate in the PEM format. | ||
| Cert string `json:"cert,omitempty"` | ||
|
|
||
| // CreateTime: Output only. The time when the certificate was created in | ||
| // RFC 3339 (https://tools.ietf.org/html/rfc3339) format, for example | ||
| // `2020-05-18T00:00:00.094Z`. | ||
| CreateTime string `json:"createTime,omitempty"` | ||
|
|
||
| // ExpireTime: Output only. The time when the certificate expires in RFC | ||
| // 3339 (https://tools.ietf.org/html/rfc3339) format, for example | ||
| // `2020-05-18T00:00:00.094Z`. | ||
| ExpireTime string `json:"expireTime,omitempty"` | ||
|
|
||
| // SerialNumber: Serial number, as extracted from the certificate. | ||
| SerialNumber string `json:"serialNumber,omitempty"` | ||
|
|
||
| // Sha1Fingerprint: Sha1 Fingerprint of the certificate. | ||
| Sha1Fingerprint string `json:"sha1Fingerprint,omitempty"` |
There was a problem hiding this comment.
Just a comment here to clarify the difference between the
Parametersstruct:
Setting omitempty and non-pointer fields in the Observation struct is correct 👍🏼
| // ServerCaCerts: Output only. List of server CA certificates for the | ||
| // instance. | ||
| ServerCaCerts []*ServerCACertsObservation `json:"serverCaCerts,omitempty"` |
There was a problem hiding this comment.
Generally, we don't use pointers in the Observation struct. If there isn't a specific reason for it, I would recommend changing to:
| // ServerCaCerts: Output only. List of server CA certificates for the | |
| // instance. | |
| ServerCaCerts []*ServerCACertsObservation `json:"serverCaCerts,omitempty"` | |
| // ServerCaCerts: Output only. List of server CA certificates for the | |
| // instance. | |
| ServerCaCerts []ServerCACertsObservation `json:"serverCaCerts,omitempty"` |
Signed-off-by: Andrew Jakubowski <[email protected]>
|
I just applied the above suggestions related to usage of pointers. |
|
Thanks much @Feggah ! |
|
Oh, a question @Feggah How and when are releases done? I just searched the markdown in this repo and didn't find any statement about that. FYI over in provider-aws there is a statement that they do a release every month. That's not the exact wording, but that is the gist. |
We don't have an official definition of that for this provider. We kind of did releases as the necessity arose. Feel free to suggest a frequency or release version as needed 🙂 |
|
Thanks @Feggah My teammates and I will discuss next week some time and then reach out to you. |
Description of your changes
The change is adding support for enabling 'SERVER_AUTHENTICATION' for the TransitEncryptionMode.
The code is setting the value of TransitEncryptionMode field for gcp client and is observing serverCACerts field.
As soon as the instance is provisioned and CA is generated it is added to the managed resource to the atProvider section.
Fixes #
I have:
make reviewable testto ensure this PR is ready for review.How has this code been tested
This code was tested by building a fresh image and deploying it to a dev cluster with crossplane pod up and running.
Successful cloudMemoryStore provisioning was performed and with TransitEncryptionMode field set to 'SERVER_AUTHENTICATION' value, the redis provisioning process generated server CA certificate which became part of 'atProvider' section of the managed resource.