adyanth · adyanth · Dec 15, 2022 · Dec 19, 2022 · Apr 10, 2023
diff --git a/PROJECT b/PROJECT
@@ -30,4 +30,13 @@ resources:
   kind: ClusterTunnel
   path: github.com/adyanth/cloudflare-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: cfargotunnel.com
+  group: networking
+  kind: AccessService
+  path: github.com/adyanth/cloudflare-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/api/v1alpha1/accessservice_types.go b/api/v1alpha1/accessservice_types.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// AccessServiceSpec defines the desired state of AccessService
+type AccessServiceSpec struct {
+	// FQDN to connect to for the TCP tunnel
+	//+kubebuilder:validation:Required
+	Hostname string `json:"hostname"`
+
+	// Protocol defines the protocol to use, only TCP for now, default
+	//+kubebuilder:validation:Enum:="tcp";"udp"
+	//+kubebuilder:default="tcp"
+	Protocol string `json:"protocol"`
+
+	// Port defines the port for the service to listen on
+	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Maximum:=65535
+	Port int32 `json:"port"`
+
+	// ServiceName defines the name of the service for this port to be exposed on
+	//+kubebuilder:validation:Required
+	ServiceName string `json:"serviceName"`
+
+	// Replicas defines the number of cloudflared access replicas to run
+	Replicas int32 `json:"replicas"`
+}
+
+// AccessServiceStatus defines the observed state of AccessService
+type AccessServiceStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// AccessService is the Schema for the accessservices API
+type AccessService struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AccessServiceSpec   `json:"spec,omitempty"`
+	Status AccessServiceStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// AccessServiceList contains a list of AccessService
+type AccessServiceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AccessService `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&AccessService{}, &AccessServiceList{})
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/networking.cfargotunnel.com_accessservices.yaml b/config/crd/bases/networking.cfargotunnel.com_accessservices.yaml
@@ -0,0 +1,85 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: accessservices.networking.cfargotunnel.com
+spec:
+  group: networking.cfargotunnel.com
+  names:
+    kind: AccessService
+    listKind: AccessServiceList
+    plural: accessservices
+    singular: accessservice
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: AccessService is the Schema for the accessservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AccessServiceSpec defines the desired state of AccessService
+            properties:
+              hostname:
+                description: FQDN to connect to for the TCP tunnel
+                type: string
+              port:
+                description: Port defines the port for the service to listen on
+                format: int32
+                maximum: 65535
+                minimum: 1
+                type: integer
+              protocol:
+                default: tcp
+                description: Protocol defines the protocol to use, only TCP for now,
+                  default
+                enum:
+                - tcp
+                - udp
+                type: string
+              replicas:
+                description: Replicas defines the number of cloudflared access replicas
+                  to run
+                format: int32
+                type: integer
+              serviceName:
+                description: ServiceName defines the name of the service for this
+                  port to be exposed on
+                type: string
+            required:
+            - hostname
+            - port
+            - protocol
+            - replicas
+            - serviceName
+            type: object
+          status:
+            description: AccessServiceStatus defines the observed state of AccessService
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - bases/networking.cfargotunnel.com_tunnels.yaml
 - bases/networking.cfargotunnel.com_clustertunnels.yaml
 - bases/networking.cfargotunnel.com_tunnelbindings.yaml
+- bases/networking.cfargotunnel.com_accessservices.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -13,13 +14,15 @@ patchesStrategicMerge:
 #- patches/webhook_in_tunnels.yaml
 #- patches/webhook_in_clustertunnels.yaml
 #- patches/webhook_in_tunnelbindings.yaml
+#- patches/webhook_in_accessservices.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_tunnels.yaml
 #- patches/cainjection_in_clustertunnels.yaml
 #- patches/cainjection_in_tunnelbindings.yaml
+#- patches/cainjection_in_accessservices.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/patches/cainjection_in_accessservices.yaml b/config/crd/patches/cainjection_in_accessservices.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: accessservices.networking.cfargotunnel.com
diff --git a/config/crd/patches/webhook_in_accessservices.yaml b/config/crd/patches/webhook_in_accessservices.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: accessservices.networking.cfargotunnel.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1
diff --git a/config/rbac/accessservice_editor_role.yaml b/config/rbac/accessservice_editor_role.yaml
@@ -0,0 +1,31 @@
+# permissions for end users to edit accessservices.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: accessservice-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: cloudflare-operator
+    app.kubernetes.io/part-of: cloudflare-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: accessservice-editor-role
+rules:
+- apiGroups:
+  - networking.cfargotunnel.com
+  resources:
+  - accessservices
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - networking.cfargotunnel.com
+  resources:
+  - accessservices/status
+  verbs:
+  - get
diff --git a/config/rbac/accessservice_viewer_role.yaml b/config/rbac/accessservice_viewer_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to view accessservices.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: accessservice-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: cloudflare-operator
+    app.kubernetes.io/part-of: cloudflare-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: accessservice-viewer-role
+rules:
+- apiGroups:
+  - networking.cfargotunnel.com
+  resources:
+  - accessservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.cfargotunnel.com
+  resources:
+  - accessservices/status
+  verbs:
+  - get