✨ You can now enable delta bundles (#328)

Delta bundles can be set per system and on controller level
Bankdata · Aug 5, 2024 · cc2a6bd · cc2a6bd
1 parent e2e43c8
commit cc2a6bd
Show file tree

Hide file tree

Showing 17 changed files with 474 additions and 94 deletions.
diff --git a/api/config/v2alpha2/projectconfig_types.go b/api/config/v2alpha2/projectconfig_types.go
@@ -38,9 +38,12 @@ type ProjectConfig struct {
 	// protection if it is not set on the resource.
 	DeletionProtectionDefault bool `json:"deletionProtectionDefault"`
 
-	// ReadOnly sets the default values of ReadOnly for systems
+	// ReadOnly sets the value of ReadOnly for systems
 	ReadOnly bool `json:"readOnly"`
 
+	// EnableDeltaBundlesDefault sets the default of whether systems have delta-bundles or not
+	EnableDeltaBundlesDefault *bool `json:"enableDeltaBundlesDefault,omitempty"`
+
 	// DisableCRDWebhooks disables the CRD webhooks on the controller. If running
 	// multiple controllers in the same cluster, only one will need to have it's
 	// webhooks enabled.

diff --git a/api/config/v2alpha2/zz_generated.deepcopy.go b/api/config/v2alpha2/zz_generated.deepcopy.go
diff --git a/api/styra/v1beta1/system_types.go b/api/styra/v1beta1/system_types.go
@@ -29,6 +29,9 @@ type SystemSpec struct {
 	// System resource is deleted.
 	DeletionProtection *bool `json:"deletionProtection,omitempty"`
 
+	// EnableDeltaBundles decides whether DeltaBundles are enabled
+	EnableDeltaBundles *bool `json:"enableDeltaBundles,omitempty"`
+
 	// Subjects is the list of subjects which should have access to the system.
 	Subjects []Subject `json:"subjects,omitempty"`
 

diff --git a/api/styra/v1beta1/zz_generated.deepcopy.go b/api/styra/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/styra.bankdata.dk_systems.yaml b/config/crd/bases/styra.bankdata.dk_systems.yaml
@@ -198,6 +198,9 @@ spec:
                 required:
                 - status
                 type: object
+              enableDeltaBundles:
+                description: EnableDeltaBundles decides whether DeltaBundles are enabled
+                type: boolean
               localPlane:
                 description: |-
                   LocalPlane specifies how the Styra Local Plane should be configured. This is

diff --git a/config/default/config.yaml b/config/default/config.yaml
@@ -1,24 +1,25 @@
 apiVersion: config.bankdata.dk/v2alpha2
 kind: ProjectConfig
 #controllerClass:
-#deletionProtectionDefault:
+deletionProtectionDefault: false
 #disableCRDWebhooks:
 readOnly: true
 enableMigrations: false
+enableDeltaBundlesDefault: false # This does affect the thingy
 #gitCredentials:
 logLevel: 0
-leaderElection:
-  leaseDuration: "60s"
-  renewDeadline: "30s"
-  retryPeriod: "5s"
-notificationWebhooks:
-  systemDatasourceChanged: google.com
-  libraryDatasourceChanged: test.dk
+# leaderElection:
+#   leaseDuration: "60s"
+#   renewDeadline: "30s"
+#   retryPeriod: "5s"
+notificationWebhooks: {}
+  # systemDatasourceChanged: google.com
+  # libraryDatasourceChanged: test.dk
 #sentry:
 #sso:
 styra:
-  address: http://127.0.0.1:8080
-  token: token
+  address: styra-url.example.com
+  token: styra-token
 #  tokenSecretPath: /etc/styra-controller-token/styra_token
 #systemPrefix:
 #systemSuffix:

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: controller
-  newTag: latest
+  newTag: latest
diff --git a/config/samples/config_v2alpha2_projectconfig.yaml b/config/samples/config_v2alpha2_projectconfig.yaml
@@ -19,6 +19,9 @@ disableCRDWebhooks: false
 # disabled unless migrations need to be done.
 enableMigrations: false
 
+# enableDeltaBundlesDefault sets the default to use with regards to delta
+enableDeltaBundlesDefault: false
+
 # gitCredentials holds a list of git credential configurations. The repoPrefix
 # of the git credential will be matched angainst repository URL in order to
 # determine which credential to use. The git credential with the longest
@@ -78,3 +81,5 @@ systemSuffix: ""
 systemUserRoles: []
 # - SystemViewer
 # - SystemInstall
+
+readOnly: true
diff --git a/config/samples/styra_v1beta1_system.yaml b/config/samples/styra_v1beta1_system.yaml
@@ -9,4 +9,13 @@ metadata:
     app.kubernetes.io/created-by: styra-controller
   name: system-sample
 spec:
+  decisionMappings:
+    - allowed:
+        expected:
+          boolean: true
+        path: result.allowed
+      name: api/authz/decision
+      reason:
+        path: result.reasons
+
   # TODO(user): Add fields here
diff --git a/docs/apis/styra/v1alpha1.md b/docs/apis/styra/v1alpha1.md
@@ -864,5 +864,5 @@ GitRepo
 <hr/>
 <p><em>
 Generated with <code>gen-crd-api-reference-docs</code>
-on git commit <code>481d857</code>.
+on git commit <code>0db4900</code>.
 </em></p>
diff --git a/docs/apis/styra/v1beta1.md b/docs/apis/styra/v1beta1.md
@@ -858,6 +858,17 @@ System resource is deleted.</p>
 </tr>
 <tr>
 <td>
+<code>enableDeltaBundles</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>EnableDeltaBundles decides whether DeltaBundles are enabled</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>subjects</code><br/>
 <em>
 <a href="#styra.bankdata.dk/v1beta1.Subject">
@@ -1012,6 +1023,17 @@ System resource is deleted.</p>
 </tr>
 <tr>
 <td>
+<code>enableDeltaBundles</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>EnableDeltaBundles decides whether DeltaBundles are enabled</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>subjects</code><br/>
 <em>
 <a href="#styra.bankdata.dk/v1beta1.Subject">
@@ -1172,5 +1194,5 @@ System.</p>
 <hr/>
 <p><em>
 Generated with <code>gen-crd-api-reference-docs</code>
-on git commit <code>481d857</code>.
+on git commit <code>0db4900</code>.
 </em></p>
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -3,6 +3,7 @@ This document describes the different configuration options for the Styra Contro
 
 * `controllerClass`         
 * `deletionProtectionDefault`
+* `enableDeltaBundlesDefault`
 * `readOnly`
 * `disableCRDWebhooks`
 * `enableMigrations`
@@ -93,7 +94,12 @@ Only one controller per cluster should have webhooks (default and validating) en
 The controller can be configured to add a prefix and a suffix to the Systems names when created in Styra. This is achieved by setting `systemPrefix` and `systemSuffix`. 
 
 ## Delete Protection
-Custom Resources can have delete protection, means that they will not be deleted by the controller in Styra. The default can be configured by setting `deletionProtectionDefault`.
+Custom Resources can have delete protection, which means that they will not be deleted by the controller in Styra. The default can be configured by setting `deletionProtectionDefault`.
+
+## Delta Bundles
+Styra Systems can have enable Delta Bundles, which means Styra will upload the change between two bundles to the SLP/OPA rather than uploading the entire bundle. 
+The default can be configured by setting `enableDeltaBundlesDefault`.
+This is recommended to be set to true if all opas are version 0.44.0 or higher.
 
 ## Read Only
 Styra Systems can be read-only, meaning they cannot be changed in the Styra GUI. This can be configured by setting `readOnly`.

diff --git a/docs/design.md b/docs/design.md
@@ -39,6 +39,7 @@ spec:
       reason:
         path: result.reasons
   deletionProtection: true
+  enableDeltaBundles: true
   localPlane:
     name: styra-local-plane-example
   sourceControl:

diff --git a/internal/controller/styra/system_controller.go b/internal/controller/styra/system_controller.go
@@ -412,6 +412,9 @@ func (r *SystemReconciler) createSystem(
 	// created the git secret yet.
 	cfg.SourceControl = nil
 
+	// Styra does not seem to allow setting deltaBundles before the system is created
+	cfg.BundleDownload = nil
+
 	if log.V(1).Enabled() {
 		log := log.V(1)
 		bs, err := json.Marshal(cfg)
@@ -440,6 +443,7 @@ func (r *SystemReconciler) reconcileCredentials(
 	log.Info("Reconciling credentials")
 
 	if system.Spec.SourceControl == nil {
+		log.Info("No source control settings defined. Skipping credentials reconciliation")
 		return ctrl.Result{}, nil
 	}
 
@@ -453,6 +457,7 @@ func (r *SystemReconciler) reconcileCredentials(
 		}
 		username = gitCredential.User
 		password = gitCredential.Password
+
 	} else {
 		secretName := system.Spec.SourceControl.Origin.CredentialsSecretName
 		nsName := types.NamespacedName{
@@ -1055,7 +1060,6 @@ func (r *SystemReconciler) updateSystem(
 	system *v1beta1.System,
 ) (*styra.SystemConfig, error) {
 	log.Info("Updating system")
-
 	cfg := r.specToSystemConfig(system)
 
 	if log.V(1).Enabled() {
@@ -1090,6 +1094,18 @@ func (r *SystemReconciler) specToSystemConfig(system *v1beta1.System) *styra.Sys
 		ReadOnly: r.Config.ReadOnly,
 	}
 
+	enableDeltaBundles := true
+	if r.Config.EnableDeltaBundlesDefault != nil {
+		enableDeltaBundles = *r.Config.EnableDeltaBundlesDefault
+	}
+	if system.Spec.EnableDeltaBundles != nil {
+		enableDeltaBundles = *system.Spec.EnableDeltaBundles
+	}
+
+	cfg.BundleDownload = &styra.BundleDownloadConfig{
+		DeltaBundles: enableDeltaBundles,
+	}
+
 	if len(system.Spec.DecisionMappings) > 0 {
 		cfg.DecisionMappings = map[string]styra.DecisionMapping{}
 		for _, dm := range system.Spec.DecisionMappings {
@@ -1162,6 +1178,12 @@ func (r *SystemReconciler) systemNeedsUpdate(log logr.Logger, system *v1beta1.Sy
 	}
 
 	expectedModel := r.specToSystemConfig(system)
+
+	if cfg.BundleDownload == nil || cfg.BundleDownload.DeltaBundles != expectedModel.BundleDownload.DeltaBundles {
+		log.Info("System needs update: Deltabundle setting not equal")
+		return true
+	}
+
 	if !reflect.DeepEqual(expectedModel.SourceControl, cfg.SourceControl) {
 		log.Info("System needs update: source control is not equal")
 		return true
@@ -1178,7 +1200,6 @@ func (r *SystemReconciler) systemNeedsUpdate(log logr.Logger, system *v1beta1.Sy
 		log.Info("System needs update: decision mappings are not equal")
 		return true
 	}
-
 	return false
 }
 

diff --git a/pkg/styra/systems.go b/pkg/styra/systems.go
@@ -83,6 +83,7 @@ type SystemConfig struct {
 	Name                 string                     `json:"name"`
 	ReadOnly             bool                       `json:"read_only"`
 	SourceControl        *SourceControlConfig       `json:"source_control,omitempty"`
+	BundleDownload       *BundleDownloadConfig      `json:"bundle_download,omitempty"`
 	Type                 string                     `json:"type"`
 	ID                   string                     `json:"id"`
 	Datasources          []*DatasourceConfig        `json:"datasources,omitempty"`
@@ -100,6 +101,11 @@ type SourceControlConfig struct {
 	Origin GitRepoConfig `json:"origin"`
 }
 
+// BundleDownloadConfig defines the structure of a bundle deployment configuration.
+type BundleDownloadConfig struct {
+	DeltaBundles bool `json:"delta_bundles"`
+}
+
 // GitRepoConfig defines the structure of a git repo configuration.
 type GitRepoConfig struct {
 	Commit      string `json:"commit"`

diff --git a/test/integration/controller/controller_suite_test.go b/test/integration/controller/controller_suite_test.go
@@ -39,6 +39,7 @@ import (
 	styrav1beta1 "github.com/bankdata/styra-controller/api/styra/v1beta1"
 	styractrls "github.com/bankdata/styra-controller/internal/controller/styra"
 	webhookmocks "github.com/bankdata/styra-controller/internal/webhook/mocks"
+	"github.com/bankdata/styra-controller/pkg/ptr"
 	"github.com/bankdata/styra-controller/pkg/styra"
 	styraclientmock "github.com/bankdata/styra-controller/pkg/styra/mocks"
 	//+kubebuilder:scaffold:imports
@@ -109,7 +110,6 @@ var _ = ginkgo.BeforeSuite(func() {
 
 	styraClientMock = &styraclientmock.ClientInterface{}
 	webhookMock = &webhookmocks.Client{}
-
 	systemReconciler := styractrls.SystemReconciler{
 		Client:        k8sClient,
 		Scheme:        k8sManager.GetScheme(),
@@ -122,7 +122,8 @@ var _ = ginkgo.BeforeSuite(func() {
 				IdentityProvider: "AzureAD Bankdata",
 				JWTGroupsClaim:   "groups",
 			},
-			ReadOnly: true,
+			ReadOnly:                  true,
+			EnableDeltaBundlesDefault: ptr.Bool(false),
 		},
 	}