[Fixes #195] Adding vendors support #275
Conversation
scotwells
left a comment
scotwells
left a comment
There was a problem hiding this comment.
We should introduce a new API group for vendors since it's separate from generic resource management. Overall looking good, just a few comments / recommendations.
pkg/apis/resourcemanager/v1alpha1/corporationtypeconfig_types.go
Outdated
Show resolved
Hide resolved
pkg/apis/resourcemanager/v1alpha1/corporationtypeconfig_types.go
Outdated
Show resolved
Hide resolved
|
@scotwells wanna give it another round? |
|
@JoseSzycho wanna take a look? |
## ✨ Autofixed 1 outdated doc(s) This pull was automatically generated by Joggr to fix 1 outdated doc(s) due to code changes in pull #275 ### Fixed docs The following docs were fixed: - `docs/api/resourcemanager.md`: Vendor-related CRDs and APIs have moved from resourcemanager.miloapis.com to a new vendors.miloapis.com API group, so the documentation here needed to make this explicitly clear and refer users to the new vendor API documentation for those types. ### How to fix To fix the docs, you can either: 1. Merge this pull request into your pull request to fix the docs 2. Wait for your pull request to be merged and then merge this pull request into your base branch --- Powered by [Joggr](https://joggr.ai?utm_source=gh&utm_medium=gh&utm_campaign=ghapr&utm_id=ghapr) - The documentation assistant for your codebase.
## ✨ Autofixed 1 outdated doc(s) This pull was automatically generated by Joggr to fix 1 outdated doc(s) due to code changes in pull #275 ### Fixed docs The following docs were fixed: - `docs/api/infrastructure.md`: The documentation was outdated because it documented 'Vendor' and 'CorporationTypeConfig' in the 'resourcemanager.miloapis.com/v1alpha1' API group, but these resources have been completely moved and restructured in the new 'vendors.miloapis.com/v1alpha1' group with a new design. All references to them in this doc must be deleted. ### How to fix To fix the docs, you can either: 1. Merge this pull request into your pull request to fix the docs 2. Wait for your pull request to be merged and then merge this pull request into your base branch --- Powered by [Joggr](https://joggr.ai?utm_source=gh&utm_medium=gh&utm_campaign=ghapr&utm_id=ghapr) - The documentation assistant for your codebase.
There was a problem hiding this comment.
We should use the task generate command to generate documentation based on the API types instead of manually modifying these files.
docs/api/resourcemanager.md
Outdated
| **Important:** | ||
|
|
||
| > As of this release, all vendor-related resources—including Vendor, VendorTypeDefinition, VendorVerification, and CorporationTypeConfig—have been moved from the `resourcemanager.miloapis.com/v1alpha1` API group to the new `vendors.miloapis.com/v1alpha1` API group. | ||
| > | ||
| > This document *only* covers resource types that remain in the `resourcemanager.miloapis.com/v1alpha1` API group (such as Organization, OrganizationMembership, and Project). | ||
| > | ||
| > For vendor management and vendor type APIs, see the [vendors.miloapis.com API documentation](./vendors-api-group.md). | ||
There was a problem hiding this comment.
I'm confused by this section of the documentation. Was this something that AI added after moving the vendors stuff to a new API type? This document is automatically generated by task generate.
| func GetTaxIdFromSecret(ctx context.Context, c client.Client, vendor *Vendor, taxIdRef TaxIdReference) (string, error) { | ||
| // Determine the namespace for the Secret | ||
| namespace := taxIdRef.Namespace | ||
| if namespace == "" { | ||
| namespace = vendor.Namespace | ||
| if namespace == "" { | ||
| namespace = "default" // fallback for cluster-scoped resources | ||
| } | ||
| } | ||
|
|
||
| // Get the Secret | ||
| secret := &corev1.Secret{} | ||
| secretKey := types.NamespacedName{ | ||
| Name: taxIdRef.SecretName, | ||
| Namespace: namespace, | ||
| } | ||
|
|
||
| if err := c.Get(ctx, secretKey, secret); err != nil { | ||
| return "", fmt.Errorf("failed to get secret %s/%s: %w", namespace, taxIdRef.SecretName, err) | ||
| } | ||
|
|
||
| // Extract the tax ID from the Secret | ||
| taxIdBytes, exists := secret.Data[taxIdRef.SecretKey] | ||
| if !exists { | ||
| return "", fmt.Errorf("key %s not found in secret %s/%s", taxIdRef.SecretKey, namespace, taxIdRef.SecretName) | ||
| } | ||
|
|
||
| return string(taxIdBytes), nil | ||
| } |
There was a problem hiding this comment.
We should leave the pkg/apis/vendors package to API type definitions only. Any helper functions like this should be put in the controller package where they're used.
docs/api/tax-id-secrets.md
Outdated
There was a problem hiding this comment.
Thoughts on moving this to a guide document (maybe under docs/guides/vendors/?) and not something in the api reference folder? Seems like this should be a guide on how to create secrets for tax ID numbers to use with vendors. I'd expect a general design document to talk about why we're using secrets for tax IDs.
We should also reduce the usage of the term "Kubernetes" in the document since it's really a concept in Milo we're using.
docs/api/tax-id-secrets.md
Outdated
| ## Migration from Plain Text | ||
| If you have existing vendors with plain text tax IDs: | ||
| 1. **Create secrets** for each vendor's tax ID | ||
| 2. **Update vendor resources** to use `TaxIdRef` instead of `TaxId` | ||
| 3. **Verify secrets** are accessible and contain correct data | ||
| 4. **Test validation** to ensure everything works | ||
|
|
||
| ### Migration Script Example | ||
|
|
||
| ```bash | ||
| #!/bin/bash | ||
| # Extract tax IDs and create secrets | ||
| kubectl get vendors -o json | jq -r '.items[] | select(.spec.taxInfo.taxId) | "\(.metadata.name) \(.spec.taxInfo.taxId)"' | while read vendor_name tax_id; do | ||
| # Create secret | ||
| kubectl create secret generic "${vendor_name}-tax-id" \ | ||
| --from-literal=tax-id="$tax_id" \ | ||
| --namespace=default | ||
| # Add labels | ||
| kubectl label secret "${vendor_name}-tax-id" \ | ||
| vendor.miloapis.com/vendor="$vendor_name" \ | ||
| vendor.miloapis.com/type=tax-id | ||
| done |
There was a problem hiding this comment.
Not sure this is needed? There's no migrations needed since this functionality hasn't gone to production yet.
docs/api/tax-id-secrets.md
Outdated
| ## Security Considerations | ||
|
|
||
| ### 1. **RBAC Configuration** | ||
| Ensure proper RBAC for secret access: | ||
| ```yaml | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: Role | ||
| metadata: | ||
| name: vendor-secret-reader | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["get", "list"] | ||
| resourceNames: ["*-tax-id"] # Restrict to tax ID secrets | ||
| ``` | ||
|
|
||
| ### 2. **Network Policies** | ||
| Consider network policies to restrict secret access: | ||
| ```yaml | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: restrict-secret-access | ||
| spec: | ||
| podSelector: {} | ||
| policyTypes: | ||
| - Ingress | ||
| ingress: | ||
| - from: | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| name: vendor-controllers | ||
| ``` |
There was a problem hiding this comment.
This shouldn't be needed? Standard k8s RBAC / Network Policies aren't used with Milo. The network policy APIs aren't even available.
| // Whether this verification is required for vendor activation | ||
| // +kubebuilder:default=true | ||
| Required bool `json:"required"` |
There was a problem hiding this comment.
How is this field expected to be used?
| // Timestamp when verification was completed | ||
| // +optional | ||
| CompletedAt *metav1.Time `json:"completedAt,omitempty"` |
There was a problem hiding this comment.
Wouldn't this match the creation timestamp of the VendorVerification type?
| // Last error message if verification failed | ||
| // +optional | ||
| LastError string `json:"lastError,omitempty"` |
There was a problem hiding this comment.
Wouldn't this be duplicated by data showing up in the status conditions?
| // Number of verification attempts | ||
| // +optional | ||
| AttemptCount int32 `json:"attemptCount,omitempty"` |
There was a problem hiding this comment.
Wouldn't the VendorVerification type being created indicate the vendor is verified? How does this value get incremented?
mustela
force-pushed
the
adding_vendors
branch
from
eaa5946 to
6016c57
Compare
mustela
force-pushed
the
adding_vendors
branch
from
7280f05 to
6e3a5a8
Compare
|
@scotwells would you mind to give it another try? |
No description provided.