DBAAS-972 Grant access to the newly created database instance in Atlas Operator

Author: jianrongzhang89

config/dbaasprovider/dbaas_provider.yaml

@@ -64,3 +64,7 @@ spec:
       type: string
       required: false
       defaultValue: M0
+    - name: ipAccessList
+      displayName: List of IP Addresses or Ranges (Space Separated) to Access the Cluster
+      type: string
+      required: false

pkg/api/dbaas/mongodbatlasconnection_types.go

@@ -19,14 +19,14 @@ import (
 )
 
 const (
-	CloudProviderKey    = "providerName"
-	CloudRegionKey      = "regionName"
-	ProjectIDKey        = "projectID"
-	ProjectNameKey      = "projectName"
-	ProvisionPhaseKey   = "state"
-	InstanceSizeNameKey = "instanceSizeName"
-	ClusterNameKey      = "clusterName"
-
+	CloudProviderKey                = "providerName"
+	CloudRegionKey                  = "regionName"
+	ProjectIDKey                    = "projectID"
+	ProjectNameKey                  = "projectName"
+	ProvisionPhaseKey               = "state"
+	InstanceSizeNameKey             = "instanceSizeName"
+	ClusterNameKey                  = "clusterName"
+	IPAccessListKey                 = "ipAccessList"
 	ConnectionStringsStandardSrvKey = "connectionStringsStandardSrv"
 	InstanceIDKey                   = "instanceID"
 	HostKey                         = "host"

pkg/api/dbaas/mongodbatlasinstance_types.go

@@ -14,6 +14,10 @@ limitations under the License.
 package dbaas
 
 import (
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	dbaasv1alpha1 "github.com/RHEcosystemAppEng/dbaas-operator/api/v1alpha1"
@@ -94,3 +98,27 @@ func GetInstanceCondition(inv *MongoDBAtlasInstance, condType string) *metav1.Co
 	}
 	return nil
 }
+
+type IP struct {
+	Query string
+}
+
+// GetPublicIP returns the static outbound public IP of the OpenShift Cluster
+// Or when the operator runs locally, the h
+func GetPublicIP() (string, error) {
+	req, err := http.Get("http://ip-api.com/json/")
+	if err != nil {
+		return "", err
+	}
+	defer req.Body.Close()
+	body, err := ioutil.ReadAll(req.Body)
+	if err != nil {
+		return "", err
+	}
+	var ip IP
+	err = json.Unmarshal(body, &ip)
+	if err != nil {
+		return "", err
+	}
+	return ip.Query, nil
+}

pkg/controller/atlasinstance/atlasinstance_controller.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"strings"
 	"time"
 
@@ -84,6 +85,7 @@ type InstanceData struct {
 	ProviderName     string
 	RegionName       string
 	InstanceSizeName string
+	IPAccessList     string
 }
 
 const (
@@ -349,6 +351,11 @@ func (r *MongoDBAtlasInstanceReconciler) getAtlasProjectForCreation(instance *db
 	if err := r.Client.Get(context.Background(), *inventory.ConnectionSecretObjectKey(), secret); err != nil {
 		return nil, err
 	}
+
+	accessList, err := parseIPAccessList(data.IPAccessList)
+	if err != nil {
+		return nil, err
+	}
 	return &v1.AtlasProject{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "atlas-project-",
@@ -366,7 +373,7 @@ func (r *MongoDBAtlasInstanceReconciler) getAtlasProjectForCreation(instance *db
 		Spec: v1.AtlasProjectSpec{
 			Name:                data.ProjectName,
 			ConnectionSecret:    &common.ResourceRef{Name: inventory.Spec.CredentialsRef.Name},
-			ProjectIPAccessList: []project.IPAccessList{},
+			ProjectIPAccessList: accessList,
 		},
 	}, nil
 }
@@ -468,12 +475,24 @@ func getInstanceData(log *zap.SugaredLogger, inst *dbaas.MongoDBAtlasInstance) (
 		instanceSizeName = "M0"
 	}
 
+	accessIP, ok := inst.Spec.OtherInstanceParams[dbaas.IPAccessListKey]
+	if !ok || len(strings.TrimSpace(accessIP)) == 0 {
+		ip, err := dbaas.GetPublicIP()
+		if err != nil {
+			log.Infof("Failed to get the public IP")
+			return nil, err
+		}
+		accessIP = ip
+		log.Infof("%v is missing, current IP %s is used.", dbaas.IPAccessListKey, accessIP)
+	}
+
 	return &InstanceData{
 		ProjectName:      strings.TrimSpace(projectName),
 		ClusterName:      name,
 		ProviderName:     provider,
 		RegionName:       region,
 		InstanceSizeName: strings.TrimSpace(instanceSizeName),
+		IPAccessList:     strings.TrimSpace(accessIP),
 	}, nil
 }
 
@@ -521,3 +540,22 @@ func setInstanceStatusWithDeploymentInfo(atlasClient *mongodbatlas.Client, inst
 	}
 	return false, result
 }
+
+func parseIPAccessList(accessListStr string) ([]project.IPAccessList, error) {
+	accessList := []project.IPAccessList{}
+	ranges := strings.Split(accessListStr, " ")
+	for _, r := range ranges {
+		ip := net.ParseIP(r)
+		if ip != nil {
+			accessList = append(accessList, project.IPAccessList{IPAddress: r})
+		} else {
+			_, _, err := net.ParseCIDR(r)
+			if err == nil {
+				accessList = append(accessList, project.IPAccessList{CIDRBlock: r})
+			} else {
+				return nil, fmt.Errorf("parsing error for ip or ip range: %s", r)
+			}
+		}
+	}
+	return accessList, nil
+}

pkg/controller/atlasinstance/atlasinstance_test.go

@@ -53,21 +53,38 @@ func TestGetInstanceData(t *testing.T) {
 		providerName        string
 		regionName          string
 		instanceSizeName    string
+		ipAccessList        string
 		expProviderName     string
 		expRegionName       string
 		expInstanceSizeName string
 		expErrMsg           string
+		expIPAccessList     string
 	}{
 		"Nominal": {
 			deploymentName:      "myDeployment",
 			projectName:         "myProject",
 			providerName:        "GCP",
 			regionName:          "GCP_REGION",
 			instanceSizeName:    "M10",
+			ipAccessList:        "192.168.0.1",
 			expProviderName:     "GCP",
 			expRegionName:       "GCP_REGION",
 			expInstanceSizeName: "M10",
 			expErrMsg:           "",
+			expIPAccessList:     "192.168.0.1",
+		},
+		"NominalWithCIDR": {
+			deploymentName:      "myDeployment",
+			projectName:         "myProject",
+			providerName:        "GCP",
+			regionName:          "GCP_REGION",
+			instanceSizeName:    "M10",
+			ipAccessList:        "192.168.0.1/24",
+			expProviderName:     "GCP",
+			expRegionName:       "GCP_REGION",
+			expInstanceSizeName: "M10",
+			expErrMsg:           "",
+			expIPAccessList:     "192.168.0.1/24",
 		},
 		"MissingDeploymentName": {
 			deploymentName:      "",
@@ -101,6 +118,7 @@ func TestGetInstanceData(t *testing.T) {
 			expRegionName:       "AWS_REGION",
 			expInstanceSizeName: "M10",
 			expErrMsg:           "",
+			expIPAccessList:     "52.206.222.245/32",
 		},
 		"UseDefaultRegion": {
 			deploymentName:      "myDeployment",
@@ -112,6 +130,7 @@ func TestGetInstanceData(t *testing.T) {
 			expRegionName:       "US_EAST_1",
 			expInstanceSizeName: "M10",
 			expErrMsg:           "",
+			expIPAccessList:     "0.0.0.0/0",
 		},
 		"UseDefaultInstanceSizeName": {
 			deploymentName:      "myDeployment",
@@ -123,6 +142,7 @@ func TestGetInstanceData(t *testing.T) {
 			expRegionName:       "US_EAST_1",
 			expInstanceSizeName: "M0",
 			expErrMsg:           "",
+			expIPAccessList:     "52.206.222.245/32",
 		},
 	}
 
@@ -148,6 +168,7 @@ func TestGetInstanceData(t *testing.T) {
 					OtherInstanceParams: map[string]string{
 						"projectName":      tc.projectName,
 						"instanceSizeName": tc.instanceSizeName,
+						"ipAccessList":     tc.expIPAccessList,
 					},
 				},
 			}
@@ -158,6 +179,7 @@ func TestGetInstanceData(t *testing.T) {
 				ProviderName:     tc.expProviderName,
 				RegionName:       tc.expRegionName,
 				InstanceSizeName: tc.expInstanceSizeName,
+				IPAccessList:     tc.expIPAccessList,
 			}
 			res, err := getInstanceData(log, instance)
 			if len(tc.expErrMsg) == 0 {
@@ -384,6 +406,7 @@ func TestAtlasInstanceReconcile(t *testing.T) {
 	tcName := "mytest"
 	deploymentName := "mydeploymentnew"
 	projectName := "myproject"
+	ipAccessList := "52.206.222.245/32"
 	expectedPhase := dbaasv1alpha1.InstancePhasePending
 	expectedErrString := "CLUSTER_NOT_FOUND"
 	expectedRequeue := true
@@ -436,7 +459,8 @@ func TestAtlasInstanceReconcile(t *testing.T) {
 				Namespace: inventory.Namespace,
 			},
 			OtherInstanceParams: map[string]string{
-				"projectName": projectName,
+				"projectName":  projectName,
+				"ipAccessList": ipAccessList,
 			},
 		},
 	}
@@ -470,11 +494,18 @@ func TestAtlasInstanceReconcile(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, expectedPhase, instanceUpdated.Status.Phase)
 
+	// Verify that the AtlasProject created has ipAccessList set
+	atlasProject, err := r.getAtlasProject(context.Background(), instance)
+	assert.NoError(t, err)
+	assert.NotNil(t, atlasProject)
+	assert.NotEmpty(t, atlasProject.Spec.ProjectIPAccessList)
+	assert.Equal(t, atlasProject.Spec.ProjectIPAccessList[0].CIDRBlock, ipAccessList)
+
 	// After an instance is deleted, the corresponding atlas project should be deleted
 	delEvent := event.DeleteEvent{Object: instance}
 	err = r.Delete(delEvent)
 	assert.NoError(t, err)
-	atlasProject, err := r.getAtlasProject(context.Background(), instance)
+	atlasProject, err = r.getAtlasProject(context.Background(), instance)
 	assert.NoError(t, err)
 	assert.Nil(t, atlasProject)
 }

pkg/controller/dbaasprovider/dbaasprovider_reconciler.go

@@ -44,6 +44,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/dbaas"
 )
 
 const (
@@ -164,6 +166,17 @@ func (r *DBaaSProviderReconciler) getAtlasProviderCR(clusterRoleList *rbac.Clust
 	if err != nil {
 		return nil, err
 	}
+
+	for ind, spec := range instance.Spec.InstanceParameterSpecs {
+		if spec.Name == dbaas.IPAccessListKey {
+			ip, err := dbaas.GetPublicIP()
+			if err != nil {
+				return nil, err
+			}
+			spec.DefaultValue = ip
+			instance.Spec.InstanceParameterSpecs[ind] = spec
+		}
+	}
 	instance.ObjectMeta.OwnerReferences = []metav1.OwnerReference{
 		{
 			APIVersion:         "rbac.authorization.k8s.io/v1",