Add Azure and GCP ingress access point and gateway support #3283
Elango Jagadeesan (ejagade) wants to merge 9 commits into main from
🎉 All Contributor License Agreements have been signed. Ready to merge.
Pull request overview
Adds Azure and GCP ingress support to the CLI’s networking gateways and access-point private-link ingress endpoints, updating the ccloud v2 clients to use the newer “internal” SDKs and expanding the test backend/fixtures accordingly.
Changes:
- Add Azure ingress Private Link + GCP ingress Private Service Connect gateway + access-point ingress endpoint support.
- Update ccloudv2 gateway/access-point list filtering to use MultipleSearchFilter types from the new SDKs.
- Expand integration test backend handlers and golden fixtures for the new gateway/access point types.
Reviewed changes
Copilot reviewed 75 out of 77 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| test/test-server/networking_handlers.go | Extends mock API responses to include Azure/GCP ingress gateway + access-point resources. |
| test/network_test.go | Adds integration tests covering new Azure/GCP ingress create/update/describe/delete flows. |
| test/fixtures/output/network/gateway/update.golden | Updates expected gateway update output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/list.golden | Updates expected gateway list output with new columns/rows for Azure/GCP ingress. |
| test/fixtures/output/network/gateway/list-json.golden | Updates JSON list output with Azure/GCP ingress gateway fields. |
| test/fixtures/output/network/gateway/list-filter-type.golden | Updates filtered list expectation (now “None found.”). |
| test/fixtures/output/network/gateway/list-filter-region.golden | Updates filtered list expectation (now “None found.”). |
| test/fixtures/output/network/gateway/list-filter-phase.golden | Updates filtered list expectation (now “None found.”). |
| test/fixtures/output/network/gateway/list-filter-name.golden | Updates filtered list expectation (now “None found.”). |
| test/fixtures/output/network/gateway/list-filter-multiple.golden | Updates filtered list expectation (now “None found.”). |
| test/fixtures/output/network/gateway/list-filter-id.golden | Updates filtered list expectation (now “None found.”). |
| test/fixtures/output/network/gateway/describe-gcp.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-gcp-ingress.golden | Adds expected output for describing a GCP ingress PSC gateway. |
| test/fixtures/output/network/gateway/describe-gcp-dns-peering.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-azure.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-azure-ingress.golden | Adds expected output for describing an Azure ingress Private Link gateway. |
| test/fixtures/output/network/gateway/describe-aws.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-aws-private-network-interface.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-aws-json.golden | Updates expected describe JSON output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-aws-ingress.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-aws-ingress-json.golden | Updates expected describe JSON output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/describe-autocomplete.golden | Updates autocomplete output to include new gateway IDs. |
| test/fixtures/output/network/gateway/delete.golden | Updates expected delete output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/delete-multiple.golden | Updates expected delete-multiple output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/delete-fail.golden | Updates expected delete-fail output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/delete-azure-ingress.golden | Adds expected delete output for Azure ingress gateway. |
| test/fixtures/output/network/gateway/delete-azure-ingress-multiple.golden | Adds expected delete output for multiple gateways including Azure ingress. |
| test/fixtures/output/network/gateway/create-type-autocomplete.golden | Updates create-type autocomplete to include ingress PSC type. |
| test/fixtures/output/network/gateway/create-gcp-ingress.golden | Adds expected create output for GCP ingress PSC gateway. |
| test/fixtures/output/network/gateway/create-azure-ingress.golden | Adds expected create output for Azure ingress Private Link gateway. |
| test/fixtures/output/network/gateway/create-aws.golden | Updates expected create output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/create-aws-private-network-interface.golden | Updates expected create output (now includes coverage warning line). |
| test/fixtures/output/network/gateway/create-aws-ingress.golden | Updates expected create output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/update-gcp.golden | Adds expected update output for GCP ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/update-azure.golden | Adds expected update output for Azure ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/update-aws.golden | Updates expected update output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/update-autocomplete.golden | Updates update autocomplete output to include Azure/GCP ingress endpoints. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/list.golden | Updates ingress endpoint list output to include Azure/GCP columns/rows. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/list-json.golden | Updates JSON list output to include Azure/GCP ingress endpoint fields. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-gcp.golden | Adds expected describe output for GCP ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-gcp-json.golden | Adds expected describe JSON output for GCP ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-azure.golden | Adds expected describe output for Azure ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-azure-json.golden | Adds expected describe JSON output for Azure ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-aws.golden | Updates expected describe output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-aws-json.golden | Updates expected describe JSON output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/describe-autocomplete.golden | Updates describe autocomplete output to include Azure/GCP ingress endpoints. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/delete.golden | Updates expected delete output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/delete-multiple.golden | Updates expected delete-multiple output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/delete-fail.golden | Updates expected delete-fail output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/delete-autocomplete.golden | Updates delete autocomplete output to include Azure/GCP ingress endpoints. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/create-gcp.golden | Adds expected create output for GCP ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/create-azure.golden | Adds expected create output for Azure ingress endpoint. |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/create-aws.golden | Updates expected create output (now includes coverage warning line). |
| test/fixtures/output/network/access-point/private-link/ingress-endpoint/create-aws-name.golden | Updates expected create output (now includes coverage warning line). |
| pkg/ccloudv2/networking_access_point.go | Switches list filters to new MultipleSearchFilter request types. |
| pkg/ccloudv2/networking-gateway.go | Switches gateway list filters to new MultipleSearchFilter request types. |
| pkg/ccloudv2/client.go | Updates imports to the new internal networking access-point/gateway SDKs. |
| internal/network/command_gateway_update.go | Updates gateway update command to new internal gateway SDK import. |
| internal/network/command_gateway_list.go | Extends gateway list output for Azure/GCP ingress fields and type handling. |
| internal/network/command_gateway_create.go | Adds Azure/GCP ingress gateway create support and updates cloud flag handling. |
| internal/network/command_gateway.go | Adds new gateway type constants and output fields for Azure/GCP ingress. |
| internal/network/command_dns_record_update.go | Updates imports to new internal access-point SDK. |
| internal/network/command_dns_record_create.go | Updates imports to new internal access-point SDK. |
| internal/network/command_dns_record.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_network_interface_update.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_network_interface_create.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_network_interface.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_link_ingress_endpoint_update.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_link_ingress_endpoint_list.go | Extends ingress endpoint list output to include Azure/GCP types/fields. |
| internal/network/command_access_point_private_link_ingress_endpoint_create.go | Adds Azure/GCP ingress endpoint create flags and config mapping. |
| internal/network/command_access_point_private_link_ingress_endpoint.go | Extends ingress endpoint output schema + autocomplete filtering for Azure/GCP. |
| internal/network/command_access_point_private_link_egress_endpoint_update.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_link_egress_endpoint_create.go | Updates imports to new internal access-point SDK. |
| internal/network/command_access_point_private_link_egress_endpoint.go | Updates imports to new internal access-point SDK. |
| go.sum | Adds sums for new internal networking SDK modules. |
| go.mod | Switches networking gateway/access-point dependencies to internal SDK modules. |
| .gitignore | Ignores newly added mock-test/ directory. |
| }, | ||
| } | ||
| } | ||
| } |
| if names != nil { | ||
| req = req.SpecDisplayName(names) | ||
| req = req.SpecDisplayName(networkingaccesspointv1.MultipleSearchFilter{Items: names}) | ||
| } |
| if listParameters.Gateways != nil { | ||
| req = req.SpecGateway(listParameters.Gateways) | ||
| req = req.SpecGateway(networkingaccesspointv1.MultipleSearchFilter{Items: listParameters.Gateways}) | ||
| } | ||
|
|
||
| if listParameters.Domains != nil { | ||
| req = req.SpecDomain(listParameters.Domains) | ||
| req = req.SpecDomain(networkingaccesspointv1.MultipleSearchFilter{Items: listParameters.Domains}) | ||
| } | ||
|
|
||
| if listParameters.Names != nil { | ||
| req = req.SpecDisplayName(listParameters.Names) | ||
| req = req.SpecDisplayName(networkingaccesspointv1.MultipleSearchFilter{Items: listParameters.Names}) | ||
| } | ||
|
|
||
| if listParameters.ResourceIds != nil { | ||
| req = req.Resource(listParameters.ResourceIds) | ||
| req = req.Resource(networkingaccesspointv1.MultipleSearchFilter{Items: listParameters.ResourceIds}) | ||
| } |
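Review bot: The != nil guards on Gateways, Domains, Names and ResourceIds in this hunk let a non-nil empty slice through, so the request would carry a MultipleSearchFilter whose Items list is empty. Checking len(listParameters.Gateways) > 0 (and the same for the other three fields, and for names in the hunk above) keeps empty filters off the request now that the slice is wrapped in a struct.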
| gatewayList := networkinggatewayv1.NetworkingV1GatewayList{Data: []networkinggatewayv1.NetworkingV1Gateway{gatewayOne, gatewayTwo, gatewayThree, gatewayFour, gatewayFive, gatewaySix, gatewaySeven, gatewayEight, gatewayNine, gatewayTen}} | ||
| gatewayList.Data = filterGatewayList(gatewayList.Data, gatewayTypes, ids, regions, displayNames, phases) | ||
| setPageToken(&gatewayList, &gatewayList.Metadata, r.URL) |
| warning: GOCOVERDIR not set, no coverage data emitted | ||
| None found. |
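Review bot: The expected output here is now None found., and the file summary shows the same change for all six list-filter fixtures, so cases such as network gateway list --id gw-12345 no longer assert that a filter returns the matching gateway. Before regenerating these fixtures, check that filterGatewayList in the mock handler still receives the types, ids, regions, names and phases in the form the new MultipleSearchFilter arguments are sent, and keep at least one matching row in each expected output.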
| warning: GOCOVERDIR not set, no coverage data emitted | ||
| ID | Name | Environment | Region | Type | AWS Principal ARN | VPC Endpoint Service Name | Azure Subscription | Azure Private Link Service | Azure Private Link Resource ID | GCP IAM Principal | GCP Project | GCP PSC Service Attachment | Phase | Zones | Account | Error Message | ||
| | | | | | | | | Alias | | | | | | | | |
Steven Gagniere (sgagniere)
left a comment
Thanks for the PR! Here's a few comments:
| if ingressEndpoint.Status.Config != nil && ingressEndpoint.Status.Config.NetworkingV1GcpIngressPrivateServiceConnectEndpointStatus != nil { | ||
| out.GcpPrivateServiceConnectServiceAttachment = ingressEndpoint.Status.Config.NetworkingV1GcpIngressPrivateServiceConnectEndpointStatus.GetPrivateServiceConnectServiceAttachment() | ||
| out.GcpPrivateServiceConnectConnectionId = ingressEndpoint.Status.Config.NetworkingV1GcpIngressPrivateServiceConnectEndpointStatus.GetPrivateServiceConnectConnectionId() | ||
| if ingressEndpoint.Status.Config.NetworkingV1GcpIngressPrivateServiceConnectEndpointStatus.HasDnsDomain() { |
Nitpick: This guard is probably unnecessary since GetDnsDomain will return empty string if it's not set.
| @@ -1 +1,2 @@ | |||
| warning: GOCOVERDIR not set, no coverage data emitted | |||
We'll want to remove these lines.
Running make integration-test should automatically export this var and remove this warning.
Add CRUD support for GcpIngressPrivateServiceConnectGateway using the ccloud-sdk-go-v2-internal/networking-gateway v0.12.0 SDK. Includes create, describe, list, and delete operations with golden file test coverage. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The mock-test/ directory contains a stateful gateway mock server and manual CLI tests intended for local development only. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Switch networking-access-point SDK from public v0.8.0 to internal v0.12.0, which adds NetworkingV1AzureIngressPrivateLinkEndpoint and NetworkingV1GcpIngressPrivateServiceConnectEndpoint types
- Add Azure ingress gateway type (ingress-privatelink) to gateway create/describe/list commands
- Add --cloud azure/gcp support to ingress-endpoint create with --private-endpoint-resource-id (Azure) and --private-service-connect-connection-id (GCP) flags
- Display Azure Private Link Service Alias/Resource IDs and GCP PSC Service Attachment/Connection ID in ingress-endpoint describe and list
- Update autocomplete, test server handlers, and golden fixtures
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The networking API uses GcpEgressPrivateLink and GcpIngressPrivateLink, but the CLI was using GcpEgressPrivateServiceConnect and GcpIngressPrivateServiceConnect, causing type filtering to fail. Accept both gcp-*-privatelink and gcp-*-private-service-connect as input for backward compatibility. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… names The API accepts GcpEgressPrivateLink/GcpIngressPrivateLink for type filtering, but the CLI only accepted gcp-*-private-service-connect. Now accepts both gcp-*-privatelink and gcp-*-private-service-connect as filter input, while keeping GcpEgressPrivateServiceConnect and GcpIngressPrivateServiceConnect as the displayed type names. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use go.mod replace directives for internal SDK instead of changing all import paths, remove unnecessary HasDnsDomain guards, and strip GOCOVERDIR warnings from golden files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
41fa433 to ddd2d41
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cynthia Qin (cqin-confluent)
left a comment
Looks good overall! Left a few inline comments, most are minor UX/validation
Also, could you extend the manual test pages with one additional case, and add integration tests for negative validation?
- Manual test: Run gateway list --types azure-ingress-privatelink and confirm the existing Azure gateway is returned (similar to what's in the GCP testing doc).
- Integration tests: The current tests only cover happy-path filter cases. Could we add tests for these broken-command scenarios? As regression coverage for the validation fix discussed inline:
# cloud/type mismatch
gateway create --cloud aws --type ingress-private-service-connect
# wrong-cloud flag
ingress-endpoint create --cloud azure --vpc-endpoint-id <aws-id>
# two cloud-specific flags together
ingress-endpoint create --cloud aws --vpc-endpoint-id <id> --private-endpoint-resource-id <id>
| "gcp-egress-privatelink": "GcpEgressPrivateLink", | ||
| "gcp-ingress-privatelink": "GcpIngressPrivateLink", | ||
| "gcp-egress-private-service-connect": "GcpEgressPrivateLink", | ||
| "gcp-ingress-private-service-connect": "GcpIngressPrivateLink", |
These map values use a string the SDK doesn't define. Could you change L41-42 to reference gcpEgressPrivateServiceConnect / gcpIngressPrivateServiceConnect? The bug-bash GCP page already captured the API rejection:
Error: Invalid gateway type: {[GcpIngressPrivateServiceConnect]}
There was a problem hiding this comment.
Fixed — gcp-egress-private-service-connect and gcp-ingress-private-service-connect now reference gcpEgressPrivateServiceConnect and gcpIngressPrivateServiceConnect constants.
There was a problem hiding this comment.
Let's include GCP as option since this PR adds --cloud gcp support
| cmd.Flags().String("region", "", "AWS, Azure, or GCP region of the gateway.") |
There was a problem hiding this comment.
Fixed — updated to "AWS, Azure, or GCP region of the gateway."
| func (s *CLITestSuite) TestNetworkGatewayList() { | ||
| tests := []CLITest{ | ||
| {args: "network gateway list", fixture: "network/gateway/list.golden"}, | ||
| {args: "network gateway list --output json", fixture: "network/gateway/list-json.golden"}, | ||
| {args: "network gateway list --types aws-egress-privatelink", fixture: "network/gateway/list-filter-type.golden"}, | ||
| {args: "network gateway list --id gw-12345", fixture: "network/gateway/list-filter-id.golden"}, | ||
| {args: "network gateway list --region us-east-1", fixture: "network/gateway/list-filter-region.golden"}, | ||
| {args: "network gateway list --display-name my-aws-gateway", fixture: "network/gateway/list-filter-name.golden"}, | ||
| {args: "network gateway list --phase READY", fixture: "network/gateway/list-filter-phase.golden"}, | ||
| {args: "network gateway list --types aws-egress-privatelink --id gw-12345 --region us-east-1 --phase READY", fixture: "network/gateway/list-filter-multiple.golden"}, | ||
| } |
Could we add test cases to cover filtering by the new azure-ingress-privatelink and gcp-ingress-private-service-connect types?
There was a problem hiding this comment.
Added test cases for --types azure-ingress-privatelink and --types gcp-ingress-private-service-connect with generated golden files.
| createGatewayTypes = []string{"egress-privatelink", "ingress-privatelink", "private-network-interface"} | ||
| listGatewayTypes = []string{"aws-egress-privatelink", "aws-ingress-privatelink", "azure-egress-privatelink", "gcp-egress-private-service-connect"} // TODO: check if we accept private-network-interface here | ||
| createGatewayTypes = []string{"egress-privatelink", "ingress-privatelink", "private-network-interface", "ingress-private-service-connect"} |
Could we add "ingress-private-service-connect" to createGatewayTypes to include GCP type?
There was a problem hiding this comment.
Already present in createGatewayTypes — ingress-private-service-connect was added in a previous commit.
|
|
||
| cobra.CheckErr(cmd.MarkFlagRequired("cloud")) | ||
| cobra.CheckErr(cmd.MarkFlagRequired("gateway")) | ||
| cobra.CheckErr(cmd.MarkFlagRequired("vpc-endpoint-id")) |
After we add GCP and Azure to the existing AWS support, each cloud's required-flag check would silently accept wrong-cloud flags (e.g. --private-endpoint-resource-id with --cloud gcp).
Could we:
- Add cmd.MarkFlagsMutuallyExclusive("vpc-endpoint-id", "private-endpoint-resource-id", "private-service-connect-connection-id") to catch the scenario of two flags set together.
- In each cloud's branch, reject flags that belong to the other clouds. For example, in AWS branch:
case pcloud.Aws:
	if vpcEndpointId == "" {
		return fmt.Errorf(`"--vpc-endpoint-id" is required for --cloud aws`)
	}
	if privateEndpointResourceId != "" || privateServiceConnectConnectionId != "" {
		return fmt.Errorf(`"--private-endpoint-resource-id" and "--private-service-connect-connection-id" are not valid for --cloud aws; use "--vpc-endpoint-id"`)
	}
That would give users a precise error message at parse time instead of passing downstream.
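The cross-cloud checks requested above, together with the three broken commands listed earlier in this review, generalized from the AWS branch to all three clouds as an added example (not code from this PR or the CLI). The function names and the ingress type-to-cloud table are assumptions; only the flag and type names come from the thread.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// cloudFlag: cloud -> its one endpoint flag (names from this PR; code is hypothetical).
var cloudFlag = map[string]string{
	"aws":   "vpc-endpoint-id",
	"azure": "private-endpoint-resource-id",
	"gcp":   "private-service-connect-connection-id",
}

// ingressTypeClouds is an assumption limited to the ingress types named in this thread.
var ingressTypeClouds = map[string][]string{
	"ingress-privatelink":             {"aws", "azure"},
	"ingress-private-service-connect": {"gcp"},
}

// validateIngressEndpointFlags checks the cloud-specific flags of
// "ingress-endpoint create"; set holds flag name -> value as passed.
func validateIngressEndpointFlags(cloud string, set map[string]string) error {
	cloud = strings.ToLower(cloud)
	want, ok := cloudFlag[cloud]
	if !ok {
		return fmt.Errorf("unsupported --cloud %q", cloud)
	}
	var foreign []string // flags that belong to a different cloud
	for c, name := range cloudFlag {
		if c != cloud && set[name] != "" {
			foreign = append(foreign, "--"+name)
		}
	}
	if len(foreign) > 0 {
		sort.Strings(foreign) // stable message regardless of map order
		return fmt.Errorf("%s not valid for --cloud %s; use --%s",
			strings.Join(foreign, ", "), cloud, want)
	}
	if set[want] == "" {
		return fmt.Errorf("--%s is required for --cloud %s", want, cloud)
	}
	return nil
}

// validateIngressGatewayType rejects a cloud/type mismatch on "gateway create".
func validateIngressGatewayType(cloud, gatewayType string) error {
	clouds, ok := ingressTypeClouds[gatewayType]
	if !ok {
		return fmt.Errorf("unknown ingress gateway type %q", gatewayType)
	}
	for _, c := range clouds {
		if c == strings.ToLower(cloud) {
			return nil
		}
	}
	return fmt.Errorf("--type %s is not valid for --cloud %s (valid: %s)",
		gatewayType, cloud, strings.Join(clouds, ", "))
}

func main() {
	// Constructed inputs mirroring the three broken commands in the review.
	fmt.Println(validateIngressGatewayType("aws", "ingress-private-service-connect"))
	fmt.Println(validateIngressEndpointFlags("azure", map[string]string{"vpc-endpoint-id": "vpce-constructed"}))
	fmt.Println(validateIngressEndpointFlags("aws", map[string]string{
		"vpc-endpoint-id": "vpce-constructed", "private-endpoint-resource-id": "constructed-id"}))
}
```

The wrong-cloud check runs before the required-flag check so that a user who passes another cloud's flag is told which flag to use instead of only that one is missing.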
There was a problem hiding this comment.
Fixed — added MarkFlagsMutuallyExclusive for the three cloud-specific flags, and each cloud branch now explicitly rejects flags belonging to the other clouds with a clear error message.
- Fix GCP gateway type map to use correct constants for gcp-egress/ingress-private-service-connect
- Update region flag description to include GCP
- Add list filter test cases for azure-ingress-privatelink and gcp-ingress-private-service-connect types
- Add cross-cloud flag validation and MarkFlagsMutuallyExclusive for ingress endpoint create
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Addressed all review feedback from Cynthia Qin (@cqin-confluent) in this PR:
Summary
Adds support for Azure and GCP ingress access points and gateways to the CLI.
Changes
Testing
Updated test fixtures to include Azure and GCP ingress endpoint and gateway scenarios.