Adds support for tls certs in authorino

Makefile

@@ -119,7 +119,7 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
-AUTHORINO_VERSION=v0.4.0
+AUTHORINO_VERSION=v0.5.0
 install-authorino: kustomize ## install RBAC and CRD for authorino
 	$(eval TMP := $(shell mktemp -d))
 	cd $(TMP); git clone --depth 1 --branch $(AUTHORINO_VERSION) https://github.com/kuadrant/authorino.git

api/v1beta1/authorino_types.go

@@ -17,7 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
-	apiv1 "k8s.io/api/core/v1"
+	k8score "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -32,22 +32,28 @@ const (
 	AuthorinoContainerName string        = "authorino"
 
 	// Authorino EnvVars
-	WatchNamespace          string = "WATCH_NAMESPACE"
-	ExtAuthGRPCPort         string = "EXT_AUTH_GRPC_PORT"
-	TLSCertPath             string = "TLS_CERT"
-	TLSCertKeyPath          string = "TLS_CERT_KEY"
-	OIDCHTTPPort            string = "OIDC_HTTP_PORT"
-	OIDCTLSCertPath         string = "OIDC_TLS_CERT"
-	OIDCTLSCertKeyPath      string = "OIDC_TLS_CERT_KEY"
-	AuthConfigLabelSelector string = "AUTH_CONFIG_LABEL_SELECTOR"
-	SecretLabelSelector     string = "SECRET_LABEL_SELECTOR"
+	WatchNamespace           string = "WATCH_NAMESPACE"
+	ExtAuthGRPCPort          string = "EXT_AUTH_GRPC_PORT"
+	EnvVarTlsCert            string = "TLS_CERT"
+	EnvVarTlsCertKey         string = "TLS_CERT_KEY"
+	OIDCHTTPPort             string = "OIDC_HTTP_PORT"
+	EnvVarOidcTlsCertPath    string = "OIDC_TLS_CERT"
+	EnvVarOidcTlsCertKeyPath string = "OIDC_TLS_CERT_KEY"
+	AuthConfigLabelSelector  string = "AUTH_CONFIG_LABEL_SELECTOR"
+	SecretLabelSelector      string = "SECRET_LABEL_SELECTOR"
+
+	// Authorino TLS file paths
+	DefaultTlsCertPath        string = "/etc/ssl/certs/tls.crt"
+	DefaultTlsCertKeyPath     string = "/etc/ssl/private/tls.key"
+	DefaultOidcTlsCertPath    string = "/etc/ssl/certs/oidc.crt"
+	DefaultOidcTlsCertKeyPath string = "/etc/ssl/private/oidc.key"
 )
 
 type Condition struct {
 	// Type of condition
 	Type ConditionType `json:"type"`
 	// Status of the condition, one of True, False, Unknown.
-	Status apiv1.ConditionStatus `json:"status"`
+	Status k8score.ConditionStatus `json:"status"`
 	// Last time the condition transit from one status to another.
 	// +optional
 	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
@@ -78,16 +84,18 @@ type AuthorinoSpec struct {
 }
 
 type Listener struct {
-	Port        *int32 `json:"port,omitempty"`
-	Tls         bool   `json:"tsl,omitempty"`
-	CertPath    string `json:"certPath,omitempty"`
-	CertKeyPath string `json:"certKeyPath,omitempty"`
+	Port *int32 `json:"port,omitempty"`
+	Tls  Tls    `json:"tls,omitempty"`
 }
 
 type OIDCServer struct {
-	Port        *int32 `json:"port,omitempty"`
-	CertPath    string `json:"certPath,omitempty"`
-	CertKeyPath string `json:"certKeyPath,omitempty"`
+	Port *int32 `json:"port,omitempty"`
+	Tls  Tls    `json:"tls,omitempty"`
+}
+
+type Tls struct {
+	Enabled        *bool  `json:"enabled,omitempty"`
+	CertSecretName string `json:"certSecretName"`
 }
 
 // AuthorinoStatus defines the observed state of Authorino

config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml

@@ -46,25 +46,33 @@ spec:
                 type: string
               listener:
                 properties:
-                  certKeyPath:
-                    type: string
-                  certPath:
-                    type: string
                   port:
                     format: int32
                     type: integer
-                  tsl:
-                    type: boolean
+                  tls:
+                    properties:
+                      certSecretName:
+                        type: string
+                      enabled:
+                        type: boolean
+                    required:
+                    - certSecretName
+                    type: object
                 type: object
               oidcServer:
                 properties:
-                  certKeyPath:
-                    type: string
-                  certPath:
-                    type: string
                   port:
                     format: int32
                     type: integer
+                  tls:
+                    properties:
+                      certSecretName:
+                        type: string
+                      enabled:
+                        type: boolean
+                    required:
+                    - certSecretName
+                    type: object
                 type: object
               replicas:
                 format: int32

config/manager/manager.yaml

@@ -30,6 +30,7 @@ spec:
         args:
         - --leader-elect
         image: controller:latest
+        imagePullPolicy: IfNotPresent
         name: manager
         securityContext:
           allowPrivilegeEscalation: false

config/samples/authorino-operator_v1beta1_authorino.yaml

@@ -10,10 +10,11 @@ spec:
   clusterWide: true
   listener:
     port: 
-    tsl: true
-    certPath: ""
-    certKeyPath: ""
+    # tls:
+    #   enabled: true # default
+    #   certSecretName: authorino-cert # secret must contain `tls.crt` and `tls.key` entries
   oidcServer:
-    port: 
-    certPath: ""
-    certKeyPath: ""
+    port:
+    # tls:
+    #   enabled: true # default
+    #   certSecretName: authorino-cert # secret must contain `tls.crt` and `tls.key` entries

controllers/authorino_controller.go

@@ -44,6 +44,11 @@ type AuthorinoReconciler struct {
 	Scheme *runtime.Scheme
 }
 
+const (
+	tlsCertName     string = "tls-cert"
+	oidcTlsCertName string = "oidc-cert"
+)
+
 //+kubebuilder:rbac:groups=operator.authorino.kuadrant.io,resources=authorinos,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=operator.authorino.kuadrant.io,resources=authorinos/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=operator.authorino.kuadrant.io,resources=authorinos/finalizers,verbs=update
@@ -220,24 +225,72 @@ func (r *AuthorinoReconciler) buildAuthorinoDeployment(authorino *api.Authorino)
 				},
 				Spec: k8score.PodSpec{
 					ServiceAccountName: prefix + "-authorino",
-					Containers: []k8score.Container{
-						{
-							Image:           authorino.Spec.Image,
-							ImagePullPolicy: k8score.PullPolicy(authorino.Spec.ImagePullPolicy),
-							Name:            api.AuthorinoContainerName,
-							Env:             r.buildAuthorinoEnv(authorino),
-						},
-					},
 				},
 			},
 		},
 	}
 
+	authorinoContainer := k8score.Container{
+		Image:           authorino.Spec.Image,
+		ImagePullPolicy: k8score.PullPolicy(authorino.Spec.ImagePullPolicy),
+		Name:            api.AuthorinoContainerName,
+		Env:             r.buildAuthorinoEnv(authorino),
+	}
+
+	if enabled := authorino.Spec.Listener.Tls.Enabled; enabled == nil || *enabled {
+		secretName := authorino.Spec.Listener.Tls.CertSecretName
+		authorinoContainer.VolumeMounts = append(authorinoContainer.VolumeMounts,
+			buildTlsVolumeMount(tlsCertName, api.DefaultTlsCertPath, api.DefaultTlsCertKeyPath)...,
+		)
+		dep.Spec.Template.Spec.Volumes = append(dep.Spec.Template.Spec.Volumes,
+			buildTlsVolume(tlsCertName, secretName),
+		)
+	}
+
+	if enabled := authorino.Spec.OIDCServer.Tls.Enabled; enabled == nil || *enabled {
+		secretName := authorino.Spec.OIDCServer.Tls.CertSecretName
+		authorinoContainer.VolumeMounts = append(authorinoContainer.VolumeMounts,
+			buildTlsVolumeMount(oidcTlsCertName, api.DefaultOidcTlsCertPath, api.DefaultOidcTlsCertKeyPath)...,
+		)
+		dep.Spec.Template.Spec.Volumes = append(dep.Spec.Template.Spec.Volumes,
+			buildTlsVolume(oidcTlsCertName, secretName),
+		)
+	}
+	dep.Spec.Template.Spec.Containers = append(dep.Spec.Template.Spec.Containers, authorinoContainer)
+
 	ctrl.SetControllerReference(authorino, dep, r.Scheme)
 
 	return dep
 }
 
+func buildTlsVolume(certName, secretName string) k8score.Volume {
+	return k8score.Volume{
+		Name: certName,
+		VolumeSource: k8score.VolumeSource{
+			Secret: &k8score.SecretVolumeSource{
+				SecretName: secretName,
+			},
+		},
+	}
+}
+
+func buildTlsVolumeMount(certName, certPath, certKeyPath string) []k8score.VolumeMount {
+	return []k8score.VolumeMount{
+		{
+			Name:      certName,
+			MountPath: certPath,
+			SubPath:   "tls.crt",
+			ReadOnly:  true,
+		},
+		{
+			Name:      certName,
+			MountPath: certKeyPath,
+			SubPath:   "tls.key",
+			ReadOnly:  true,
+		},
+	}
+}
+
 func (r *AuthorinoReconciler) buildAuthorinoEnv(authorino *api.Authorino) []k8score.EnvVar {
 	envVar := []k8score.EnvVar{}
 
@@ -266,39 +319,37 @@ func (r *AuthorinoReconciler) buildAuthorinoEnv(authorino *api.Authorino) []k8sc
 	if authorino.Spec.Listener.Port != nil {
 		envVar = append(envVar, k8score.EnvVar{
 			Name:  api.ExtAuthGRPCPort,
-			Value: fmt.Sprint(authorino.Spec.Listener.Port),
+			Value: fmt.Sprintf("%v", *authorino.Spec.Listener.Port),
 		})
 	}
-	if authorino.Spec.Listener.CertPath != "" {
+
+	if enabled := authorino.Spec.Listener.Tls.Enabled; enabled == nil || *enabled {
 		envVar = append(envVar, k8score.EnvVar{
-			Name:  api.TLSCertPath,
-			Value: authorino.Spec.Listener.CertPath,
+			Name:  api.EnvVarTlsCert,
+			Value: api.DefaultTlsCertPath,
 		})
-	}
-	if authorino.Spec.Listener.CertKeyPath != "" {
+
 		envVar = append(envVar, k8score.EnvVar{
-			Name:  api.TLSCertKeyPath,
-			Value: authorino.Spec.Listener.CertKeyPath,
+			Name:  api.EnvVarTlsCertKey,
+			Value: api.DefaultTlsCertKeyPath,
 		})
 	}
 
 	// OIDC service
 	if authorino.Spec.OIDCServer.Port != nil {
 		envVar = append(envVar, k8score.EnvVar{
 			Name:  api.OIDCHTTPPort,
-			Value: fmt.Sprint(authorino.Spec.OIDCServer.Port),
+			Value: fmt.Sprintf("%v", *authorino.Spec.OIDCServer.Port),
 		})
 	}
-	if authorino.Spec.OIDCServer.CertKeyPath != "" {
+	if enabled := authorino.Spec.OIDCServer.Tls.Enabled; enabled == nil || *enabled {
 		envVar = append(envVar, k8score.EnvVar{
-			Name:  api.OIDCTLSCertPath,
-			Value: authorino.Spec.OIDCServer.CertPath,
+			Name:  api.EnvVarOidcTlsCertPath,
+			Value: api.DefaultOidcTlsCertPath,
 		})
-	}
-	if authorino.Spec.OIDCServer.CertKeyPath != "" {
 		envVar = append(envVar, k8score.EnvVar{
-			Name:  api.OIDCTLSCertKeyPath,
-			Value: authorino.Spec.OIDCServer.CertKeyPath,
+			Name:  api.EnvVarOidcTlsCertKeyPath,
+			Value: api.DefaultOidcTlsCertKeyPath,
 		})
 	}
 
@@ -330,12 +381,29 @@ func (r *AuthorinoReconciler) authorinoDeploymentChanges(existingDeployment, des
 	// checking envvars
 	existingEnvvars := existingContainer.Env
 	desiredEnvvars := desiredContainer.Env
-	for envIndex, existingEnvvar := range existingEnvvars {
-		desiredEnvvar := desiredEnvvars[envIndex]
-		if existingEnvvar.Name == desiredEnvvar.Name && existingEnvvar.Value != desiredEnvvar.Value {
-			changed = true
+	for _, desiredEnvvar := range desiredEnvvars {
+		for _, existingEnvvar := range existingEnvvars {
+			if existingEnvvar.Name == desiredEnvvar.Name && existingEnvvar.Value != desiredEnvvar.Value {
+				changed = true
+				break
+			}
+		}
+	}
+
+	// checking volume
+	existingVolumes := existingDeployment.Spec.Template.Spec.Volumes
+	desiredVolumes := desiredDeployment.Spec.Template.Spec.Volumes
+	for _, desiredVolume := range desiredVolumes {
+		if desiredVolume.Name == tlsCertName || desiredVolume.Name == oidcTlsCertName {
+			for _, existingVolume := range existingVolumes {
+				if existingVolume.Name == tlsCertName || desiredVolume.Name == oidcTlsCertName && existingVolume.VolumeSource.Secret.SecretName != desiredVolume.VolumeSource.Secret.SecretName {
+					changed = true
+					break
+				}
+			}
 		}
 	}
+
 	return changed
 }