Authorino Reconciler

.dockerignore

@@ -3,3 +3,6 @@
 !**/*.go
 !**/*.mod
 !**/*.sum
+# Ignore build and test binaries.
+bin/
+testbin/

.github/workflows/build-latest.yaml

@@ -0,0 +1,36 @@
+name: Build and push image
+on:
+  push:
+    branches:
+      - 'main'
+      - 'master'
+
+jobs:
+  build:
+    name: Build and push image
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build Image
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: authorino-operator
+          tags: latest ${{ github.sha }}
+          dockerfiles: |
+            ./Dockerfile
+
+      - name: Push To quay.io
+        id: push-to-quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: quay.io/3scale
+          username: 3scale+authorino_github
+          password: ${{ secrets.REGISTRY_AUTH_TOKEN }}
+
+      - name: Print Image URL
+        run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"

.gitignore

@@ -23,3 +23,6 @@ testbin/*
 *.swp
 *.swo
 *~
+
+# Vendor dependencies
+vendor

Makefile

@@ -28,17 +28,23 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 # This variable is used to construct full image tags for bundle and catalog images.
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
-# authorino.3scale.net/authorino-operator-bundle:$VERSION and authorino.3scale.net/authorino-operator-catalog:$VERSION.
-IMAGE_TAG_BASE ?= authorino.3scale.net/authorino-operator
+# authorino.kuadrant.io/authorino-operator-bundle:$VERSION and authorino.kuadrant.io/authorino-operator-catalog:$VERSION.
+IMAGE_TAG_BASE ?= authorino.kuadrant.io/authorino-operator
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+DEFAULT_OPERATOR_IMAGE = quay.io/3scale/authorino-operator:latest
+OPERATOR_IMAGE ?= $(DEFAULT_OPERATOR_IMAGE)
+
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION = 1.21
+
+OPERATOR_MANIFESTS ?= $(PROJECT_DIR)/config/install/manifests.yaml
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -73,8 +79,8 @@ help: ## Display this help.
 
 ##@ Development
 
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+manifests: controller-gen kustomize ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases && $(KUSTOMIZE) build config/install > $(OPERATOR_MANIFESTS)
 
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
@@ -85,11 +91,8 @@ fmt: ## Run go fmt against code.
 vet: ## Run go vet against code.
 	go vet ./...
 
-ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
-test: manifests generate fmt vet ## Run tests.
-	mkdir -p ${ENVTEST_ASSETS_DIR}
-	test -f ${ENVTEST_ASSETS_DIR}/setup-envtest.sh || curl -sSLo ${ENVTEST_ASSETS_DIR}/setup-envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v0.8.3/hack/setup-envtest.sh
-	source ${ENVTEST_ASSETS_DIR}/setup-envtest.sh; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR); go test ./... -coverprofile cover.out
+test: manifests generate fmt vet envtest ## Run tests.
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
 
 ##@ Build
 
@@ -99,36 +102,45 @@ build: generate fmt vet ## Build manager binary.
 run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
-docker-build: test ## Build docker image with the manager.
-	docker build -t ${IMG} .
+docker-build:  ## Build docker image with the manager.
+	docker build -t ${OPERATOR_IMAGE} .
 
 docker-push: ## Push docker image with the manager.
-	docker push ${IMG}
+	docker push ${OPERATOR_IMAGE}
 
 ##@ Deployment
 
-install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | kubectl apply -f -
+install: manifests kustomize install-authorino ## Install CRDs into the K8s cluster specified in ~/.kube/config.
+	kubectl apply -f $(OPERATOR_MANIFESTS)
 
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | kubectl delete -f -
+	kubectl delete -f $(OPERATOR_MANIFESTS)
 
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${OPERATOR_IMAGE}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	# rollback kustomize edit
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${DEFAULT_OPERATOR_IMAGE}
+
 
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
+install-authorino: kustomize ## install RBAC and CRD for authorino
+	kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/install/manifests.yaml
 
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.1)
+	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.1)
 
 KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.
 	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/[email protected])
 
+ENVTEST = $(shell pwd)/bin/setup-envtest
+envtest: ## Download envtest-setup locally if necessary.
+	$(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+
 # go-get-tool will 'go get' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-get-tool
@@ -146,7 +158,7 @@ endef
 .PHONY: bundle
 bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
 	operator-sdk generate kustomize manifests -q
-	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
+	cd config/manager && $(KUSTOMIZE) edit set image controller=$(OPERATOR_IMAGE)
 	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 	operator-sdk bundle validate ./bundle
 

PROJECT

@@ -1,9 +1,20 @@
-domain: authorino.3scale.net
+domain: authorino.kuadrant.io
 layout:
 - go.kubebuilder.io/v3
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
 projectName: authorino-operator
 repo: github.com/kuadrant/authorino-operator
+resources:
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: authorino.kuadrant.io
+  group: authorino-operator
+  kind: Authorino
+  path: github.com/kuadrant/authorino-operator/api/v1beta1
+  version: v1beta1
+  plural: authorinos
 version: "3"

api/v1beta1/authorino_types.go

@@ -0,0 +1,148 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	k8score "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+type ConditionType string
+
+const (
+	// ConditionReady specifies that the resource is ready
+	ConditionReady         ConditionType = "Ready"
+	AuthorinoContainerName string        = "authorino"
+
+	// Authorino EnvVars
+	WatchNamespace           string = "WATCH_NAMESPACE"
+	ExtAuthGRPCPort          string = "EXT_AUTH_GRPC_PORT"
+	EnvVarTlsCert            string = "TLS_CERT"
+	EnvVarTlsCertKey         string = "TLS_CERT_KEY"
+	OIDCHTTPPort             string = "OIDC_HTTP_PORT"
+	EnvVarOidcTlsCertPath    string = "OIDC_TLS_CERT"
+	EnvVarOidcTlsCertKeyPath string = "OIDC_TLS_CERT_KEY"
+	AuthConfigLabelSelector  string = "AUTH_CONFIG_LABEL_SELECTOR"
+	SecretLabelSelector      string = "SECRET_LABEL_SELECTOR"
+
+	// Authorino TLS file paths
+	DefaultTlsCertPath        string = "/etc/ssl/certs/tls.crt"
+	DefaultTlsCertKeyPath     string = "/etc/ssl/private/tls.key"
+	DefaultOidcTlsCertPath    string = "/etc/ssl/certs/oidc.crt"
+	DefaultOidcTlsCertKeyPath string = "/etc/ssl/private/oidc.key"
+
+	AuthorinoVersion string = "latest"
+)
+
+type Condition struct {
+	// Type of condition
+	Type ConditionType `json:"type"`
+	// Status of the condition, one of True, False, Unknown.
+	Status k8score.ConditionStatus `json:"status"`
+	// Last time the condition transit from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+	// (brief) reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty"`
+	// Human readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty"`
+	// Last time the condition was updated
+	// +optional
+	LastUpdatedTime *metav1.Time `json:"lastUpdatedTime,omitempty"`
+}
+
+// AuthorinoSpec defines the desired state of Authorino
+type AuthorinoSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	Image                    string     `json:"image,omitempty"`
+	Replicas                 *int32     `json:"replicas,omitempty"`
+	ImagePullPolicy          string     `json:"imagePullPolicy,omitempty"`
+	ClusterWide              bool       `json:"clusterWide,omitempty"`
+	Listener                 Listener   `json:"listener,omitempty"`
+	OIDCServer               OIDCServer `json:"oidcServer,omitempty"`
+	AuthConfigLabelSelectors string     `json:"authConfigLabelSelectors,omitempty"`
+	SecretLabelSelectors     string     `json:"secretLabelSelectors,omitempty"`
+}
+
+type Listener struct {
+	Port *int32 `json:"port,omitempty"`
+	Tls  Tls    `json:"tls,omitempty"`
+}
+
+type OIDCServer struct {
+	Port *int32 `json:"port,omitempty"`
+	Tls  Tls    `json:"tls,omitempty"`
+}
+
+type Tls struct {
+	Enabled    *bool                         `json:"enabled,omitempty"`
+	CertSecret *k8score.LocalObjectReference `json:"certSecretRef,omitempty"`
+}
+
+// AuthorinoStatus defines the observed state of Authorino
+type AuthorinoStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	//  Defines if the authorino intance is ready
+	Ready bool `json:"ready"`
+
+	// Reports an error during the deployment of an instance
+	LastError string `json:"lastError"`
+
+	// Conditions is an array of the current Authorino's CR conditions
+	// Supported condition types: ConditionReady
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:path="authorinos"
+
+// Authorino is the Schema for the authorinos API
+type Authorino struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AuthorinoSpec   `json:"spec,omitempty"`
+	Status AuthorinoStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// AuthorinoList contains a list of Authorino
+type AuthorinoList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Authorino `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Authorino{}, &AuthorinoList{})
+}

api/v1beta1/groupversion_info.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains API Schema definitions for the authorino-operator v1beta1 API group
+//+kubebuilder:object:generate=true
+//+groupName=operator.authorino.kuadrant.io
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "operator.authorino.kuadrant.io", Version: "v1beta1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)