feat: validate authorino operator crd is installed for auth policy status

Signed-off-by: KevFan <[email protected]>
KevFan committed Nov 15, 2024
1 parent 1fb7fbb commit 31901ee
Showing 3 changed files with 85 additions and 36 deletions.
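--- a/controllers/auth_policies_validator.go
+++ b/controllers/auth_policies_validator.go
@@ -15,7 +15,9 @@ import (
 kuadrant "github.com/kuadrant/kuadrant-operator/pkg/kuadrant"
 )
 
-type AuthPolicyValidator struct{}
+type AuthPolicyValidator struct {
+isAuthorinoOperatorInstalled bool
+}
 
 // AuthPolicyValidator subscribes to events with potential to flip the validity of auth policies
 func (r *AuthPolicyValidator) Subscription() controller.Subscription {
@@ -41,6 +43,9 @@ func (r *AuthPolicyValidator) Validate(ctx context.Context, _ []controller.Resou
 defer logger.V(1).Info("finished validating auth policies")
 
 state.Store(StateAuthPolicyValid, lo.SliceToMap(policies, func(policy machinery.Policy) (string, error) {
+if !r.isAuthorinoOperatorInstalled {
+return policy.GetLocator(), kuadrant.NewErrDependencyNotInstalled("Authorino Operator")
+}
 var err error
 if len(policy.GetTargetRefs()) > 0 && len(topology.Targetables().Children(policy)) == 0 {
 ref := policy.GetTargetRefs()[0]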
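Review bot: The new `isAuthorinoOperatorInstalled` field on AuthPolicyValidator is undocumented, and the guard added inside the `lo.SliceToMap` closure in Validate re-reads that same fixed field once per policy. A field comment such as `// isAuthorinoOperatorInstalled records the boot-time CRD check; while false every auth policy is reported as dependency-missing` would tell the next reader why the closure short-circuits. Since the flag is a constructor value, the check could also be made once before the `state.Store` call instead of per policy, which is a style point only. Reporting the policies as invalid rather than silently skipping them when the dependency is absent is the right fail-closed choice; just confirm how the flag gets refreshed if the operator is installed after boot, since the validator cannot observe that from here. Validate's body continues beyond the hunk.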
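--- a/controllers/data_plane_policies_workflow.go
+++ b/controllers/data_plane_policies_workflow.go
@@ -54,10 +54,10 @@ var (
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/finalizers,verbs=update
 
-func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled, isLimitadorOperatorInstalled bool) *controller.Workflow {
+func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled, isLimitadorOperatorInstalled, isAuthorinoOperatorInstalled bool) *controller.Workflow {
 dataPlanePoliciesValidation := &controller.Workflow{
 Tasks: []controller.ReconcileFunc{
-(&AuthPolicyValidator{}).Subscription().Reconcile,
+(&AuthPolicyValidator{isAuthorinoOperatorInstalled: isAuthorinoOperatorInstalled}).Subscription().Reconcile,
 (&RateLimitPolicyValidator{isLimitadorOperatorInstalled: isLimitadorOperatorInstalled}).Subscription().Reconcile,
 },
 }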
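Review bot: NewDataPlanePoliciesWorkflow now takes four consecutive positional `bool` parameters, so a transposed argument at a call site (for example swapping `isLimitadorOperatorInstalled` and `isAuthorinoOperatorInstalled`) compiles cleanly and silently gates the wrong validator. The exported constructor also has no doc comment; `// NewDataPlanePoliciesWorkflow builds the data plane policy workflow; each is*Installed flag gates the validators and reconcilers that depend on that component.` would document it. Longer term a small options struct with named fields would make the call site in state_of_the_world.go self-describing. The function body continues beyond the hunk.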
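--- a/controllers/state_of_the_world.go
+++ b/controllers/state_of_the_world.go
@@ -112,23 +112,6 @@ func NewPolicyMachineryController(manager ctrlruntime.Manager, client *dynamic.D
 controller.WithPredicates(&ctrlruntimepredicate.TypedGenerationChangedPredicate[*corev1.ConfigMap]{}),
 controller.FilterResourcesByLabel[*corev1.ConfigMap](fmt.Sprintf("%s=true", kuadrant.TopologyLabel)),
 )),
-// TODO: Move as boot options for Limitador and Authorino as there can be a possibility that the operators are not installed
-controller.WithRunnable("limitador watcher", controller.Watch(
-&limitadorv1alpha1.Limitador{},
-kuadrantv1beta1.LimitadorsResource,
-metav1.NamespaceAll,
-)),
-controller.WithRunnable("authorino watcher", controller.Watch(
-&authorinooperatorv1beta1.Authorino{},
-kuadrantv1beta1.AuthorinosResource,
-metav1.NamespaceAll,
-)),
-controller.WithRunnable("authconfig watcher", controller.Watch(
-&authorinov1beta3.AuthConfig{},
-authorino.AuthConfigsResource,
-metav1.NamespaceAll,
-controller.FilterResourcesByLabel[*authorinov1beta3.AuthConfig](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
-)),
 controller.WithPolicyKinds(
 kuadrantv1.DNSPolicyGroupKind,
 kuadrantv1.TLSPolicyGroupKind,
@@ -138,15 +121,9 @@ func NewPolicyMachineryController(manager ctrlruntime.Manager, client *dynamic.D
 controller.WithObjectKinds(
 kuadrantv1beta1.KuadrantGroupKind,
 ConfigMapGroupKind,
-kuadrantv1beta1.LimitadorGroupKind,
-kuadrantv1beta1.AuthorinoGroupKind,
-authorino.AuthConfigGroupKind,
 ),
 controller.WithObjectLinks(
 kuadrantv1beta1.LinkKuadrantToGatewayClasses,
-kuadrantv1beta1.LinkKuadrantToLimitador,
-kuadrantv1beta1.LinkKuadrantToAuthorino,
-authorino.LinkHTTPRouteRuleToAuthConfig,
 ),
 }
 
@@ -174,12 +151,14 @@ type BootOptionsBuilder struct {
 client *dynamic.DynamicClient
 
 // Internal configurations
-isGatewayAPIInstalled bool
-isEnvoyGatewayInstalled bool
-isIstioInstalled bool
-isCertManagerInstalled bool
-isConsolePluginInstalled bool
-isDNSOperatorInstalled bool
+isGatewayAPIInstalled bool
+isEnvoyGatewayInstalled bool
+isIstioInstalled bool
+isCertManagerInstalled bool
+isConsolePluginInstalled bool
+isDNSOperatorInstalled bool
+isLimitadorOperatorInstalled bool
+isAuthorinoOperatorInstalled bool
 }
 
 func (b *BootOptionsBuilder) getOptions() []controller.ControllerOption {
@@ -190,6 +169,8 @@ func (b *BootOptionsBuilder) getOptions() []controller.ControllerOption {
 opts = append(opts, b.getCertManagerOptions()...)
 opts = append(opts, b.getConsolePluginOptions()...)
 opts = append(opts, b.getDNSOperatorOptions()...)
+opts = append(opts, b.getLimitadorOperatorOptions()...)
+opts = append(opts, b.getAuthorinoOperatorOptions()...)
 
 return opts
 }
@@ -252,7 +233,6 @@ func (b *BootOptionsBuilder) getEnvoyGatewayOptions() []controller.ControllerOpt
 envoygateway.LinkGatewayToEnvoyExtensionPolicy,
 ),
 )
-// TODO: add specific tasks to workflow
 }
 
 return opts
@@ -287,7 +267,6 @@ func (b *BootOptionsBuilder) getIstioOptions() []controller.ControllerOption {
 istio.LinkGatewayToWasmPlugin,
 ),
 )
-// TODO: add istio specific tasks to workflow
 }
 
 return opts
@@ -327,7 +306,7 @@ func (b *BootOptionsBuilder) getConsolePluginOptions() []controller.ControllerOp
 func (b *BootOptionsBuilder) getDNSOperatorOptions() []controller.ControllerOption {
 var opts []controller.ControllerOption
 var err error
-b.isDNSOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), kuadrantdnsv1alpha1.GroupVersion.Group, "DNSRecord", kuadrantdnsv1alpha1.GroupVersion.Version)
+b.isDNSOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), DNSRecordGroupKind.Group, DNSRecordGroupKind.Kind, kuadrantdnsv1alpha1.GroupVersion.Version)
 if err != nil || !b.isDNSOperatorInstalled {
 b.logger.Info("dns operator is not installed, skipping related watches and reconcilers", "err", err)
 } else {
@@ -348,6 +327,71 @@ func (b *BootOptionsBuilder) getDNSOperatorOptions() []controller.ControllerOpti
 return opts
 }
 
+func (b *BootOptionsBuilder) getLimitadorOperatorOptions() []controller.ControllerOption {
+var opts []controller.ControllerOption
+var err error
+b.isLimitadorOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), kuadrantv1beta1.LimitadorGroupKind.Group, kuadrantv1beta1.LimitadorGroupKind.Kind, limitadorv1alpha1.GroupVersion.Version)
+if err != nil || !b.isLimitadorOperatorInstalled {
+b.logger.Info("limitador operator is not installed, skipping related watches and reconcilers", "err", err)
+} else {
+opts = append(opts,
+controller.WithRunnable("limitador watcher", controller.Watch(
+&limitadorv1alpha1.Limitador{},
+kuadrantv1beta1.LimitadorsResource,
+metav1.NamespaceAll,
+)),
+controller.WithObjectKinds(
+kuadrantv1beta1.LimitadorGroupKind,
+),
+controller.WithObjectLinks(
+kuadrantv1beta1.LinkKuadrantToLimitador,
+),
+)
+}
+
+return opts
+}
+
+func (b *BootOptionsBuilder) getAuthorinoOperatorOptions() []controller.ControllerOption {
+var opts []controller.ControllerOption
+var err error
+b.isAuthorinoOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), kuadrantv1beta1.AuthorinoGroupKind.Group, kuadrantv1beta1.AuthorinoGroupKind.Kind, authorinooperatorv1beta1.GroupVersion.Version)
+if err != nil || !b.isAuthorinoOperatorInstalled {
+b.logger.Info("authorino operator is not installed, skipping related watches and reconcilers", "err", err)
+return opts
+}
+
+b.isAuthorinoOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), authorino.AuthConfigGroupKind.Group, authorino.AuthConfigGroupKind.Kind, authorinov1beta3.GroupVersion.Version)
+if err != nil || !b.isAuthorinoOperatorInstalled {
+b.logger.Info("authorino operator is not installed, skipping related watches and reconcilers", "err", err)
+return opts
+}
+
+opts = append(opts,
+controller.WithRunnable("authorino watcher", controller.Watch(
+&authorinooperatorv1beta1.Authorino{},
+kuadrantv1beta1.AuthorinosResource,
+metav1.NamespaceAll,
+)),
+controller.WithRunnable("authconfig watcher", controller.Watch(
+&authorinov1beta3.AuthConfig{},
+authorino.AuthConfigsResource,
+metav1.NamespaceAll,
+controller.FilterResourcesByLabel[*authorinov1beta3.AuthConfig](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
+)),
+controller.WithObjectKinds(
+kuadrantv1beta1.AuthorinoGroupKind,
+authorino.AuthConfigGroupKind,
+),
+controller.WithObjectLinks(
+kuadrantv1beta1.LinkKuadrantToAuthorino,
+authorino.LinkHTTPRouteRuleToAuthConfig,
+),
+)
+
+return opts
+}
+
 func (b *BootOptionsBuilder) Reconciler() controller.ReconcileFunc {
 mainWorkflow := &controller.Workflow{
 Precondition: initWorkflow(b.client).Run,
@@ -356,7 +400,7 @@ func (b *BootOptionsBuilder) Reconciler() controller.ReconcileFunc {
 NewLimitadorReconciler(b.client).Subscription().Reconcile,
 NewDNSWorkflow(b.client, b.manager.GetScheme(), b.isDNSOperatorInstalled).Run,
 NewTLSWorkflow(b.client, b.manager.GetScheme(), b.isCertManagerInstalled).Run,
-NewDataPlanePoliciesWorkflow(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Run,
+NewDataPlanePoliciesWorkflow(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled, b.isLimitadorOperatorInstalled, b.isAuthorinoOperatorInstalled).Run,
 NewKuadrantStatusUpdater(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Subscription().Reconcile,
 },
 Postcondition: finalStepsWorkflow(b.client, b.isIstioInstalled, b.isGatewayAPIInstalled).Run,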
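Review bot: In getAuthorinoOperatorOptions the second `utils.IsCRDInstalled` call checks the AuthConfig CRD, but its failure branch logs `authorino operator is not installed`, so a cluster with the Authorino CRD present and the AuthConfig CRD missing gets a misleading message; `b.logger.Info("authconfig crd is not installed, skipping related watches and reconcilers", "err", err)` would name the real cause. In both branches, and likewise in getLimitadorOperatorOptions and the reworked check in getDNSOperatorOptions, a lookup error is treated the same as an absent CRD and logged at Info only, so a transient REST mapper failure at boot silently drops the Authorino watchers and marks every AuthPolicy as dependency-missing until the next restart; logging the `err != nil` case at error level (or refusing to start) would make that condition visible to operators. The flag is also left at whatever IsCRDInstalled returned alongside the error, which is not visible here; if that value can be true on error, adding `b.isAuthorinoOperatorInstalled = false` to the failure branch keeps the flag consistent with the watches that were skipped.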
