Kuadrant · mikenairn · Feb 2, 2022 · Jan 27, 2022 · Jan 26, 2022 · eguzki
@@ -64,6 +64,9 @@ jobs:
       - name: Run make install
         run: |
           make install
+      - name: Run make istio-install
+        run: |
+          make istio-install
       - name: Load test image
         run: |
           kind load docker-image ${{ env.TEST_IMG }} --name ${{ env.KIND_CLUSTER_NAME }}
@@ -72,7 +75,10 @@ jobs:
           make deploy
       - name: Wait for deployment
         run: |
-          kubectl -n kuadrant-operator-system wait --timeout=300s --for=condition=Available deployments --all
+          kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+      - name: Run make istio-install-with-patch
+        run: |
+          make istio-install-with-patch
       # Note: This doesn't run any actual tests yet!
       - name: Run make undeploy
         run: |

@@ -176,6 +176,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/deploy | kubectl apply -f -
+	${MAKE} post-deploy-hacks
 
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/deploy | kubectl delete -f -
@@ -190,10 +191,20 @@ uninstall-olm:
 
 deploy-olm: ## Deploy controller to the K8s cluster specified in ~/.kube/config using OLM catalog image.
 	$(KUSTOMIZE) build config/deploy/olm | kubectl apply -f -
+	${MAKE} post-deploy-hacks
 
 undeploy-olm: ## Undeploy controller from the K8s cluster specified in ~/.kube/config using OLM catalog image.
 	$(KUSTOMIZE) build config/deploy/olm | kubectl delete -f -
 
+#This target is temporary to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to create/configure these things as part of the reconciliation of a kuadrant CR.
+post-deploy-hacks:
+	# Wait for deployment to complete
+	timeout 60s bash -c 'until kubectl -n kuadrant-system get deployments/kuadrant-operator-controller-manager; do sleep 10; done;'
+	kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+	kubectl apply -f config/dependencies/istio/default-gateway.yaml -n kuadrant-system
+	kubectl apply -f config/dependencies/authorino/authorino.yaml -n kuadrant-system
+
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/[email protected])

@@ -209,38 +209,26 @@ spec:
           - create
         serviceAccountName: kuadrant-operator-controller-manager
       deployments:
-      - name: kuadrant-operator-controller-manager
+      - name: kuadrant-controller-manager
         spec:
           replicas: 1
           selector:
             matchLabels:
+              app: kuadrant
               control-plane: controller-manager
           strategy: {}
           template:
             metadata:
               labels:
+                app: kuadrant
                 control-plane: controller-manager
             spec:
               containers:
               - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                  protocol: TCP
-                resources: {}
-              - args:
-                - --health-probe-bind-address=:8081
-                - --metrics-bind-address=127.0.0.1:8080
-                - --leader-elect
+                - --config=controller_manager_config.yaml
                 command:
                 - /manager
-                image: quay.io/kuadrant/kuadrant-operator:latest
+                image: quay.io/kuadrant/kuadrant-controller:latest
                 livenessProbe:
                   httpGet:
                     path: /healthz
@@ -256,37 +244,68 @@ spec:
                   periodSeconds: 10
                 resources:
                   limits:
-                    cpu: 200m
-                    memory: 100Mi
+                    cpu: 100m
+                    memory: 30Mi
                   requests:
                     cpu: 100m
                     memory: 20Mi
                 securityContext:
                   allowPrivilegeEscalation: false
+                volumeMounts:
+                - mountPath: /controller_manager_config.yaml
+                  name: manager-config
+                  subPath: controller_manager_config.yaml
+              - args:
+                - --secure-listen-address=0.0.0.0:8443
+                - --upstream=http://127.0.0.1:8080/
+                - --logtostderr=true
+                - --v=10
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+                name: kube-rbac-proxy
+                ports:
+                - containerPort: 8443
+                  name: https
+                resources: {}
               securityContext:
                 runAsNonRoot: true
-              serviceAccountName: kuadrant-operator-controller-manager
+              serviceAccountName: kuadrant-controller-manager
               terminationGracePeriodSeconds: 10
-      - name: kuadrant-controller-manager
+              volumes:
+              - configMap:
+                  name: kuadrant-manager-config
+                name: manager-config
+      - name: kuadrant-operator-controller-manager
         spec:
           replicas: 1
           selector:
             matchLabels:
-              app: kuadrant
               control-plane: controller-manager
           strategy: {}
           template:
             metadata:
               labels:
-                app: kuadrant
                 control-plane: controller-manager
             spec:
               containers:
               - args:
-                - --config=controller_manager_config.yaml
+                - --secure-listen-address=0.0.0.0:8443
+                - --upstream=http://127.0.0.1:8080/
+                - --logtostderr=true
+                - --v=10
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+                name: kube-rbac-proxy
+                ports:
+                - containerPort: 8443
+                  name: https
+                  protocol: TCP
+                resources: {}
+              - args:
+                - --health-probe-bind-address=:8081
+                - --metrics-bind-address=127.0.0.1:8080
+                - --leader-elect
                 command:
                 - /manager
-                image: quay.io/kuadrant/kuadrant-controller:latest
+                image: quay.io/kuadrant/kuadrant-operator:latest
                 livenessProbe:
                   httpGet:
                     path: /healthz
@@ -302,36 +321,17 @@ spec:
                   periodSeconds: 10
                 resources:
                   limits:
-                    cpu: 100m
-                    memory: 30Mi
+                    cpu: 200m
+                    memory: 100Mi
                   requests:
                     cpu: 100m
                     memory: 20Mi
                 securityContext:
                   allowPrivilegeEscalation: false
-                volumeMounts:
-                - mountPath: /controller_manager_config.yaml
-                  name: manager-config
-                  subPath: controller_manager_config.yaml
-              - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=10
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                resources: {}
               securityContext:
                 runAsNonRoot: true
-              serviceAccountName: kuadrant-controller-manager
+              serviceAccountName: kuadrant-operator-controller-manager
               terminationGracePeriodSeconds: 10
-              volumes:
-              - configMap:
-                  name: kuadrant-manager-config
-                name: manager-config
       permissions:
       - rules:
         - apiGroups:

@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named

@@ -0,0 +1,14 @@
+apiVersion: operator.authorino.kuadrant.io/v1beta1
+kind: Authorino
+metadata:
+  name: authorino
+  namespace: kuadrant-system
+spec:
+  replicas: 1
+  clusterWide: false
+  listener:
+    tls:
+      enabled: false
+  oidcServer:
+    tls:
+      enabled: false
@@ -1,2 +1,5 @@
 resources:
 - github.com/Kuadrant/kuadrant-controller/config/default?ref=${KUADRANT_CONTROLLER_GITREF}
+
+patchesStrategicMerge:
+  - delete-ns.yaml
@@ -1,2 +1,5 @@
 resources:
 - github.com/Kuadrant/kuadrant-controller/config/default?ref=main
+
+patchesStrategicMerge:
+  - delete-ns.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: kuadrant-gateway
+  namespace: kuadrant-system
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
@@ -0,0 +1,9 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  meshConfig:
+    extensionProviders:
+      - name: "kuadrant-authorization"
+        envoyExtAuthzGrpc:
+          service: "authorino-authorino-authorization.kuadrant-system.svc.cluster.local"
+          port: 50051
@@ -1,11 +1,10 @@
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 resources:
   - controller
   - authorino
   - limitador
 
 patchesStrategicMerge:
-  - controller/delete-ns.yaml
   - authorino/delete-ns.yaml
   - limitador/delete-ns.yaml
@@ -1,4 +1,4 @@
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 resources:
   - ../default

@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: kuadrant-operator-system
+namespace: kuadrant-system
 
 resources:
 - namespace.yaml

@@ -4,6 +4,6 @@ metadata:
   name: kuadrant
 spec:
   source: kuadrant-operator-catalog
-  sourceNamespace: kuadrant-operator-system
+  sourceNamespace: kuadrant-system
   name: kuadrant-operator
   channel: "alpha"
@@ -0,0 +1,42 @@
+
+##@ Istio
+
+## Targets to help install and configure istio
+
+ISTIO_PATCHES_DIR = config/dependencies/istio/patches
+ISTIO_NAMESPACE = istio-system
+ISTIO_INSTALL_OPTIONS ?= --set profile=default \
+	--set values.gateways.istio-ingressgateway.autoscaleEnabled=false \
+	--set values.pilot.autoscaleEnabled=false \
+	--set values.global.istioNamespace=$(ISTIO_NAMESPACE)
+
+# istioctl tool
+ISTIOCTL=$(shell pwd)/bin/istioctl
+ISTIOVERSION = 1.12.1
+$(ISTIOCTL):
+	mkdir -p $(PROJECT_PATH)/bin
+	$(eval TMP := $(shell mktemp -d))
+	cd $(TMP); curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -
+	cp $(TMP)/istio-$(ISTIOVERSION)/bin/istioctl ${ISTIOCTL}
+	-rm -rf $(TMP)
+
+.PHONY: istioctl
+istioctl: $(ISTIOCTL) ## Download istioctl locally if necessary.
+
+.PHONY: istio-install
+istio-install: istioctl ## Install istio.
+	$(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS)
+
+#Note: This target is here temporarily to aid dev/test of the operator. Eventually it will be the responsibility of the
+# operator itself to configure istio as part of the reconciliation of a kuadrant CR.
+.PHONY: istio-install-with-patch
+istio-install-with-patch: istioctl ## Install istio with patch to add authorino auth extension.
+	$(ISTIOCTL) install -y $(ISTIO_INSTALL_OPTIONS) -f $(ISTIO_PATCHES_DIR)/istio-externalProvider.yaml
+
+.PHONY: istio-uninstall
+istio-uninstall: istioctl ## Uninstall istio.
+	$(ISTIOCTL) x uninstall -y --purge
+
+.PHONY: istio-verify-install
+istio-verify-install: istioctl ## Verify istio installation.
+	$(ISTIOCTL) verify-install -i $(ISTIO_NAMESPACE)
@@ -19,9 +19,10 @@ kind-delete-cluster: ## Delete the "kuadrant-local" kind cluster.
 
 .PHONY: kind-create-kuadrant-cluster
 kind-create-kuadrant-cluster: export IMG := quay.io/kuadrant/kuadrant-operator:dev
-kind-create-kuadrant-cluster: kind-create-cluster ## Create a kind cluster with kuadrant deployed.
+kind-create-kuadrant-cluster: kind-create-cluster istio-install ## Create a kind cluster with kuadrant deployed.
 	$(MAKE) docker-build
 	$(KIND) load docker-image $(IMG) --name $(KIND_CLUSTER_NAME)
 	$(MAKE) install
 	$(MAKE) deploy
-	kubectl -n kuadrant-operator-system wait --timeout=300s --for=condition=Available deployments --all
+	kubectl -n kuadrant-system wait --timeout=300s --for=condition=Available deployments --all
+	$(MAKE) istio-install-with-patch