From 481a746e54e5dea78ec8861fbef8c2fed6cc75c5 Mon Sep 17 00:00:00 2001
From: taohe1012 <88763781+taohe1012@users.noreply.github.com>
Date: Fri, 12 Aug 2022 10:43:55 +0800
Subject: [PATCH] enable authorization for csm observability powerscale (#135)
---
 .../templates/karavi-metrics-powerflex.yaml | 2 +-
 .../templates/karavi-metrics-powerscale.yaml | 50 +++++++++++++++++++
 charts/karavi-observability/values.yaml | 14 ++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml
index 891b1cf9..8e8a8ae4 100644
--- a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml
+++ b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml
@@ -75,7 +75,7 @@ spec:
 env:
 - name: PROXY_HOST
 value: "{{ .Values.karaviMetricsPowerflex.authorization.proxyHost }}"
- - name: INSECURE
+ - name: SKIP_CERTIFICATE_VALIDATION
 value: "{{ .Values.karaviMetricsPowerflex.authorization.skipCertificateValidation }}"
 - name: PLUGIN_IDENTIFIER
 value: powerflex
diff --git a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml
index 7ab5f113..1caf0682 100644
--- a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml
+++ b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml
@@ -26,6 +26,12 @@ metadata:
 labels:
 app.kubernetes.io/name: karavi-metrics-powerscale
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if hasKey .Values "karaviMetricsPowerscale.authorization" }}
+ {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }}
+ annotations:
+ com.dell.karavi-authorization-proxy: "true"
+ {{ end }}
+ {{ end }}
 spec:
 selector:
 matchLabels:
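Review bot: The outer guard `{{- if hasKey .Values "karaviMetricsPowerscale.authorization" }}` asks `.Values` for a single top-level key literally named `karaviMetricsPowerscale.authorization`; the dotted string is not resolved as a path, so the condition is never true and the `com.dell.karavi-authorization-proxy: "true"` annotation is never rendered even when authorization is enabled. The two later hunks in this same file use the working form; this one should read `{{- if hasKey .Values.karaviMetricsPowerscale "authorization" }}`. Separately, the hunk sits in a metadata block that is followed directly by `spec:`/`selector:`, i.e. the Deployment's own metadata rather than the pod template's; if whatever consumes this annotation inspects pods, it would need to live under `spec.template.metadata.annotations` instead, which is worth confirming against the consumer. The enclosing resource begins before this hunk.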
@@ -61,6 +67,37 @@ spec:
 readOnly: true
 - name: karavi-metrics-powerscale-configmap
 mountPath: /etc/config
+ {{- if hasKey .Values.karaviMetricsPowerscale "authorization" }}
+ {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }}
+ - name: karavi-authorization-proxy
+ imagePullPolicy: IfNotPresent
+ image: {{ required "Must provide the authorization sidecar container image." .Values.karaviMetricsPowerscale.authorization.sidecarProxyImage }}
+ env:
+ - name: PROXY_HOST
+ value: "{{ .Values.karaviMetricsPowerscale.authorization.proxyHost }}"
+ - name: SKIP_CERTIFICATE_VALIDATION
+ value: "{{ .Values.karaviMetricsPowerscale.authorization.skipCertificateValidation }}"
+ - name: PLUGIN_IDENTIFIER
+ value: powerscale
+ - name: ACCESS_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: isilon-proxy-authz-tokens
+ key: access
+ - name: REFRESH_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: isilon-proxy-authz-tokens
+ key: refresh
+ volumeMounts:
+ - name: karavi-authorization-config
+ mountPath: /etc/karavi-authorization/config
+ - name: proxy-server-root-certificate
+ mountPath: /etc/karavi-authorization/root-certificates
+ - name: isilon-config-params
+ mountPath: /etc/karavi-authorization
+ {{ end }}
+ {{ end }}
 volumes:
 - name: isilon-creds
 secret:
@@ -74,6 +111,19 @@ spec:
 - name: karavi-metrics-powerscale-configmap
 configMap:
 name: karavi-metrics-powerscale-configmap
+ {{- if hasKey .Values.karaviMetricsPowerscale "authorization" }}
+ {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }}
+ - name: karavi-authorization-config
+ secret:
+ secretName: isilon-karavi-authorization-config
+ - name: proxy-server-root-certificate
+ secret:
+ secretName: isilon-proxy-server-root-certificate
+ - name: isilon-config-params
+ configMap:
+ name: isilon-config-params
+ {{ end }}
+ {{ end }}
 restartPolicy: Always
 status: {}
diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml
index dcebb4c9..65dbf200 100644
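Review bot: `PROXY_HOST` is rendered from `.Values.karaviMetricsPowerscale.authorization.proxyHost` with no guard, whereas the sidecar's `image:` two lines above is wrapped in `required`; values.yaml in this same commit ships `proxyHost:` empty ("Default value: None"), so enabling authorization without setting it yields a sidecar with an empty proxy endpoint, and the mistake surfaces at runtime instead of at `helm install`. Mirror the image guard: `value: "{{ required "Must provide the authorization proxy host." .Values.karaviMetricsPowerscale.authorization.proxyHost }}"`. The `env:` and `volumeMounts:` lists are fully inside the hunk; the enclosing `containers:` list starts before it.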
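Review bot: The three volumes added in the `@@ -74,6 +111,19 @@` hunk reference fixed object names — Secret `isilon-karavi-authorization-config`, Secret `isilon-proxy-server-root-certificate`, ConfigMap `isilon-config-params` — and the sidecar hunk above reads its tokens from Secret `isilon-proxy-authz-tokens`; nothing in this diff creates any of them, so unless another template in the chart does, a pod with `enabled: true` fails at container creation for a missing Secret/ConfigMap rather than at install time, and values.yaml gives no hint that they are prerequisites. A comment on the `authorization:` block in values.yaml naming the four objects that must exist in the release namespace before `enabled` is set to `true` would make the dependency explicit; alternatively the names could become values (for example `authorization.tokensSecretName`) instead of hard-coded `isilon-*` strings, which would also let the two `hasKey`/`eq` guards be reduced to one `if` on `enabled` now that the `authorization` map always exists in defaults.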
--- a/charts/karavi-observability/values.yaml
+++ b/charts/karavi-observability/values.yaml
@@ -113,6 +113,20 @@ karaviMetricsPowerscale:
 # set isiLogVerbose to 0/1/2 decide High/Medium/Low content of the OneFS REST API message should be logged in debug level logs
 # default isiLogVerbose: 0 to log full content of the HTTP request and response
 isiLogVerbose: 0
+ authorization:
+ enabled: false
+ # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
+ # Default value: dellemc/csm-authorization-sidecar:v1.3.0
+ sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.3.0
+ # proxyHost: hostname of the csm-authorization server
+ # Default value: None
+ proxyHost:
+ # skipCertificateValidation: certificate validation of the csm-authorization server
+ # Allowed Values:
+ # "true" - TLS certificate verification will be skipped
+ # "false" - TLS certificate will be verified
+ # Default value: "true"
+ skipCertificateValidation: true
 otelCollector:
 image: otel/opentelemetry-collector:0.42.0
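Review bot: `skipCertificateValidation: true` turns off TLS verification of the csm-authorization server by default, so a sidecar that is also handed the `access`/`refresh` tokens will, out of the box, trust whatever certificate `proxyHost` presents; the secure default is `skipCertificateValidation: false` with the comment changed to `# Default value: "false"`, leaving `true` as an explicit opt-in for environments without a trusted CA. The comment lists the allowed values as the quoted strings `"true"`/`"false"` while the key carries a bare boolean — the template quotes it when building the env var so both forms render, but the comment should match what is actually written (`true`/`false`). `proxyHost:` is left as a bare empty value, which YAML reads as null; since the comment already says there is no default, `proxyHost: ""` states the intent unambiguously, and a `required` guard in the template would turn a forgotten value into an install-time error.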