dell · taohe1012 · Aug 12, 2022 · Aug 8, 2022
@@ -75,7 +75,7 @@ spec:
         env:
           - name: PROXY_HOST
             value: "{{ .Values.karaviMetricsPowerflex.authorization.proxyHost }}"
-          - name: INSECURE
+          - name: SKIP_CERTIFICATE_VALIDATION
             value: "{{ .Values.karaviMetricsPowerflex.authorization.skipCertificateValidation }}"
           - name: PLUGIN_IDENTIFIER
             value: powerflex

@@ -26,6 +26,12 @@ metadata:
   labels:
     app.kubernetes.io/name: karavi-metrics-powerscale
     app.kubernetes.io/instance: {{ .Release.Name }}
+  {{- if hasKey .Values "karaviMetricsPowerscale.authorization" }}
+  {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }}
+  annotations:
+    com.dell.karavi-authorization-proxy: "true"
+  {{ end }}
+  {{ end }}
 spec:
   selector:
     matchLabels:
@@ -61,6 +67,37 @@ spec:
           readOnly: true
         - name: karavi-metrics-powerscale-configmap
           mountPath: /etc/config
+      {{- if hasKey .Values.karaviMetricsPowerscale "authorization" }}
+      {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }}
+      - name: karavi-authorization-proxy
+        imagePullPolicy: IfNotPresent
+        image: {{ required "Must provide the authorization sidecar container image." .Values.karaviMetricsPowerscale.authorization.sidecarProxyImage }}
+        env:
+          - name: PROXY_HOST
+            value: "{{ .Values.karaviMetricsPowerscale.authorization.proxyHost }}"
+          - name: SKIP_CERTIFICATE_VALIDATION
+            value: "{{ .Values.karaviMetricsPowerscale.authorization.skipCertificateValidation }}"
+          - name: PLUGIN_IDENTIFIER
+            value: powerscale
+          - name: ACCESS_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: isilon-proxy-authz-tokens
+                key: access
+          - name: REFRESH_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: isilon-proxy-authz-tokens
+                key: refresh
+        volumeMounts:
+          - name: karavi-authorization-config
+            mountPath: /etc/karavi-authorization/config
+          - name: proxy-server-root-certificate
+            mountPath: /etc/karavi-authorization/root-certificates
+          - name: isilon-config-params
+            mountPath: /etc/karavi-authorization
+      {{ end }}
+      {{ end }}
       volumes:
       - name: isilon-creds
         secret:
@@ -74,6 +111,19 @@ spec:
       - name: karavi-metrics-powerscale-configmap
         configMap:
           name: karavi-metrics-powerscale-configmap
+     {{- if hasKey .Values.karaviMetricsPowerscale "authorization" }}
+     {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }}
+      - name: karavi-authorization-config
+        secret:
+          secretName: isilon-karavi-authorization-config
+      - name: proxy-server-root-certificate
+        secret:
+          secretName: isilon-proxy-server-root-certificate
+      - name: isilon-config-params
+        configMap:
+          name: isilon-config-params
+      {{ end }}
+      {{ end }}
       restartPolicy: Always
 status: {}
 

@@ -113,6 +113,20 @@ karaviMetricsPowerscale:
     # set isiLogVerbose to 0/1/2 decide High/Medium/Low content of the OneFS REST API message should be logged in debug level logs
     # default isiLogVerbose: 0 to log full content of the HTTP request and response
     isiLogVerbose: 0
+  authorization:
+    enabled: false
+    # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
+    # Default value: dellemc/csm-authorization-sidecar:v1.3.0
+    sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.3.0
+    # proxyHost: hostname of the csm-authorization server
+    # Default value: None
+    proxyHost:
+    # skipCertificateValidation: certificate validation of the csm-authorization server
+    # Allowed Values:
+    #   "true" - TLS certificate verification will be skipped
+    #   "false" - TLS certificate will be verified
+    # Default value: "true"
+    skipCertificateValidation: true
 
 otelCollector:
   image: otel/opentelemetry-collector:0.42.0