adding mtls config #1170

5 changes: 5 additions & 0 deletions api/v1beta1/kuadrant_types.go
Expand Up @@ -55,12 +55,17 @@ func (p *Kuadrant) GetLocator() string {
// KuadrantSpec defines the desired state of Kuadrant
type KuadrantSpec struct {
Observability Observability `json:"observability,omitempty"`
MTLS *MTLS `json:"mtls,omitempty"`
}

type Observability struct {
Enable bool `json:"enable,omitempty"`
}

type MTLS struct {
Enable bool `json:"enable,omitempty"`
}

Comment on lines +65 to +68

At some point can you add a comment describing what the MTLS struct is for? The comment gets added to the CRD definition as a description. You will also need to run `make manifest`, `make bundle` and `make helm` at some point.

// KuadrantStatus defines the observed state of Kuadrant
type KuadrantStatus struct {
// ObservedGeneration reflects the generation of the most recently observed spec.
33 changes: 31 additions & 2 deletions api/v1beta1/topology.go
Expand Up @@ -15,8 +15,9 @@ import (
)

var (
LimitadorGroupKind = schema.GroupKind{Group: limitadorv1alpha1.GroupVersion.Group, Kind: "Limitador"}
AuthorinoGroupKind = schema.GroupKind{Group: authorinooperatorv1beta1.GroupVersion.Group, Kind: "Authorino"}
LimitadorGroupKind = schema.GroupKind{Group: limitadorv1alpha1.GroupVersion.Group, Kind: "Limitador"}
AuthorinoGroupKind = schema.GroupKind{Group: authorinooperatorv1beta1.GroupVersion.Group, Kind: "Authorino"}
DeploymentGroupKind = metav1.SchemeGroupVersion.WithKind("Deployment").GroupKind()

LimitadorsResource = limitadorv1alpha1.GroupVersion.WithResource("limitadors")
AuthorinosResource = authorinooperatorv1beta1.GroupVersion.WithResource("authorinos")
Expand Down Expand Up @@ -66,6 +67,34 @@ func LinkKuadrantToAuthorino(objs controller.Store) machinery.LinkFunc {
}
}

func LinkAuthorinoToDeployment(objs controller.Store) machinery.LinkFunc {
authorinos := lo.Map(objs.FilterByGroupKind(AuthorinoGroupKind), controller.ObjectAs[machinery.Object])

return machinery.LinkFunc{
From: AuthorinoGroupKind,
To: DeploymentGroupKind,
Func: func(child machinery.Object) []machinery.Object {
return lo.Filter(authorinos, func(k machinery.Object, _ int) bool {
return k.GetNamespace() == child.GetNamespace() && child.GetName() == "authorino"

I am not very familiar with these linking functions. I still need to educate myself.

Question: child's type is Authorino, isn't it? Then, isn't this linking function linking all deployments in Authorino namespace to Authorino? even those that are not authorino deployment, like limitador deployment?


I'm also new to them. The idea here, which may not be implemented correctly yet, is that we link the authorino deployment; I'm using GetName to isolate it, although I'd rather not hardcode it. That needs to be fixed so that only that one gets picked up and not all deployments in the authorino namespace. AIUI this is to add it as a child of the Authorino CR in the topology.

})
},
}
}

func LinkLimitadorToDeployment(objs controller.Store) machinery.LinkFunc {
limitadors := lo.Map(objs.FilterByGroupKind(LimitadorGroupKind), controller.ObjectAs[machinery.Object])

return machinery.LinkFunc{
From: LimitadorGroupKind,
To: DeploymentGroupKind,
Func: func(child machinery.Object) []machinery.Object {
return lo.Filter(limitadors, func(k machinery.Object, _ int) bool {
return k.GetNamespace() == child.GetNamespace() && child.GetName() == "limitador"
})
},
}
}

func LinkKuadrantToServiceMonitor(objs controller.Store) machinery.LinkFunc {
kuadrants := lo.Map(objs.FilterByGroupKind(KuadrantGroupKind), controller.ObjectAs[machinery.Object])

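Review bot: `LinkAuthorinoToDeployment` and `LinkLimitadorToDeployment` are exported but carry no doc comment, and their bodies differ only in the GroupKind used for the store filter and the literal Deployment name, so an unexported helper would remove the duplication and leave one place to document how the link is established. Above each exported function I would add a comment such as `// LinkAuthorinoToDeployment links the Deployment named "authorino" in the same namespace to each Authorino in the store.` so the reliance on a fixed Deployment name is stated where readers look for it. The helper keeps the current namespace-and-name match unchanged; it only removes the copy.
```go
// linkToDeployment returns a LinkFunc linking the Deployment named deploymentName
// to every object of ownerKind that lives in the same namespace.
func linkToDeployment(objs controller.Store, ownerKind schema.GroupKind, deploymentName string) machinery.LinkFunc {
	owners := lo.Map(objs.FilterByGroupKind(ownerKind), controller.ObjectAs[machinery.Object])

	return machinery.LinkFunc{
		From: ownerKind,
		To:   DeploymentGroupKind,
		Func: func(child machinery.Object) []machinery.Object {
			return lo.Filter(owners, func(k machinery.Object, _ int) bool {
				return k.GetNamespace() == child.GetNamespace() && child.GetName() == deploymentName
			})
		},
	}
}

// LinkAuthorinoToDeployment links the Deployment named "authorino" in the same
// namespace to each Authorino in the store.
func LinkAuthorinoToDeployment(objs controller.Store) machinery.LinkFunc {
	return linkToDeployment(objs, AuthorinoGroupKind, "authorino")
}

// LinkLimitadorToDeployment links the Deployment named "limitador" in the same
// namespace to each Limitador in the store.
func LinkLimitadorToDeployment(objs controller.Store) machinery.LinkFunc {
	return linkToDeployment(objs, LimitadorGroupKind, "limitador")
}
```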
22 changes: 21 additions & 1 deletion api/v1beta1/zz_generated.deepcopy.go


12 changes: 12 additions & 0 deletions bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
Expand Up @@ -422,6 +422,18 @@ spec:
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthenticators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
serviceAccountName: kuadrant-operator-controller-manager
deployments:
- label:
5 changes: 5 additions & 0 deletions bundle/manifests/kuadrant.io_kuadrants.yaml
Expand Up @@ -50,6 +50,11 @@ spec:
spec:
description: KuadrantSpec defines the desired state of Kuadrant
properties:
mtls:
properties:
enable:
type: boolean
type: object
observability:
properties:
enable:
17 changes: 17 additions & 0 deletions charts/kuadrant-operator/templates/manifests.yaml
Expand Up @@ -8103,6 +8103,11 @@ spec:
spec:
description: KuadrantSpec defines the desired state of Kuadrant
properties:
mtls:
properties:
enable:
type: boolean
type: object
observability:
properties:
enable:
Expand Down Expand Up @@ -9364,6 +9369,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthenticators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
3 changes: 3 additions & 0 deletions cmd/main.go
Expand Up @@ -32,6 +32,8 @@ import (
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
istioextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
istionetworkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
istiosecurity "istio.io/client-go/pkg/apis/security/v1"

corev1 "k8s.io/api/core/v1"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
k8sruntime "k8s.io/apimachinery/pkg/runtime"
Expand Down Expand Up @@ -78,6 +80,7 @@ func init() {
utilruntime.Must(egv1alpha1.AddToScheme(scheme))
utilruntime.Must(consolev1.AddToScheme(scheme))
utilruntime.Must(monitoringv1.AddToScheme(scheme))
utilruntime.Must(istiosecurity.AddToScheme(scheme))
//+kubebuilder:scaffold:scheme

logger := log.NewLogger(
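Review bot: The new import alias `istiosecurity` drops the API version that the neighbouring Istio aliases carry (`istioextensionv1alpha1`, `istionetworkingv1alpha3`); `istiosecurityv1 "istio.io/client-go/pkg/apis/security/v1"` and `utilruntime.Must(istiosecurityv1.AddToScheme(scheme))` would keep the file's convention. Registering `security.istio.io/v1` also ties the operator to Istio releases that serve the v1 version of this group — as far as I recall older releases only serve v1beta1 for PeerAuthentication, so this is worth checking against the minimum Istio version the operator claims to support. The blank line inserted between the Istio imports and `corev1` splits what was one import group and goimports would drop it.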
5 changes: 5 additions & 0 deletions config/crd/bases/kuadrant.io_kuadrants.yaml
Expand Up @@ -48,6 +48,11 @@ spec:
spec:
description: KuadrantSpec defines the desired state of Kuadrant
properties:
mtls:
properties:
enable:
type: boolean
type: object
observability:
properties:
enable:
12 changes: 12 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -266,3 +266,15 @@ rules:
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthenticators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
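Review bot: The resource name `peerauthenticators` does not match the Istio CRD, whose plural is `peerauthentications` (`peerauthentications.security.istio.io`), so this rule grants nothing and any get/create/update of a PeerAuthentication by the operator will be rejected as Forbidden. The fix belongs in the `//+kubebuilder:rbac:groups=security.istio.io,resources=peerauthentications,verbs=...` marker this file is generated from, followed by regenerating role.yaml, the bundle CSV and the Helm chart, all of which carry the same name. Separately, no hunk in this PR creates or reads a PeerAuthentication, so either that reconciler lives outside the diff or the grant is ahead of the code; since this is a write permission on mesh authentication policy in the operator's role, a sentence in the PR description on what will use it would help reviewers.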
4 changes: 3 additions & 1 deletion config/samples/kuadrant_v1beta1_kuadrant.yaml
Expand Up @@ -3,4 +3,6 @@ apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
name: kuadrant-sample
spec: {}
spec:

This is the sample being shown in operatorhub web console. Do we want to add (optional) mtls config to it?


If we'd prefer not to, I'm fine with that. My reasoning for adding it here is that in the verification steps I'm using kubectl patch kuadrant kuadrant-sample --type='json' -p='[{"op": "replace", "path": "/spec/mtls/enable", "value": false}]' as a quick way to switch it on and off for testing. But if this gets presented in the console, where the description will show that it can be used optionally, I would agree it's best not to include it. I'll remove this before we merge.

mtls:
enable: false
47 changes: 45 additions & 2 deletions internal/controller/auth_workflow_helpers.go
Expand Up @@ -62,8 +62,8 @@ func AuthClusterName(gatewayName string) string {
return fmt.Sprintf("kuadrant-auth-%s", gatewayName)
}

func authClusterPatch(host string, port int) map[string]any {
return map[string]any{
func authClusterPatch(host string, port int, mTLS bool) map[string]any {
patch := map[string]any{
"name": kuadrant.KuadrantAuthClusterName,
"type": "STRICT_DNS",
"connect_timeout": "1s",
Expand All @@ -89,6 +89,49 @@ func authClusterPatch(host string, port int) map[string]any {
},
},
}
if mTLS {
patch["transport_socket"] = map[string]interface{}{
"name": "envoy.transport_sockets.tls",
"typed_config": map[string]interface{}{
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"common_tls_context": map[string]interface{}{
"tls_certificate_sds_secret_configs": []interface{}{
map[string]interface{}{
"name": "default",
"sds_config": map[string]interface{}{
"api_config_source": map[string]interface{}{
"api_type": "GRPC",
"grpc_services": []interface{}{
map[string]interface{}{
"envoy_grpc": map[string]interface{}{
"cluster_name": "sds-grpc",
},
},
},
},
},
},
},
"validation_context_sds_secret_config": map[string]interface{}{
"name": "ROOTCA",
"sds_config": map[string]interface{}{
"api_config_source": map[string]interface{}{
"api_type": "GRPC",
"grpc_services": []interface{}{
map[string]interface{}{
"envoy_grpc": map[string]interface{}{
"cluster_name": "sds-grpc",
},
},
},
},
},
},
},
},
}
}
return patch
}

type authorinoServiceInfo struct {
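Review bot: With `mTLS` set, the upstream TLS context validates the Authorino certificate against `ROOTCA` only, with no subject-alternative-name match, so any workload certificate issued by the mesh CA is accepted for the auth cluster; Istio itself pins the upstream SPIFFE identity on its clusters for exactly this reason. I would wrap the root-CA SDS config in a `combined_validation_context` whose `default_validation_context` carries a `match_typed_subject_alt_names` entry for the Authorino service account (`spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`), which means passing that identity into `authClusterPatch` — neither the trust domain nor the service account is visible in this hunk, so the plumbing needs confirming. Two smaller points: the new code uses `map[string]interface{}`/`[]interface{}` while the patch literal a few lines up already uses `map[string]any`, and the parameter is `mTLS` here but `mtls` at every call site. The `sds-grpc` cluster and the `default`/`ROOTCA` secret names assume the gateway's Envoy is bootstrapped by an Istio agent serving SDS, which a comment above the `if mTLS` block should say, e.g. `// Istio-only: certificates come from the sidecar agent's SDS server (cluster "sds-grpc")`.
```go
	if mTLS {
		// Istio-only: certificates come from the sidecar agent's SDS server (cluster "sds-grpc").
		patch["transport_socket"] = map[string]any{
			"name": "envoy.transport_sockets.tls",
			"typed_config": map[string]any{
				"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
				"common_tls_context": map[string]any{
					// … unchanged: tls_certificate_sds_secret_configs …
					"combined_validation_context": map[string]any{
						"default_validation_context": map[string]any{
							// Pin the peer to Authorino's SPIFFE identity; the value has to be
							// supplied by the caller (trust domain + namespace + service account).
							"match_typed_subject_alt_names": []any{
								map[string]any{
									"san_type": "URI",
									"matcher":  map[string]any{"exact": authorinoSPIFFEID},
								},
							},
						},
						"validation_context_sds_secret_config": map[string]any{
							"name": "ROOTCA",
							// … unchanged: sds_config pointing at sds-grpc …
						},
					},
				},
			},
		}
	}
```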
Expand Up @@ -190,7 +190,7 @@ func (r *EnvoyGatewayAuthClusterReconciler) buildDesiredEnvoyPatchPolicy(authori
}

authorinoServiceInfo := authorinoServiceInfoFromAuthorino(authorino)
jsonPatches, err := kuadrantenvoygateway.BuildEnvoyPatchPolicyClusterPatch(kuadrant.KuadrantAuthClusterName, authorinoServiceInfo.Host, int(authorinoServiceInfo.Port), authClusterPatch)
jsonPatches, err := kuadrantenvoygateway.BuildEnvoyPatchPolicyClusterPatch(kuadrant.KuadrantAuthClusterName, authorinoServiceInfo.Host, int(authorinoServiceInfo.Port), false, authClusterPatch)
if err != nil {
return nil, err
}
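Review bot: Passing a literal `false` here means `spec.mtls.enable` is silently ignored on Envoy Gateway while the Istio path honours it, and nothing tells the user which of the two they got. A comment on this line, `// mTLS towards Authorino is only wired for Istio; spec.mtls.enable currently has no effect on Envoy Gateway`, plus a log line or status condition when the flag is set would make the gap visible; if Envoy Gateway support is planned, threading the same `mtls` bool through as the Istio reconciler does keeps the two reconcilers symmetric. The enclosing `buildDesiredEnvoyPatchPolicy` starts and ends outside this hunk.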
Expand Up @@ -189,7 +189,7 @@ func (r *EnvoyGatewayRateLimitClusterReconciler) buildDesiredEnvoyPatchPolicy(li
},
}

jsonPatches, err := kuadrantenvoygateway.BuildEnvoyPatchPolicyClusterPatch(kuadrant.KuadrantRateLimitClusterName, limitador.Status.Service.Host, int(limitador.Status.Service.Ports.GRPC), rateLimitClusterPatch)
jsonPatches, err := kuadrantenvoygateway.BuildEnvoyPatchPolicyClusterPatch(kuadrant.KuadrantRateLimitClusterName, limitador.Status.Service.Host, int(limitador.Status.Service.Ports.GRPC), false, rateLimitClusterPatch)
if err != nil {
return nil, err
}
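Review bot: The rate-limit cluster towards Limitador stays plaintext (`false`) regardless of `spec.mtls.enable`, and as far as this diff shows the Istio-side rate-limit cluster is not touched either; if the feature ends up applying a STRICT PeerAuthentication in the Kuadrant namespace (which the new security.istio.io RBAC suggests), gateway-to-Limitador gRPC would then be rejected by the sidecar. A `// TODO: the rate-limit cluster is not covered by spec.mtls yet` on this line and a sentence in the PR description on the intended scope of the flag (Authorino only, or all Kuadrant components) would avoid that surprise. The enclosing `buildDesiredEnvoyPatchPolicy` starts and ends outside this hunk.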
10 changes: 7 additions & 3 deletions internal/controller/istio_auth_cluster_reconciler.go
Expand Up @@ -56,6 +56,10 @@ func (r *IstioAuthClusterReconciler) Reconcile(ctx context.Context, _ []controll
if kuadrant == nil {
return nil
}
mtls := false
if kuadrant != nil && kuadrant.Spec.MTLS != nil && kuadrant.Spec.MTLS.Enable {
mtls = true
}

authorinoObj, found := lo.Find(topology.Objects().Children(kuadrant), func(child machinery.Object) bool {
return child.GroupVersionKind().GroupKind() == kuadrantv1beta1.AuthorinoGroupKind
Expand Down Expand Up @@ -86,7 +90,7 @@ func (r *IstioAuthClusterReconciler) Reconcile(ctx context.Context, _ []controll
for _, gateway := range gateways {
gatewayKey := k8stypes.NamespacedName{Name: gateway.GetName(), Namespace: gateway.GetNamespace()}

desiredEnvoyFilter, err := r.buildDesiredEnvoyFilter(authorino, gateway)
desiredEnvoyFilter, err := r.buildDesiredEnvoyFilter(authorino, gateway, mtls)
if err != nil {
logger.Error(err, "failed to build desired envoy filter")
continue
Expand Down Expand Up @@ -156,7 +160,7 @@ func (r *IstioAuthClusterReconciler) Reconcile(ctx context.Context, _ []controll
return nil
}

func (r *IstioAuthClusterReconciler) buildDesiredEnvoyFilter(authorino *authorinooperatorv1beta1.Authorino, gateway *machinery.Gateway) (*istioclientgonetworkingv1alpha3.EnvoyFilter, error) {
func (r *IstioAuthClusterReconciler) buildDesiredEnvoyFilter(authorino *authorinooperatorv1beta1.Authorino, gateway *machinery.Gateway, mtls bool) (*istioclientgonetworkingv1alpha3.EnvoyFilter, error) {
envoyFilter := &istioclientgonetworkingv1alpha3.EnvoyFilter{
TypeMeta: metav1.TypeMeta{
Kind: kuadrantistio.EnvoyFilterGroupKind.Kind,
Expand Down Expand Up @@ -189,7 +193,7 @@ func (r *IstioAuthClusterReconciler) buildDesiredEnvoyFilter(authorino *authorin
}

authorinoServiceInfo := authorinoServiceInfoFromAuthorino(authorino)
configPatches, err := kuadrantistio.BuildEnvoyFilterClusterPatch(authorinoServiceInfo.Host, int(authorinoServiceInfo.Port), authClusterPatch)
configPatches, err := kuadrantistio.BuildEnvoyFilterClusterPatch(authorinoServiceInfo.Host, int(authorinoServiceInfo.Port), mtls, authClusterPatch)
if err != nil {
return nil, err
}
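Review bot: The `kuadrant != nil` check in the new block is redundant — the function has already returned a few lines earlier when `kuadrant` is nil — so the four lines collapse to `mtls := kuadrant.Spec.MTLS != nil && kuadrant.Spec.MTLS.Enable`. Beyond style, flipping the flag switches the gateway-to-Authorino transport to TLS, which only works if the Authorino side accepts it (an injected sidecar, and a PeerAuthentication that is not plaintext-only); nothing in this hunk establishes either, so a comment where `mtls` is computed, e.g. `// mtls only takes effect when Authorino sits behind an Istio sidecar; otherwise the EnvoyFilter will point TLS at a plaintext port`, records the precondition for the next reader. I cannot see from here whether that precondition is enforced elsewhere in the PR.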