
Adding mTLS kuadrant installation mode #1170


Merged
merged 26 commits into from
Apr 9, 2025
Merged
26 commits
85c4a60
adding mtls config
laurafitzgerald Feb 20, 2025
9825e36
move istio check to before the reconciler
laurafitzgerald Feb 26, 2025
a2f852f
move limitador and authorino installed checks to reconciler initialis…
laurafitzgerald Feb 26, 2025
7815995
refactor to add some cleanup logic and adding logic to link deploymen…
laurafitzgerald Mar 6, 2025
be5cae0
moving envoyfilter management to auth and rate limit reconcilers, som…
laurafitzgerald Mar 12, 2025
861a1cc
cleanup of restmapper and variables
laurafitzgerald Mar 12, 2025
fc865ad
rebase and fixup and imports
laurafitzgerald Mar 12, 2025
7b7dff8
updating bundle and chart
laurafitzgerald Mar 12, 2025
f102bd6
update sample kuadrant to default to not enable mtls
laurafitzgerald Mar 12, 2025
54826b7
fixing up some issues after rebase
laurafitzgerald Mar 21, 2025
43459bb
improved logic around ismtls and creating peerauthentication
laurafitzgerald Mar 24, 2025
063c472
remove limitador conition
laurafitzgerald Mar 24, 2025
66767b6
adding PeerAuthentication to schema for tests
laurafitzgerald Mar 31, 2025
ff67e2d
set LinkDeploymentToLimitador, unset LinkDeploymentToAuthorino
eguzki Apr 2, 2025
3218402
authorino_reconciler.go: update logging level of traces
eguzki Apr 2, 2025
88db720
api/v1beta1/topology.go: LinkLimitadorToDeployment unittests
eguzki Apr 2, 2025
ead00f7
authorino_istio_integration_reconciler
eguzki Apr 2, 2025
5c81403
istio_peerauthentication_reconciler
eguzki Apr 2, 2025
73a79aa
limitador_istio_integration_reconciler
eguzki Apr 2, 2025
8acf925
split mtls_reconciler into several reconcilers
eguzki Apr 2, 2025
6d6edd7
revert changes from config/samples/kuadrant_v1beta1_kuadrant.yaml
eguzki Apr 3, 2025
f563167
kuadrant CRD: additional printer column mtls
eguzki Apr 4, 2025
e23a4a6
internal/utils/map_utils.go: MergeMapStringString and unittests
eguzki Apr 7, 2025
74e6557
mtls: integration tests
eguzki Apr 7, 2025
bade7f5
mtls: link kuadrant to peerauthentication
eguzki Apr 8, 2025
8514c5d
s/AuthorionIsReady/AuthorinoIsReady/g
eguzki Apr 9, 2025
33 changes: 31 additions & 2 deletions api/v1beta1/kuadrant_types.go
Expand Up @@ -17,6 +17,8 @@ limitations under the License.
package v1beta1

import (
"reflect"

"github.com/go-logr/logr"
"github.com/google/go-cmp/cmp"
"github.com/kuadrant/policy-machinery/machinery"
Expand All @@ -35,6 +37,7 @@ var (
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
//+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason`,priority=2
//+kubebuilder:printcolumn:name="mTLS",type=boolean,JSONPath=".status.mtls"
//+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

// Kuadrant configures installations of Kuadrant Service Protection components
Expand All @@ -48,19 +51,35 @@ type Kuadrant struct {

var _ machinery.Object = &Kuadrant{}

func (p *Kuadrant) GetLocator() string {
return machinery.LocatorFromObject(p)
func (k *Kuadrant) GetLocator() string {
return machinery.LocatorFromObject(k)
}

func (k *Kuadrant) IsMTLSEnabled() bool {
if k == nil {
return false
}
return k.Spec.MTLS != nil && k.Spec.MTLS.Enable
}

// KuadrantSpec defines the desired state of Kuadrant
type KuadrantSpec struct {
Observability Observability `json:"observability,omitempty"`
// +optional
// MTLS is an optional entry which when enabled is set to true, kuadrant-operator
// will add the configuration required to enable mTLS between an Istio provided
// gateway and the Kuadrant components.
MTLS *MTLS `json:"mtls,omitempty"`
}

type Observability struct {
Enable bool `json:"enable,omitempty"`
}

type MTLS struct {
Enable bool `json:"enable,omitempty"`
}

// KuadrantStatus defines the observed state of Kuadrant
type KuadrantStatus struct {
// ObservedGeneration reflects the generation of the most recently observed spec.
Expand All @@ -74,6 +93,10 @@ type KuadrantStatus struct {
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`

// Mtls reflects the mtls feature state.
// +optional
Mtls *bool `json:"mtls,omitempty"`
}

func (r *KuadrantStatus) Equals(other *KuadrantStatus, logger logr.Logger) bool {
Expand All @@ -83,6 +106,12 @@ func (r *KuadrantStatus) Equals(other *KuadrantStatus, logger logr.Logger) bool
return false
}

if !reflect.DeepEqual(r.Mtls, other.Mtls) {
diff := cmp.Diff(r.Mtls, other.Mtls)
logger.V(1).Info("Mtls not equal", "difference", diff)
return false
}

// Marshalling sorts by condition type
currentMarshaledJSON, _ := kuadrant.ConditionMarshal(r.Conditions)
otherMarshaledJSON, _ := kuadrant.ConditionMarshal(other.Conditions)
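Review bot: `IsMTLSEnabled` (line 146) is exported but carries no doc comment, and the new status field is named `Mtls` while the spec field and its type are `MTLS`; Go's initialism convention favours `MTLS` for both, and renaming the status field only changes the Go identifier since the JSON tag `mtls` stays. Suggested comment for the method: `// IsMTLSEnabled reports whether spec.mtls.enable is set; it is safe to call on a nil receiver.` The `MTLS` field comment reads awkwardly; suggest `// MTLS, when its enable flag is true, makes kuadrant-operator add the configuration required for mTLS between an Istio-provided gateway and the Kuadrant components.` The status field presumably uses a pointer so that "not yet reported" can be told apart from false — if so, the field comment should say that. The `Equals` method continues outside the hunk.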
29 changes: 29 additions & 0 deletions api/v1beta1/topology.go
Expand Up @@ -6,12 +6,14 @@ import (
"github.com/kuadrant/policy-machinery/controller"
"github.com/kuadrant/policy-machinery/machinery"
"github.com/samber/lo"
appsv1 "k8s.io/api/apps/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"

"github.com/kuadrant/kuadrant-operator/internal/kuadrant"
observability "github.com/kuadrant/kuadrant-operator/internal/observability"
"github.com/kuadrant/kuadrant-operator/internal/utils"
)

var (
Expand All @@ -20,6 +22,9 @@ var (

LimitadorsResource = limitadorv1alpha1.GroupVersion.WithResource("limitadors")
AuthorinosResource = authorinooperatorv1beta1.GroupVersion.WithResource("authorinos")

DeploymentGroupKind = appsv1.SchemeGroupVersion.WithKind("Deployment").GroupKind()
DeploymentsResource = appsv1.SchemeGroupVersion.WithResource("deployments")
)

func LinkKuadrantToGatewayClasses(objs controller.Store) machinery.LinkFunc {
Expand Down Expand Up @@ -66,6 +71,23 @@ func LinkKuadrantToAuthorino(objs controller.Store) machinery.LinkFunc {
}
}

func LinkLimitadorToDeployment(objs controller.Store) machinery.LinkFunc {
limitadors := utils.Map(objs.FilterByGroupKind(LimitadorGroupKind), ControllerObjectToMachineryObject)

return machinery.LinkFunc{
From: LimitadorGroupKind,
To: DeploymentGroupKind,
Func: func(deployment machinery.Object) []machinery.Object {
return lo.Filter(limitadors, func(limitador machinery.Object, _ int) bool {
// the name of the deployment is hardcoded. This deployment is owned by the limitador operator.
// This Link is used to inject pod template label to the deployment.
// labels propagation pattern would be more reliable as the kuadrant operator would be owning these labels
return limitador.GetNamespace() == deployment.GetNamespace() && deployment.GetName() == "limitador-limitador"
})
},
}
}

func LinkKuadrantToServiceMonitor(objs controller.Store) machinery.LinkFunc {
kuadrants := lo.Map(objs.FilterByGroupKind(KuadrantGroupKind), controller.ObjectAs[machinery.Object])

Expand Down Expand Up @@ -103,3 +125,10 @@ func LinkKuadrantToPodMonitor(objs controller.Store) machinery.LinkFunc {
},
}
}

func ControllerObjectToMachineryObject(cObj controller.Object) machinery.Object {
if mObj, ok := cObj.(machinery.Object); ok {
return mObj
}
return &controller.RuntimeObject{Object: cObj}
}
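Review bot: `LinkLimitadorToDeployment` matches the Deployment purely by the hard-coded name `"limitador-limitador"` (line 241), so any Deployment with that name in a namespace holding a Limitador is linked, and every Limitador in that namespace is returned as a parent regardless of its own name. The inline comment already acknowledges the coupling; at minimum hoist the literal into a named constant, e.g. `const limitadorDeploymentName = "limitador-limitador"`, so the dependency on limitador-operator's naming is visible in one place, and mention in the function's doc comment that the link is name-based. `ControllerObjectToMachineryObject` is exported without a doc comment; suggest `// ControllerObjectToMachineryObject returns cObj unchanged when it already implements machinery.Object and otherwise wraps it in a controller.RuntimeObject.`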
69 changes: 69 additions & 0 deletions api/v1beta1/topology_test.go
@@ -0,0 +1,69 @@
//go:build unit

package v1beta1

import (
"testing"

limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
"github.com/kuadrant/policy-machinery/controller"
"github.com/kuadrant/policy-machinery/machinery"
"gotest.tools/assert"
is "gotest.tools/assert/cmp"
appsv1 "k8s.io/api/apps/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func TestLinkLimitadorToDeployment(t *testing.T) {
t.Run("empty store", func(subT *testing.T) {
link := LinkLimitadorToDeployment(controller.Store{})
assert.Equal(subT, link.From, LimitadorGroupKind)
assert.Equal(subT, link.To, DeploymentGroupKind)
assert.Assert(subT, is.Len(link.Func(testDeployment("ns1", "foo")), 0))
})

t.Run("basic", func(subT *testing.T) {
store := controller.Store{}
store["limitador1"] = testLimitador("ns1", "limitador1")
store["limitador2"] = testLimitador("ns2", "limitador2")
link := LinkLimitadorToDeployment(store)
parents := link.Func(testDeployment("ns1", "limitador-limitador"))
assert.Assert(subT, is.Len(parents, 1))
assert.Equal(subT, parents[0].GetName(), "limitador1")
assert.Equal(subT, parents[0].GetNamespace(), "ns1")
parents = link.Func(testDeployment("ns1", "foo"))
assert.Assert(subT, is.Len(parents, 0))
parents = link.Func(testDeployment("ns2", "limitador-limitador"))
assert.Assert(subT, is.Len(parents, 1))
assert.Equal(subT, parents[0].GetName(), "limitador2")
assert.Equal(subT, parents[0].GetNamespace(), "ns2")
})
}

func testDeployment(ns, name string) machinery.Object {
return &controller.RuntimeObject{
Object: &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: DeploymentGroupKind.Kind,
APIVersion: appsv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
},
},
}
}

func testLimitador(ns, name string) controller.Object {
return &limitadorv1alpha1.Limitador{
TypeMeta: metav1.TypeMeta{
Kind: LimitadorGroupKind.Kind,
APIVersion: limitadorv1alpha1.GroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
},
}
}
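Review bot: The `basic` case never places two Limitadors in the same namespace, so the link returning every Limitador in the Deployment's namespace (its filter checks only the namespace and the Deployment name) is left untested. Adding `store["limitador3"] = testLimitador("ns1", "limitador-other")` and asserting `is.Len(parents, 2)` for the `ns1` lookup would pin that behaviour down, and a mismatched-namespace lookup such as `testDeployment("ns3", "limitador-limitador")` expecting length 0 would cover the other half of the condition.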
27 changes: 26 additions & 1 deletion api/v1beta1/zz_generated.deepcopy.go


14 changes: 13 additions & 1 deletion bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
Expand Up @@ -109,7 +109,7 @@ metadata:
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/kuadrant/kuadrant-operator:latest
createdAt: "2025-03-13T20:05:27Z"
createdAt: "2025-04-04T09:59:20Z"
description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system
operators.operatorframework.io/builder: operator-sdk-v1.33.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
Expand Down Expand Up @@ -422,6 +422,18 @@ spec:
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthentications
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
serviceAccountName: kuadrant-operator-controller-manager
deployments:
- label:
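Review bot: The new rule grants the operator create/delete/patch/update on `peerauthentications` in `security.istio.io` (lines 352-363); a PeerAuthentication decides whether workloads in its scope accept non-mTLS traffic, so this is a mesh security policy and not just another CRD. Whether the rule is namespaced or cluster-wide cannot be seen from this hunk, and the same block is repeated in charts/kuadrant-operator/templates/manifests.yaml (lines 449-460). Both files look generated from kubebuilder RBAC markers, so the fix belongs on the marker: add a why-comment such as `// PeerAuthentication is managed only when spec.mtls.enable is set, to require mTLS between the Istio gateway and the Kuadrant components`, and confirm the verb list matches what the peerauthentication reconciler actually issues.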
15 changes: 15 additions & 0 deletions bundle/manifests/kuadrant.io_kuadrants.yaml
Expand Up @@ -21,6 +21,9 @@ spec:
name: Status
priority: 2
type: string
- jsonPath: .status.mtls
name: mTLS
type: boolean
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
Expand Down Expand Up @@ -50,6 +53,15 @@ spec:
spec:
description: KuadrantSpec defines the desired state of Kuadrant
properties:
mtls:
description: |-
MTLS is an optional entry which when enabled is set to true, kuadrant-operator
will add the configuration required to enable mTLS between an Istio provided
gateway and the Kuadrant components.
properties:
enable:
type: boolean
type: object
observability:
properties:
enable:
Expand Down Expand Up @@ -121,6 +133,9 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
mtls:
description: Mtls reflects the mtls feature state.
type: boolean
observedGeneration:
description: ObservedGeneration reflects the generation of the most
recently observed spec.
27 changes: 27 additions & 0 deletions charts/kuadrant-operator/templates/manifests.yaml
Expand Up @@ -8074,6 +8074,9 @@ spec:
name: Status
priority: 2
type: string
- jsonPath: .status.mtls
name: mTLS
type: boolean
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
Expand Down Expand Up @@ -8103,6 +8106,15 @@ spec:
spec:
description: KuadrantSpec defines the desired state of Kuadrant
properties:
mtls:
description: |-
MTLS is an optional entry which when enabled is set to true, kuadrant-operator
will add the configuration required to enable mTLS between an Istio provided
gateway and the Kuadrant components.
properties:
enable:
type: boolean
type: object
observability:
properties:
enable:
Expand Down Expand Up @@ -8174,6 +8186,9 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
mtls:
description: Mtls reflects the mtls feature state.
type: boolean
observedGeneration:
description: ObservedGeneration reflects the generation of the most
recently observed spec.
Expand Down Expand Up @@ -9364,6 +9379,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthentications
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
3 changes: 3 additions & 0 deletions cmd/main.go
Expand Up @@ -32,6 +32,8 @@ import (
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
istioextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
istionetworkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
istiosecurity "istio.io/client-go/pkg/apis/security/v1"

corev1 "k8s.io/api/core/v1"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
k8sruntime "k8s.io/apimachinery/pkg/runtime"
Expand Down Expand Up @@ -78,6 +80,7 @@ func init() {
utilruntime.Must(egv1alpha1.AddToScheme(scheme))
utilruntime.Must(consolev1.AddToScheme(scheme))
utilruntime.Must(monitoringv1.AddToScheme(scheme))
utilruntime.Must(istiosecurity.AddToScheme(scheme))
//+kubebuilder:scaffold:scheme

logger := log.NewLogger(
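Review bot: The added blank line at 472 splits the third-party import group between the istio and k8s.io imports; goimports keeps blank-line-separated runs as distinct groups, so it should be dropped to keep the `istiosecurity` import in the same group as the other istio client-go imports. Registering the istio security types in the scheme unconditionally is fine, since it only affects type registration rather than any API call. The `init` function continues outside the hunk.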