Adding mTLS kuadrant installation mode

api/v1beta1/kuadrant_types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1beta1
 
 import (
+	"reflect"
+
 	"github.com/go-logr/logr"
 	"github.com/google/go-cmp/cmp"
 	"github.com/kuadrant/policy-machinery/machinery"
@@ -35,6 +37,7 @@ var (
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason`,priority=2
+//+kubebuilder:printcolumn:name="mTLS",type=boolean,JSONPath=".status.mtls"
 //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
 // Kuadrant configures installations of Kuadrant Service Protection components
@@ -48,19 +51,35 @@ type Kuadrant struct {
 
 var _ machinery.Object = &Kuadrant{}
 
-func (p *Kuadrant) GetLocator() string {
-	return machinery.LocatorFromObject(p)
+func (k *Kuadrant) GetLocator() string {
+	return machinery.LocatorFromObject(k)
+}
+
+func (k *Kuadrant) IsMTLSEnabled() bool {
+	if k == nil {
+		return false
+	}
+	return k.Spec.MTLS != nil && k.Spec.MTLS.Enable
 }
 
 // KuadrantSpec defines the desired state of Kuadrant
 type KuadrantSpec struct {
 	Observability Observability `json:"observability,omitempty"`
+	// +optional
+	// MTLS is an optional entry which when enabled is set to true, kuadrant-operator
+	// will add the configuration required to enable mTLS between an Istio provided
+	// gateway and the Kuadrant components.
+	MTLS *MTLS `json:"mtls,omitempty"`
 }
 
 type Observability struct {
 	Enable bool `json:"enable,omitempty"`
 }
 
+type MTLS struct {
+	Enable bool `json:"enable,omitempty"`
+}
+
 // KuadrantStatus defines the observed state of Kuadrant
 type KuadrantStatus struct {
 	// ObservedGeneration reflects the generation of the most recently observed spec.
@@ -74,6 +93,10 @@ type KuadrantStatus struct {
 	// +listType=map
 	// +listMapKey=type
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+
+	// Mtls reflects the mtls feature state.
+	// +optional
+	Mtls *bool `json:"mtls,omitempty"`
 }
 
 func (r *KuadrantStatus) Equals(other *KuadrantStatus, logger logr.Logger) bool {
@@ -83,6 +106,12 @@ func (r *KuadrantStatus) Equals(other *KuadrantStatus, logger logr.Logger) bool
 		return false
 	}
 
+	if !reflect.DeepEqual(r.Mtls, other.Mtls) {
+		diff := cmp.Diff(r.Mtls, other.Mtls)
+		logger.V(1).Info("Mtls not equal", "difference", diff)
+		return false
+	}
+
 	// Marshalling sorts by condition type
 	currentMarshaledJSON, _ := kuadrant.ConditionMarshal(r.Conditions)
 	otherMarshaledJSON, _ := kuadrant.ConditionMarshal(other.Conditions)

api/v1beta1/topology.go

@@ -6,12 +6,14 @@ import (
 	"github.com/kuadrant/policy-machinery/controller"
 	"github.com/kuadrant/policy-machinery/machinery"
 	"github.com/samber/lo"
+	appsv1 "k8s.io/api/apps/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	"github.com/kuadrant/kuadrant-operator/internal/kuadrant"
 	observability "github.com/kuadrant/kuadrant-operator/internal/observability"
+	"github.com/kuadrant/kuadrant-operator/internal/utils"
 )
 
 var (
@@ -20,6 +22,9 @@ var (
 
 	LimitadorsResource = limitadorv1alpha1.GroupVersion.WithResource("limitadors")
 	AuthorinosResource = authorinooperatorv1beta1.GroupVersion.WithResource("authorinos")
+
+	DeploymentGroupKind = appsv1.SchemeGroupVersion.WithKind("Deployment").GroupKind()
+	DeploymentsResource = appsv1.SchemeGroupVersion.WithResource("deployments")
 )
 
 func LinkKuadrantToGatewayClasses(objs controller.Store) machinery.LinkFunc {
@@ -66,6 +71,23 @@ func LinkKuadrantToAuthorino(objs controller.Store) machinery.LinkFunc {
 	}
 }
 
+func LinkLimitadorToDeployment(objs controller.Store) machinery.LinkFunc {
+	limitadors := utils.Map(objs.FilterByGroupKind(LimitadorGroupKind), ControllerObjectToMachineryObject)
+
+	return machinery.LinkFunc{
+		From: LimitadorGroupKind,
+		To:   DeploymentGroupKind,
+		Func: func(deployment machinery.Object) []machinery.Object {
+			return lo.Filter(limitadors, func(limitador machinery.Object, _ int) bool {
+				// the name of the deployment is hardcoded. This deployment is owned by the limitador operator.
+				// This Link is used to inject pod template label to the deployment.
+				// labels propagation pattern would be more reliable as the kuadrant operator would be owning these labels
+				return limitador.GetNamespace() == deployment.GetNamespace() && deployment.GetName() == "limitador-limitador"
+			})
+		},
+	}
+}
+
 func LinkKuadrantToServiceMonitor(objs controller.Store) machinery.LinkFunc {
 	kuadrants := lo.Map(objs.FilterByGroupKind(KuadrantGroupKind), controller.ObjectAs[machinery.Object])
 
@@ -103,3 +125,10 @@ func LinkKuadrantToPodMonitor(objs controller.Store) machinery.LinkFunc {
 		},
 	}
 }
+
+func ControllerObjectToMachineryObject(cObj controller.Object) machinery.Object {
+	if mObj, ok := cObj.(machinery.Object); ok {
+		return mObj
+	}
+	return &controller.RuntimeObject{Object: cObj}
+}

api/v1beta1/topology_test.go

@@ -0,0 +1,69 @@
+//go:build unit
+
+package v1beta1
+
+import (
+	"testing"
+
+	limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
+	"github.com/kuadrant/policy-machinery/controller"
+	"github.com/kuadrant/policy-machinery/machinery"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	appsv1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestLinkLimitadorToDeployment(t *testing.T) {
+	t.Run("empty store", func(subT *testing.T) {
+		link := LinkLimitadorToDeployment(controller.Store{})
+		assert.Equal(subT, link.From, LimitadorGroupKind)
+		assert.Equal(subT, link.To, DeploymentGroupKind)
+		assert.Assert(subT, is.Len(link.Func(testDeployment("ns1", "foo")), 0))
+	})
+
+	t.Run("basic", func(subT *testing.T) {
+		store := controller.Store{}
+		store["limitador1"] = testLimitador("ns1", "limitador1")
+		store["limitador2"] = testLimitador("ns2", "limitador2")
+		link := LinkLimitadorToDeployment(store)
+		parents := link.Func(testDeployment("ns1", "limitador-limitador"))
+		assert.Assert(subT, is.Len(parents, 1))
+		assert.Equal(subT, parents[0].GetName(), "limitador1")
+		assert.Equal(subT, parents[0].GetNamespace(), "ns1")
+		parents = link.Func(testDeployment("ns1", "foo"))
+		assert.Assert(subT, is.Len(parents, 0))
+		parents = link.Func(testDeployment("ns2", "limitador-limitador"))
+		assert.Assert(subT, is.Len(parents, 1))
+		assert.Equal(subT, parents[0].GetName(), "limitador2")
+		assert.Equal(subT, parents[0].GetNamespace(), "ns2")
+	})
+}
+
+func testDeployment(ns, name string) machinery.Object {
+	return &controller.RuntimeObject{
+		Object: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       DeploymentGroupKind.Kind,
+				APIVersion: appsv1.SchemeGroupVersion.String(),
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: ns,
+			},
+		},
+	}
+}
+
+func testLimitador(ns, name string) controller.Object {
+	return &limitadorv1alpha1.Limitador{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       LimitadorGroupKind.Kind,
+			APIVersion: limitadorv1alpha1.GroupVersion.String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+}

bundle/manifests/kuadrant-operator.clusterserviceversion.yaml

@@ -109,7 +109,7 @@ metadata:
     capabilities: Basic Install
     categories: Integration & Delivery
     containerImage: quay.io/kuadrant/kuadrant-operator:latest
-    createdAt: "2025-03-13T20:05:27Z"
+    createdAt: "2025-04-04T09:59:20Z"
     description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system
     operators.operatorframework.io/builder: operator-sdk-v1.33.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
@@ -422,6 +422,18 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - security.istio.io
+          resources:
+          - peerauthentications
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         serviceAccountName: kuadrant-operator-controller-manager
       deployments:
       - label:

bundle/manifests/kuadrant.io_kuadrants.yaml

@@ -21,6 +21,9 @@ spec:
       name: Status
       priority: 2
       type: string
+    - jsonPath: .status.mtls
+      name: mTLS
+      type: boolean
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -50,6 +53,15 @@ spec:
           spec:
             description: KuadrantSpec defines the desired state of Kuadrant
             properties:
+              mtls:
+                description: |-
+                  MTLS is an optional entry which when enabled is set to true, kuadrant-operator
+                  will add the configuration required to enable mTLS between an Istio provided
+                  gateway and the Kuadrant components.
+                properties:
+                  enable:
+                    type: boolean
+                type: object
               observability:
                 properties:
                   enable:
@@ -121,6 +133,9 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              mtls:
+                description: Mtls reflects the mtls feature state.
+                type: boolean
               observedGeneration:
                 description: ObservedGeneration reflects the generation of the most
                   recently observed spec.

charts/kuadrant-operator/templates/manifests.yaml

@@ -8074,6 +8074,9 @@ spec:
       name: Status
       priority: 2
       type: string
+    - jsonPath: .status.mtls
+      name: mTLS
+      type: boolean
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
@@ -8103,6 +8106,15 @@ spec:
           spec:
             description: KuadrantSpec defines the desired state of Kuadrant
             properties:
+              mtls:
+                description: |-
+                  MTLS is an optional entry which when enabled is set to true, kuadrant-operator
+                  will add the configuration required to enable mTLS between an Istio provided
+                  gateway and the Kuadrant components.
+                properties:
+                  enable:
+                    type: boolean
+                type: object
               observability:
                 properties:
                   enable:
@@ -8174,6 +8186,9 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              mtls:
+                description: Mtls reflects the mtls feature state.
+                type: boolean
               observedGeneration:
                 description: ObservedGeneration reflects the generation of the most
                   recently observed spec.
@@ -9364,6 +9379,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.istio.io
+  resources:
+  - peerauthentications
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

cmd/main.go

@@ -32,6 +32,8 @@ import (
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	istioextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
 	istionetworkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
+	istiosecurity "istio.io/client-go/pkg/apis/security/v1"
+
 	corev1 "k8s.io/api/core/v1"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
@@ -78,6 +80,7 @@ func init() {
 	utilruntime.Must(egv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(consolev1.AddToScheme(scheme))
 	utilruntime.Must(monitoringv1.AddToScheme(scheme))
+	utilruntime.Must(istiosecurity.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 
 	logger := log.NewLogger(