Initial Airlock Microgateway Implementation

.editorconfig

@@ -31,3 +31,4 @@ indent_size = unset
 indent_style = unset
 insert_final_newline = unset
 trim_trailing_whitespace = unset
+

.gitignore

@@ -13,3 +13,5 @@
 /_public
 
 # Additional entries
+/jsonnetfile.json
+/olm

.yamllint.yml

@@ -22,3 +22,4 @@ ignore: |
   manifests/
   vendor/
   compiled/
+  00_gateway_api/

class/airlock-microgateway.yml

@@ -1,11 +1,94 @@
 parameters:
-  kapitan:
-    compile:
-      - input_paths:
-          - ${_base_directory}/component/app.jsonnet
-        input_type: jsonnet
-        output_path: .
-      - input_paths:
-          - ${_base_directory}/component/main.jsonnet
+  =_helm_chart_name: "microgateway"
+  =_release_name: "airlock-microgateway"
+  =_kapitan:
+    k8s_gw_api:
+      'True':
+        input_paths:
+          - ${_base_directory}/dependencies/gateway-api/standard-install.yaml
+        input_type: copy
+        output_path: airlock-microgateway/00_prerequisites/00_gateway_api/
+      'False':
+        input_paths: []
         input_type: jsonnet
-        output_path: airlock-microgateway/
+        output_path: ''
+    olm:
+      dependencies:
+        - type: https
+          source: ${airlock_microgateway:gateway_api:source}
+          output_path: ${_base_directory}/dependencies/gateway-api/standard-install.yaml
+      compile:
+        - input_paths:
+            - ${_base_directory}/component/app.jsonnet
+          input_type: jsonnet
+          output_path: .
+
+        - input_paths:
+            - ${_base_directory}/component/namespace.jsonnet
+          input_type: jsonnet
+          output_path: airlock-microgateway/00_prerequisites/
+
+        - input_paths:
+            - ${_base_directory}/component/olm.jsonnet
+          input_type: jsonnet
+          output_path: airlock-microgateway/01_olm/
+          # If multi-tenant:
+          # output_path: ${_instance}/olm/
+        - ${_kapitan:k8s_gw_api:${airlock_microgateway:gateway_api:enabled}}
+        - input_paths:
+            - ${_base_directory}/component/main.jsonnet
+          input_type: jsonnet
+          output_path: airlock-microgateway/00_prerequisites/
+
+    helm:
+      dependencies:
+        - type: https
+          source: ${airlock_microgateway:gateway_api:source}
+          output_path: ${_base_directory}/dependencies/gateway-api/standard-install.yaml
+        - type: helm
+          chart_name: ${_helm_chart_name}
+          version: ${airlock_microgateway:charts:${_helm_chart_name}:version}
+          source: ${airlock_microgateway:charts:${_helm_chart_name}:source}
+          output_path: ${_base_directory}/helmcharts/airlock-microgateway/${airlock_microgateway:charts:${_helm_chart_name}:version}/
+
+      compile:
+        - input_paths:
+            - ${_base_directory}/component/app.jsonnet
+          input_type: jsonnet
+          output_path: .
+
+        # - input_paths: ${_kapitan:jsonnet_input_paths}
+        #   input_type: jsonnet
+        #   output_path: ${_instance}/
+
+        - input_paths:
+            - ${_base_directory}/component/namespace.jsonnet
+          input_type: jsonnet
+          output_path: airlock-microgateway/00_prerequisites/
+        - ${_kapitan:k8s_gw_api:${airlock_microgateway:gateway_api:enabled}}
+        - input_paths:
+            - ${_base_directory}/component/render-helm-values.jsonnet
+          input_type: jsonnet
+          output_path: ${_base_directory}/helm_values/
+        - output_path: airlock-microgateway/01_airlock-microgateway_helmchart/
+          input_type: helm
+          output_type: yaml
+          input_paths:
+            - ${_base_directory}/helmcharts/airlock-microgateway/${airlock_microgateway:charts:${_helm_chart_name}:version}/
+          helm_params:
+            name: ${_release_name}
+            namespace: ${airlock_microgateway:namespace}
+          helm_values_files:
+            - ${_base_directory}/helm_values/values.yaml
+        - input_paths:
+            - ${_base_directory}/component/main.jsonnet
+          input_type: jsonnet
+          output_path: airlock-microgateway/00_prerequisites/
+        - input_paths:
+            - ${_base_directory}/helm_values/
+          input_type: remove
+          output_path: .
+
+
+  kapitan:
+    ${_kapitan:${airlock_microgateway:install_method}}

class/defaults.yml

@@ -1,5 +1,50 @@
 parameters:
   airlock_microgateway:
     =_metadata:
-      multi_tenant: true
+      multi_tenant: false
     namespace: syn-airlock-microgateway
+
+    # Possible values: "helm", "olm"
+    install_method: helm
+
+    license: ""
+
+    network_policy:
+      namespace_selector:
+        matchLabels:
+          'appuio.ch/waf': 'airlock'
+
+    gateway_api:
+      # Installs upstream Kubernetes Gateway API if true
+      enabled: true
+      # Kubernetes Gateway API version
+      version: "v1.2.1"
+      # Upstream Kubernetes Gateway API source
+      source: https://github.com/kubernetes-sigs/gateway-api/releases/download/${airlock_microgateway:gateway_api:version}/standard-install.yaml
+
+    # See Airlock docs: https://docs.airlock.com/microgateway/4.5/index/1726159368039.html
+    helm_values:
+      operator:
+        gatewayAPI:
+          enabled: true
+          podMonitor:
+            create: true
+            labels:
+              release: "kube-prometheus-stack"
+        serviceMonitor:
+          create: true
+          labels:
+            release: "kube-prometheus-stack"
+      dashboards:
+        create: true
+
+    olm:
+      version: "4.5.2"
+      channel: "release-${airlock_microgateway:olm:version}"
+      config:
+        create_pod_monitor: true
+
+    charts:
+      microgateway:
+        version: "4.5.2"
+        source: "oci://quay.io/airlockcharts/microgateway"

component/main.jsonnet

@@ -5,6 +5,31 @@ local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.airlock_microgateway;
 
+local license_secret = kube.Secret('airlock-microgateway-license') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  data_: {
+    'microgateway-license.txt': params.license,
+  },
+};
+
+local net_pol = kube.NetworkPolicy('allow-from-waf-namespaces') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  spec: {
+    ingress: [{
+      from: [{
+        namespaceSelector: params.network_policy.namespace_selector,
+      }],
+    }],
+    policyTypes: ['Ingress'],
+  },
+};
+
 // Define outputs below
 {
+  '01_license_secret': license_secret,
+  '01_network_policy': net_pol,
 }

component/namespace.jsonnet

@@ -0,0 +1,24 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local util = import 'util.libsonnet';
+
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.airlock_microgateway;
+
+local additionalOpenshiftMeta =
+  if util.isOpenshift then
+    {
+      labels+: {
+        'openshift.io/cluster-monitoring': 'true',
+      },
+    }
+  else
+    {};
+
+// Define outputs below
+{
+  '00_namespace': kube.Namespace(params.namespace) {
+    metadata+: additionalOpenshiftMeta,
+  },
+}

component/olm.jsonnet

@@ -0,0 +1,44 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local operatorlib = import 'lib/openshift4-operators.libsonnet';
+
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.airlock_microgateway;
+
+local operator_group = operatorlib.OperatorGroup('airlock-microgateway') {
+  metadata+: {
+    annotations+: {
+      'argocd.argoproj.io/sync-wave': '-90',
+    },
+    namespace: params.namespace,
+  },
+};
+
+local operator_subscription = operatorlib.namespacedSubscription(
+  params.namespace,
+  'airlock-microgateway',
+  params.olm.channel,
+  'certified-operators'
+) {
+  metadata+: {
+    annotations+: {
+      'argocd.argoproj.io/sync-wave': '-80',
+    },
+  },
+  spec+: {
+    config+: {
+      env: [
+        {
+          name: 'GATEWAY_API_POD_MONITOR_CREATE',
+          value: '%s' % params.olm.config.create_pod_monitor,
+        },
+      ],
+    },
+  },
+};
+
+{
+  [if params.install_method == 'olm' then '10_operator_group']: operator_group,
+  [if params.install_method == 'olm' then '10_operator_subscription']: operator_subscription,
+}

component/render-helm-values.jsonnet

@@ -0,0 +1,10 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.airlock_microgateway;
+
+local helm_values = params.helm_values;
+
+{
+  values: helm_values,
+}

component/util.libsonnet

@@ -0,0 +1,11 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+
+local isOpenshift = std.member([ 'openshift4', 'oke' ], inv.parameters.facts.distribution);
+
+{
+  isOpenshift: isOpenshift,
+}

docs/modules/ROOT/pages/index.adoc

@@ -1,4 +1,4 @@
-= airlock-microgateway
+= Airlock Microgateway
 
 airlock-microgateway is a Commodore component to manage airlock-microgateway.
 

jsonnetfile.jsonnet

@@ -0,0 +1,15 @@
+{
+  version: 1,
+  dependencies: [
+    {
+      source: {
+        git: {
+          remote: 'https://github.com/projectsyn/jsonnet-libs',
+          subdir: '',
+        },
+      },
+      version: 'main',
+      name: 'syn',
+    },
+  ],
+}

tests/disable-gateway-api.yml

@@ -0,0 +1,6 @@
+# Overwrite parameters here
+
+parameters:
+  airlock_microgateway:
+    gateway_api:
+      enabled: false