Pulumi: Support creating arbitrary CRs via infra stack

Part of #1078

[static]

Signed-off-by: Martin Florian <martin.florian@digitalasset.com>

Author: martinflorian-da

cluster/deployment/mock/config.yaml

@@ -117,3 +117,19 @@ svs:
       kms:
         keyRingId: sv-3_participant_mock
         locationId: us-central1
+extraCustomResources:
+  sv-1-deny-onboard-prepare-endpoint:
+    apiVersion: security.istio.io/v1
+    kind: AuthorizationPolicy
+    metadata:
+      name: deny-onboard-prepare-endpoint
+      namespace: sv-1
+    spec:
+      selector:
+        matchLabels:
+          app: sv-app
+      action: DENY
+      rules:
+        - to:
+            - operation:
+                paths: ["/api/sv/v0/devnet/onboard/validator/prepare"]

cluster/expected/infra/expected.json

@@ -2928,6 +2928,42 @@
     "provider": "",
     "type": "kubernetes:core/v1:Secret"
   },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "apiVersion": "security.istio.io/v1",
+      "kind": "AuthorizationPolicy",
+      "metadata": {
+        "name": "deny-onboard-prepare-endpoint",
+        "namespace": "sv-1"
+      },
+      "spec": {
+        "action": "DENY",
+        "rules": [
+          {
+            "to": [
+              {
+                "operation": {
+                  "paths": [
+                    "/api/sv/v0/devnet/onboard/validator/prepare"
+                  ]
+                }
+              }
+            ]
+          }
+        ],
+        "selector": {
+          "matchLabels": {
+            "app": "sv-app"
+          }
+        }
+      }
+    },
+    "name": "sv-1-deny-onboard-prepare-endpoint",
+    "provider": "",
+    "type": "kubernetes:security.istio.io/v1:AuthorizationPolicy"
+  },
   {
     "custom": true,
     "id": "",

cluster/pulumi/infra/src/config.ts

@@ -55,6 +55,7 @@ export const InfraConfigSchema = z.object({
     }),
   }),
   monitoring: MonitoringConfigSchema,
+  extraCustomResources: z.object({}).catchall(z.any()).default({}),
 });
 
 export type Config = z.infer<typeof InfraConfigSchema>;
@@ -72,6 +73,7 @@ console.error(
 
 export const infraConfig = fullConfig.infra;
 export const monitoringConfig = fullConfig.monitoring;
+export const extraCustomResourcesConfig = fullConfig.extraCustomResources;
 
 type IpRangesDict = { [key: string]: IpRangesDict } | string[];
 

cluster/pulumi/infra/src/extraCustomResources.ts

@@ -0,0 +1,9 @@
+import * as k8s from '@pulumi/kubernetes';
+
+export function installExtraCustomResources(
+  extraCrs: Record<string, k8s.apiextensions.CustomResourceArgs>
+): void {
+  Object.entries(extraCrs).forEach(([name, spec]) => {
+    new k8s.apiextensions.CustomResource(name, spec);
+  });
+}

cluster/pulumi/infra/src/index.ts

@@ -5,7 +5,13 @@ import { config } from 'splice-pulumi-common';
 
 import { clusterIsResetPeriodically, enableAlerts } from './alertings';
 import { configureAuth0 } from './auth0';
-import { clusterBaseDomain, clusterBasename, monitoringConfig } from './config';
+import {
+  clusterBaseDomain,
+  clusterBasename,
+  extraCustomResourcesConfig,
+  monitoringConfig,
+} from './config';
+import { installExtraCustomResources } from './extraCustomResources';
 import {
   getNotificationChannel,
   installCloudSQLMaintenanceUpdateAlerts,
@@ -40,6 +46,8 @@ istioMonitoring(network.ingressNs, []);
 
 configureStorage();
 
+installExtraCustomResources(extraCustomResourcesConfig);
+
 let configuredAuth0;
 if (config.envFlag('CLUSTER_CONFIGURE_AUTH0', true)) {
   configuredAuth0 = configureAuth0(clusterBasename, network.dnsNames);