Configurable Tornjak CRD manager

Signed-off-by: Alan Cha <Alan.cha1@ibm.com>

Author: Alan-Cha

charts/spire/charts/spire-server/templates/tornjak-config.yaml

@@ -40,11 +40,13 @@ data:
       }
     {{- end }}
 
+    {{- if .Values.tornjak.config.crdManager.enabled }}
       SPIRECRDManager {
         plugin_data {
           classname = "{{ .Values.controllerManager.className }}"
         }
       }
+    {{- end }}
 
     {{- if ne .Values.tornjak.config.userManagement.issuer "" }}
       Authenticator "Keycloak" {
@@ -53,48 +55,6 @@ data:
           audience = "{{ .Values.tornjak.config.userManagement.audience }}"
         }
       }
-
-      Authorizer "RBAC" {
-        plugin_data {
-          name = "Admin Viewer Policy"
-          role "admin" { desc = "admin person" }
-          role "viewer" { desc = "viewer person" }
-          # this special character role is reserved for allowing all authenticated persons
-          role "" { desc = "authenticated person" }
-
-          # home tornjak backend api allowed with any successful authentication
-          API "/" { allowed_roles = [""] }
-          # allowed with successful authentication and either admin or viewer role
-          # v1 API
-          APIv1 "GET /api/v1/spire/serverinfo" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "GET /api/v1/spire/healthcheck" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "GET /api/v1/spire/agents" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "DELETE /api/v1/spire/agents" { allowed_roles = ["admin"] }
-          APIv1 "POST /api/v1/spire/agents/ban" { allowed_roles = ["admin"] }
-          APIv1 "POST /api/v1/spire/agents/jointoken" { allowed_roles = ["admin"] }
-          APIv1 "GET /api/v1/spire/entries" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "POST /api/v1/spire/entries" { allowed_roles = ["admin"] }
-          APIv1 "DELETE /api/v1/spire/entries" { allowed_roles = ["admin"] }
-
-          # SPIRE Federation API calls
-          APIv1 "GET /api/v1/spire/bundle" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "GET /api/v1/spire/federations/bundles" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "POST /api/v1/spire/federations/bundles" { allowed_roles = ["admin"] }
-          APIv1 "PATCH /api/v1/spire/federations/bundles" { allowed_roles = ["admin"] }
-          APIv1 "DELETE /api/v1/spire/federations/bundles" { allowed_roles = ["admin"] }
-
-          # Tornjak API calls
-          APIv1 "GET /api/v1/tornjak/serverinfo" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "GET /api/v1/tornjak/agents" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "POST /api/v1/tornjak/selectors" { allowed_roles = ["admin"] }
-          APIv1 "GET /api/v1/tornjak/selectors" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "GET /api/v1/tornjak/clusters" { allowed_roles = ["admin", "viewer"] }
-          APIv1 "POST /api/v1/tornjak/clusters" { allowed_roles = ["admin"] }
-          APIv1 "PATCH /api/v1/tornjak/clusters" { allowed_roles = ["admin"] }
-          APIv1 "DELETE /api/v1/tornjak/clusters" { allowed_roles = ["admin"] }
-        }
-      }
-
     {{- end }}
     }
 {{- end }}

charts/spire/charts/spire-server/values.yaml

@@ -546,7 +546,7 @@ controllerManager:
 
   ## @param controllerManager.className specify to use an explicit class name. If empty, it will be automatically set to Release.Namespace-Release.Name to not conflict with other installs, enabling parallel installs.
   className: ""
-  
+
   ## @param controllerManager.watchClassless specify to process custom resources without class name specified. Useful to slowly migrate to class names from classless installs. Do not have two installs on the same k8s cluster both set to true.
   watchClassless: false
 
@@ -1139,6 +1139,10 @@ tornjak:
       ## @param tornjak.config.clientCA.name Name of the resource secret or configMap with user CA for TLS
       name: tornjak-client-ca
 
+    crdManager:
+      ## @param tornjak.config.crdManager.enabled Allow the Tornjak CRD manager to start
+      enabled: true
+
   ## @param tornjak.resources [object] Resource requests and limits
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious