Add authorizer to Tornjak config

Alan-Cha · Alan-Cha · commit 5e67180810e9 · 2025-07-11T13:43:52.000-04:00
Signed-off-by: Alan Cha &lt;Alan.cha1@ibm.com&gt;
diff --git a/charts/spire/charts/spire-server/templates/tornjak-config.yaml b/charts/spire/charts/spire-server/templates/tornjak-config.yaml
@@ -53,6 +53,48 @@ data:
           audience = "{{ .Values.tornjak.config.userManagement.audience }}"
         }
       }
+
+      Authorizer "RBAC" {
+        plugin_data {
+          name = "Admin Viewer Policy"
+          role "admin" { desc = "admin person" }
+          role "viewer" { desc = "viewer person" }
+          # this special character role is reserved for allowing all authenticated persons
+          role "" { desc = "authenticated person" }
+
+          # home tornjak backend api allowed with any successful authentication
+          API "/" { allowed_roles = [""] }
+          # allowed with successful authentication and either admin or viewer role
+          # v1 API
+          APIv1 "GET /api/v1/spire/serverinfo" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "GET /api/v1/spire/healthcheck" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "GET /api/v1/spire/agents" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "DELETE /api/v1/spire/agents" { allowed_roles = ["admin"] }
+          APIv1 "POST /api/v1/spire/agents/ban" { allowed_roles = ["admin"] }
+          APIv1 "POST /api/v1/spire/agents/jointoken" { allowed_roles = ["admin"] }
+          APIv1 "GET /api/v1/spire/entries" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "POST /api/v1/spire/entries" { allowed_roles = ["admin"] }
+          APIv1 "DELETE /api/v1/spire/entries" { allowed_roles = ["admin"] }
+
+          # SPIRE Federation API calls
+          APIv1 "GET /api/v1/spire/bundle" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "GET /api/v1/spire/federations/bundles" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "POST /api/v1/spire/federations/bundles" { allowed_roles = ["admin"] }
+          APIv1 "PATCH /api/v1/spire/federations/bundles" { allowed_roles = ["admin"] }
+          APIv1 "DELETE /api/v1/spire/federations/bundles" { allowed_roles = ["admin"] }
+
+          # Tornjak API calls
+          APIv1 "GET /api/v1/tornjak/serverinfo" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "GET /api/v1/tornjak/agents" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "POST /api/v1/tornjak/selectors" { allowed_roles = ["admin"] }
+          APIv1 "GET /api/v1/tornjak/selectors" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "GET /api/v1/tornjak/clusters" { allowed_roles = ["admin", "viewer"] }
+          APIv1 "POST /api/v1/tornjak/clusters" { allowed_roles = ["admin"] }
+          APIv1 "PATCH /api/v1/tornjak/clusters" { allowed_roles = ["admin"] }
+          APIv1 "DELETE /api/v1/tornjak/clusters" { allowed_roles = ["admin"] }
+        }
+      }
+
     {{- end }}
     }
 {{- end }}
