diff --git a/charts/authorino-operator/.helmignore b/charts/authorino-operator/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/authorino-operator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/authorino-operator/Chart.yaml b/charts/authorino-operator/Chart.yaml
new file mode 100644
index 0000000..ed21516
--- /dev/null
+++ b/charts/authorino-operator/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: authorino-operator
+description: Kubernetes operator for managing Authorino instances, a K8s-native AuthN/AuthZ service to protect your APIs.
+home: https://kuadrant.io
+icon: https://raw.githubusercontent.com/Kuadrant/kuadrant.github.io/main/static/img/apple-touch-icon.png
+keywords:
+ - authorino
+ - authn
+ - authz
+ - authorization
+ - authentication
+ - service protection
+ - kubernetes
+ - kuadrant
+sources:
+ - https://github.com/Kuadrant/authorino-operator/
+ - https://github.com/Kuadrant/authorino/
+kubeVersion: ">=1.19.0-0"
+type: application
+# The version will be properly set when the chart is released matching the operator version
+version: "0.0.0"
+maintainers:
+ - email: mcassola@redhat.com
+ name: Guilherme Cassolato
+ - email: didier@redhat.com
+ name: Didier Di Cesare
+ - email: eastizle@redhat.com
+ name: Eguzki Astiz Lezaun
diff --git a/charts/authorino-operator/templates/manifests.yaml b/charts/authorino-operator/templates/manifests.yaml
new file mode 100644
index 0000000..c9d2d29
--- /dev/null
+++ b/charts/authorino-operator/templates/manifests.yaml
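Review bot: Chart.yaml declares `version` (with the note that it is stamped at release time) but no `appVersion`, so `helm list` / `helm show chart` cannot report which operator build the chart deploys, and the templates have no `.Chart.AppVersion` to pin the image tag to. Adding `appVersion: "0.0.0"` next to `version`, stamped by the same release step, gives the templates a single source of truth for the image tag; keep it quoted so a release such as `0.10` is not read as the float `0.1`. The `description` line also runs well past 120 characters and would read better as a `>-` folded scalar.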
@@ -0,0 +1,600 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: authorino-operator + name: authorino-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: authorinos.operator.authorino.kuadrant.io +spec: + group: operator.authorino.kuadrant.io + names: + kind: Authorino + listKind: AuthorinoList + plural: authorinos + singular: authorino + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Authorino is the Schema for the authorinos API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AuthorinoSpec defines the desired state of Authorino + properties: + authConfigLabelSelectors: + type: string + clusterWide: + type: boolean + evaluatorCacheSize: + type: integer + healthz: + properties: + port: + description: Port number of the health/readiness probe endpoints. 
+ format: int32 + type: integer + type: object + image: + type: string + imagePullPolicy: + description: PullPolicy describes a policy for if/when to pull a container + image + type: string + listener: + properties: + maxHttpRequestBodySize: + description: Maximum payload (request body) size for the auth + service (HTTP interface), in bytes. + type: integer + port: + description: 'Port number of the GRPC interface. DEPRECATED: use + ''ports.grpc'' instead.' + format: int32 + type: integer + ports: + description: Port numbers of the GRPC and HTTP auth interfaces. + properties: + grpc: + format: int32 + type: integer + http: + format: int32 + type: integer + type: object + timeout: + description: Timeout of the auth service (GRPC and HTTP interfaces), + in milliseconds. + type: integer + tls: + description: TLS configuration of the auth service (GRPC and HTTP + interfaces). + properties: + certSecretRef: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + enabled: + type: boolean + type: object + required: + - tls + type: object + logLevel: + type: string + logMode: + type: string + metrics: + properties: + deep: + type: boolean + port: + format: int32 + type: integer + type: object + oidcServer: + properties: + port: + format: int32 + type: integer + tls: + properties: + certSecretRef: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + type: object + enabled: + type: boolean + type: object + required: + - tls + type: object + replicas: + format: int32 + type: integer + secretLabelSelectors: + type: string + supersedingHostSubsets: + type: boolean + tracing: + properties: + endpoint: + type: string + insecure: + type: boolean + tags: + additionalProperties: + type: string + type: object + required: + - endpoint + type: object + volumes: + properties: + defaultMode: + description: Permissions mode. + format: int32 + type: integer + items: + items: + properties: + configMaps: + description: Allow multiple configmaps to mount to the same + directory + items: + type: string + type: array + items: + description: Mount details + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to + set permissions on this file. Must be an octal value + between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal values, + JSON requires decimal values for mode bits. If not + specified, the volume defaultMode will be used. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the file + to map the key to. May not be an absolute path. + May not contain the path element '..'. May not start + with the string '..'. 
+ type: string + required: + - key + - path + type: object + type: array + mountPath: + description: An absolute path where to mount it + type: string + name: + description: Volume name + type: string + secrets: + description: Secret mount + items: + type: string + type: array + required: + - mountPath + type: object + type: array + type: object + required: + - listener + - oidcServer + type: object + status: + description: AuthorinoStatus defines the observed state of Authorino + properties: + conditions: + description: 'Conditions is an array of the current Authorino''s CR + conditions Supported condition types: ConditionReady' + items: + properties: + lastTransitionTime: + description: Last time the condition transit from one status + to another. + format: date-time + type: string + lastUpdatedTime: + description: Last time the condition was updated + format: date-time + type: string + message: + description: Human readable message indicating details about + last transition. + type: string + reason: + description: (brief) reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: authorino-operator + namespace: authorino-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: authorino-operator-leader-election + namespace: authorino-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: authorino-operator-manager +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - delete + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - 
authorino.kuadrant.io + resources: + - authconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs/status + verbs: + - get + - patch + - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/finalizers + verbs: + - update +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/status + verbs: + - get + - patch + - update +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - create + - get + - list + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: authorino-operator-leader-election + namespace: authorino-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: authorino-operator-leader-election +subjects: +- kind: ServiceAccount + name: authorino-operator + namespace: authorino-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: authorino-operator-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: authorino-operator-manager +subjects: +- kind: ServiceAccount + name: authorino-operator 
+ namespace: authorino-operator +--- +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: aac3a15d.authorino.kuadrant.io +kind: ConfigMap +metadata: + name: manager-config + namespace: authorino-operator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: authorino-operator + name: authorino-operator + namespace: authorino-operator +spec: + replicas: 1 + selector: + matchLabels: + control-plane: authorino-operator + template: + metadata: + labels: + control-plane: authorino-operator + spec: + containers: + - args: + - --leader-elect + command: + - /manager + image: quay.io/kuadrant/authorino-operator:latest + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 300Mi + requests: + cpu: 200m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: authorino-operator + terminationGracePeriodSeconds: 10 diff --git a/charts/authorino-operator/values.yaml b/charts/authorino-operator/values.yaml new file mode 100644 index 0000000..b230d9b --- /dev/null +++ b/charts/authorino-operator/values.yaml @@ -0,0 +1 @@ +# For its first iteration, this chart won't be configurable with helm settings
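Review bot: The operator Deployment at the end of the hunk runs `image: quay.io/kuadrant/authorino-operator:latest`, a floating tag, so the bits actually deployed depend on what the registry serves at install time, cannot be reproduced from the chart, and (because `:latest` implies `imagePullPolicy: Always`) are re-pulled on every pod restart. Chart.yaml says the chart version is stamped to match the operator at release, so the tag should come from that metadata — `image: quay.io/kuadrant/authorino-operator:{{ .Chart.AppVersion }}` with an `appVersion` in Chart.yaml — or be pinned by digest (`@sha256:<DIGEST_PLACEHOLDER>`). The container `securityContext` stops at `allowPrivilegeEscalation: false`; the restricted Pod Security Standard additionally expects `capabilities.drop: [ALL]` and a `seccompProfile` of `RuntimeDefault`, and `readOnlyRootFilesystem: true` should be safe assuming the `/manager` binary writes nothing to its root filesystem — confirm. Separately, the `manager-config` ConfigMap defined just above the Deployment is not mounted and no `--config` argument references it, so as written it appears inert.
```yaml
      containers:
      - args:
        # … unchanged: args, command …
        image: quay.io/kuadrant/authorino-operator:{{ .Chart.AppVersion }}
        # … unchanged: probes, name, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: serviceAccountName, terminationGracePeriodSeconds …
```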