Support for CSM Authorization V2 support in operator (#614)

* Support OpenShifts ingress controller in Authorization (#554)

* refactor CR and add support for certs, annotations, and ocp for ingress

* update types

* update ingress and cert yamls for all versions

* update controller-gen version and crds

* fix yaml formatting errors

* create ingress dynamically

* create self signed certificates dynamically

* encode custom tls cert

* update CRs for e2e tests

* add unit tests and update versioning to v2.0.0-alpha

* update csm controller test

* fix formatting, linting, and unit tests

* fix linting

* fix wording in CR

* fix CRs

* PR edits

* fix formatting

* Support Multiple Replicas for Redis deployment in Authorization (#553)

* Changes for Auth

* add new changes as per helm

* Updating CRDs

* Resolving yaml errors

* Resolving script issues and removing hardcoded values

* Empty Config Map

* Values changes

* Resolving formatting issues

* Resolving formatting checks

* Resolving rebase issues

* Getting the sentinel values dynamically

* Addressed review comments

* Changes from v1.1.10 to v2.0.0-alpha

* Resolving Unit test errors

* Removing Hardcoded values

* Addressing review comments

* Adding Vault as separate component

* Moving the ConfigMap

* Moving ConfigMap t0 v2.0.0-alpha

* Remving extra newline

* [KRV-17784] Auth CRD support (#556)

* [KRV-17784] Add auth crds and new version

* [KRV-17784] Fix version in tests

* [KRV-17784] Unit test

* [KRV-17784] Fix comment

* [KRV-17784] Fix PR comments

* [KRV-17784] Fix PR comments

* Adding Vault Role for Authorization (#560)

* Add Vault Role

* Updating test files

* Adressing review comments

* Update the deployment with Controller for Authorization (#563)

* Adding deployment for controller

* Using Controller image dynamically

* Addressing review comments

* Addressing review comments - Making replicas configurable

* Addressing review comments & making namespace configurable

* Remove Karavi Storage Secret for v2 (#567)

* remove storage secret

* remove print

* update tls name

* add rediscommander password and username (#570)

* Add storage cluster roles (#568)

* Fix cert-manager deployment, go mod updates (#571)

* Add authorization snapshot policies (#573)

* [KRV-17785] Auth CRD e2e (#572)

* [KRV-17785] Auth CRD e2e

* [KRV-17785] Update go mod

* Added sentinel retry logic (#576)

* file changes for proxy server certificate (#577)

* Update lease permissions for authorization-controller (#580)

* Support user-provided client certs for Vault (#578)

* start vault user certs

* updates

* add cert authority

* fix deployment

* remove storage-service from all deployments

* add certs to sample

* support v1

* remove vault cert manifests

* remove todo

* fix formatting

* fix crd deploy check

* add test for v1

* add tests

* add fail test

* bad vautl ca

* add more error tests

* add test for ingress certs

* add openshift test

* add type meta to v1

* refactor storage service deployment

* refactor self-signed cert

* fix sentinel timeout (#586)

* Remove OpenShift parameter from config and discover it on runtime (#589)

* Programatically detect ocp cluster env for ingress configuration

* Add storage poll interval

* add yaml files changes from make manifests

* change error return to warning log

* PR edits

---------

Co-authored-by: Kerry_Kovacevic <[email protected]>

* [KRV-24554] Auth proxy e2e (#595)

* [KRV-17785] Auth CRD e2e

* [KRV-17785] Update go mod

* [KRV-24554] Fix proxy e2e test

* [KRV-24554] Add auth CRDs step to the scenarios

* [KRV-24554] Remove array data from test files

* Sentinel fix, remove hardcoded sentinel svc port, fix operator deploy… (#597)

* Sentinel fix, remove hardcoded sentinel svc port, fix operator deployment

* Add configurable controller reconcile interval (#598)

* Add configurable controller reconcile interval

* Update test yamls

* fix linting check

* fix linting

* [KRV-25132] Auth CR changes

* update files for new CR format for auth

* [KRV-25132] Default images

* pr review changes

* [KRV-25132] Fix e2e scenarios

---------

Co-authored-by: shaynafinocchiaro <[email protected]>
Co-authored-by: Harshita Pandey <[email protected]>
Co-authored-by: EvgenyUglov <[email protected]>
Co-authored-by: Aaron Tye <[email protected]>
Co-authored-by: Luna Xu <[email protected]>
Co-authored-by: Fernando Alfaro Campos <[email protected]>
Co-authored-by: Bharath Sreekanth <[email protected]>
Co-authored-by: Trevor Dawe <[email protected]>
Co-authored-by: Kerry_Kovacevic <[email protected]>
Co-authored-by: Evgeny Uglov <[email protected]>

Makefile

@@ -20,8 +20,6 @@ endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
 
-# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.25
 
@@ -59,10 +57,10 @@ help: ## Display this help.
 ##@ Development
 
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt"
+	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 #Generate semver.mk
 gen-semver: generate
@@ -127,10 +125,24 @@ deploy: static-manager ## Deploy controller to the K8s cluster specified in ~/.k
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
+##@ Build Dependencies
 
-CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
-controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,v0.6.1)
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+## Tool Binaries
+CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
+
+## Tool Versions
+CONTROLLER_TOOLS_VERSION ?= v0.15.0
+
+.PHONY: controller-gen
+controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten.
+$(CONTROLLER_GEN): $(LOCALBIN)
+	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
+	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
 
 KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.

api/v1/types.go

@@ -1,4 +1,4 @@
-//  Copyright © 2021 - 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+//  Copyright © 2021 - 2024 Dell Inc. or its subsidiaries. All Rights Reserved.
 //
 //  Licensed under the Apache License, Version 2.0 (the "License");
 //  you may not use this file except in compliance with the License.
@@ -31,11 +31,6 @@ type DriverType string
 // ModuleType - type representing the type of the modules. e.g. - authorization, podmon
 type ModuleType string
 
-// CSMComponentType - type constraint for DriverType and ModuleType
-type CSMComponentType interface {
-	ModuleType | DriverType
-}
-
 // ObservabilityComponentType - type representing the type of components inside observability module. e.g. - topology
 type ObservabilityComponentType string
 
@@ -320,18 +315,50 @@ type ContainerTemplate struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Service Container Image"
 	ProxyService string `json:"proxyService,omitempty" yaml:"proxyService,omitempty"`
 
+	// ProxyServiceReplicas is the number of replicas for the proxy service deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Proxy Service Replicas"
+	ProxyServiceReplicas int `json:"proxyServiceReplicas,omitempty" yaml:"proxyServiceReplicas,omitempty"`
+
 	// TenantService is the image tag for the Container
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Tenant Service Container Image"
 	TenantService string `json:"tenantService,omitempty" yaml:"tenantService,omitempty"`
 
+	// TenantServiceReplicas is the number of replicas for the tenant service deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tenant Service Replicas"
+	TenantServiceReplicas int `json:"tenantServiceReplicas,omitempty" yaml:"tenantServiceReplicas,omitempty"`
+
 	// RoleService is the image tag for the Container
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Role Service Container Image"
 	RoleService string `json:"roleService,omitempty" yaml:"roleService,omitempty"`
 
+	// RoleServiceReplicas is the number of replicas for the role service deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Role Service Replicas"
+	RoleServiceReplicas int `json:"roleServiceReplicas,omitempty" yaml:"roleServiceReplicas,omitempty"`
+
 	// StorageService is the image tag for the Container
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Storage Service Container Image"
 	StorageService string `json:"storageService,omitempty" yaml:"storageService,omitempty"`
 
+	// StorageServiceReplicas is the number of replicas for storage service deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Storage Service Replicas"
+	StorageServiceReplicas int `json:"storageServiceReplicas,omitempty" yaml:"storageServiceReplicas,omitempty"`
+
+	// AuthorizationController is the image tag for the container
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Controller Container Image"
+	AuthorizationController string `json:"authorizationController,omitempty" yaml:"authorizationController,omitempty"`
+
+	// AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Controller Replicas"
+	AuthorizationControllerReplicas int `json:"authorizationControllerReplicas,omitempty" yaml:"authorizationControllerReplicas,omitempty"`
+
+	// LeaderElection is boolean flag to enable leader election
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Leader Election"
+	LeaderElection bool `json:"leaderElection,omitempty" yaml:"leaderElection,omitempty"`
+
+	// The interval which the reconcile of each controller is run
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Controller Reconcile Interval"
+	ControllerReconcileInterval string `json:"controllerReconcileInterval,omitempty" yaml:"controllerReconcileInterval,omitempty"`
+
 	// Redis is the image tag for the Container
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Redis Container Image"
 	Redis string `json:"redis,omitempty" yaml:"redis,omitempty"`
@@ -348,6 +375,50 @@ type ContainerTemplate struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Opa Kube Management Container Image"
 	OpaKubeMgmt string `json:"opaKubeMgmt,omitempty" yaml:"opaKubeMgmt,omitempty"`
 
+	// Hostname is the authorization proxy server hostname
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Hostname"
+	Hostname string `json:"hostname,omitempty" yaml:"hostname,omitempty"`
+
+	// ProxyServerIngress is the authorization proxy server ingress configuration
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server ingress configuration"
+	ProxyServerIngress []ProxyServerIngress `json:"proxyServerIngress,omitempty" yaml:"proxyServerIngress,omitempty"`
+
+	// RedisStorageClass is the authorization proxy server redis storage class for persistence
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Redis storage class"
+	RedisStorageClass string `json:"storageclass,omitempty" yaml:"storageclass,omitempty"`
+
+	// VaultAddress is the address of the vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Address"
+	VaultAddress string `json:"vaultAddress,omitempty" yaml:"vaultAddress,omitempty"`
+
+	// VaultRole is the role for the vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Role"
+	VaultRole string `json:"vaultRole,omitempty" yaml:"vaultRole,omitempty"`
+
+	// skipCertificateValidation is the flag to skip certificate validation
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Skip Certificate Validation"
+	SkipCertificateValidation bool `json:"skipCertificateValidation,omitempty" yaml:"skipCertificateValidation,omitempty"`
+
+	// kvEnginePath is the Authorization vault secret path
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization KV Engine Path"
+	KvEnginePath string `json:"kvEnginePath,omitempty" yaml:"kvEnginePath,omitempty"`
+
+	// RedisName is the name of the redis statefulset
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis StatefulSet Name"
+	RedisName string `json:"redisName,omitempty" yaml:"redisName,omitempty"`
+
+	// RedisCommander is the name of the redis deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis Deployment Name"
+	RedisCommander string `json:"redisCommander,omitempty" yaml:"redisCommander,omitempty"`
+
+	// RedisReplicas is the number of replicas for the redis deployment
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis Deployment Replicas"
+	RedisReplicas int `json:"redisReplicas,omitempty" yaml:"redisReplicas,omitempty"`
+
+	// Sentinel is the name of the sentinel statefulSet
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Sentinel StatefulSet Name"
+	Sentinel string `json:"sentinel,omitempty" yaml:"sentinel,omitempty"`
+
 	// ReplicaCount is the replica count for app mobility
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Application Mobility Replica Count"
 	ReplicaCount string `json:"replicaCount,omitempty" yaml:"replicaCount,omitempty"`
@@ -383,6 +454,10 @@ type ContainerTemplate struct {
 	// PrivateKey is a private key used for a certificate/private-key pair
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Private key for certificate/private-key pair"
 	PrivateKey string `json:"privateKey,omitempty" yaml:"privateKey,omitempty"`
+
+	// CertificateAuthority is a certificate authority used to validate a certificate
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Certificate authority for validating a certificate"
+	CertificateAuthority string `json:"certificateAuthority,omitempty" yaml:"certificateAuthority,omitempty"`
 }
 
 // SnapshotClass struct
@@ -396,6 +471,21 @@ type SnapshotClass struct {
 	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters"`
 }
 
+// ProxyServerIngress is the authorization ingress configuration struct
+type ProxyServerIngress struct {
+	// IngressClassName is the ingressClassName
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Ingress Class Name"
+	IngressClassName string `json:"ingressClassName,omitempty" yaml:"ingressClassName,omitempty"`
+
+	// Hosts is the hosts rules for the ingress
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Hosts"
+	Hosts []string `json:"hosts,omitempty" yaml:"hosts,omitempty"`
+
+	// Annotations is an unstructured key value map that stores additional annotations for the ingress
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Annotations"
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
 // CSIDriverSpec struct
 type CSIDriverSpec struct {
 	FSGroupPolicy   string `json:"fSGroupPolicy,omitempty" yaml:"fSGroupPolicy,omitempty"`