From 1c23688f80b66def8ad0f3bc61a10c42f5bf0dd7 Mon Sep 17 00:00:00 2001
From: Alex Snaps
Date: Wed, 4 Sep 2024 10:43:52 -0400
Subject: [PATCH] Tentative at dealing with no opa.External provided
Signed-off-by: Alex Snaps
---
controllers/auth_config_controller.go | 36 ++++---
install/manifests.yaml | 146 ++++++++++++++++++++++++++
install/rbac/role.yaml | 146 ++++++++++++++++++++++++++
3 files changed, 313 insertions(+), 15 deletions(-)
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
index a4bde94b..78a97be6 100644
--- a/controllers/auth_config_controller.go
+++ b/controllers/auth_config_controller.go
@@ -377,25 +377,31 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 case api.OpaAuthorization:
 policyName := authConfig.GetNamespace() + "/" + authConfig.GetName() + "/" + authzName
 opa := authorization.Opa
- externalRegistry := opa.External
 secret := &v1.Secret{}
- var sharedSecret string
- if externalRegistry.SharedSecret != nil {
- if err := r.Client.Get(ctx, types.NamespacedName{
- Namespace: authConfig.Namespace,
- Name: externalRegistry.SharedSecret.Name},
- secret); err != nil {
- return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue.
+ var (
+ sharedSecret string
+ externalSource *authorization_evaluators.OPAExternalSource
+ )
+
+ if opa.External != nil {
+ externalRegistry := opa.External
+ if externalRegistry.SharedSecret != nil {
+ if err := r.Client.Get(ctx, types.NamespacedName{
+ Namespace: authConfig.Namespace,
+ Name: externalRegistry.SharedSecret.Name},
+ secret); err != nil {
+ return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue.
+ }
+ sharedSecret = string(secret.Data[externalRegistry.SharedSecret.Key])
 }
- sharedSecret = string(secret.Data[externalRegistry.SharedSecret.Key])
- }
- externalSource := &authorization_evaluators.OPAExternalSource{
- Endpoint: externalRegistry.Url,
- SharedSecret: sharedSecret,
- AuthCredentials: newAuthCredential(externalRegistry.Credentials),
- TTL: externalRegistry.TTL,
+ externalSource = &authorization_evaluators.OPAExternalSource{
+ Endpoint: externalRegistry.Url,
+ SharedSecret: sharedSecret,
+ AuthCredentials: newAuthCredential(externalRegistry.Credentials),
+ TTL: externalRegistry.TTL,
+ }
 }
 var err error
diff --git a/install/manifests.yaml b/install/manifests.yaml
index 6c13cf5e..133b243d 100644
--- a/install/manifests.yaml
+++ b/install/manifests.yaml
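Review bot: The shared-secret lookup that moved inside the new `if opa.External != nil` block still indexes `secret.Data[externalRegistry.SharedSecret.Key]` without checking that the key is present, so a mistyped key silently produces an empty `SharedSecret` on the `OPAExternalSource` and the external registry is then contacted with an empty credential instead of the reconcile failing. The Secret fetch already returns an error when the `Get` fails, and a missing key deserves the same treatment. Separately, `externalSource` is now left nil when `opa.External` is unset, and whatever consumes it after `var err error` lies outside this hunk, so that consumer must tolerate a nil source; `translateAuthConfig` both starts and ends outside the hunk. The `secret := &v1.Secret{}` allocation could also move into the `SharedSecret != nil` branch, the only place it is used. The rewrite below assumes `fmt` is already imported by this file, which is not visible here.
```go
			if externalRegistry.SharedSecret != nil {
				// … unchanged: r.Client.Get of the referenced Secret, returning err on failure …
				value, found := secret.Data[externalRegistry.SharedSecret.Key]
				if !found {
					return nil, fmt.Errorf("key %q not found in secret %s/%s", externalRegistry.SharedSecret.Key, authConfig.Namespace, externalRegistry.SharedSecret.Name)
				}
				sharedSecret = string(value)
			}
```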
@@ -5029,6 +5029,80 @@ kind: ClusterRole
 metadata:
 name: authorino-manager-role
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 - apiGroups:
 - authorino.kuadrant.io
 resources:
@@ -5049,6 +5123,12 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 - apiGroups:
 - coordination.k8s.io
 resources:
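Review bot: The grants added to `authorino-manager-role` on core and apps resources — `create`/`delete`/`patch` on `configmaps`, `create`/`update` on `serviceaccounts` and `services`, full CRUD on `deployments` — have no counterpart in the Go change of this commit, whose only API access is a `Get` on a `v1.Secret`, and the commit message does not mention them. Combined with the `operator.authorino.kuadrant.io` rules added further down the same file, they look like the Authorino Operator's ClusterRole merged into Authorino's own role, presumably by running controller-gen over a path set that included the operator; the command used is not visible here. `tokenreviews` and `subjectaccessreviews` may well be needed by Authorino's Kubernetes auth features, but the workload-management verbs widen the pod's blast radius without a visible need and should be dropped or justified in the commit message. If the intent was only to let the controller read the referenced Secret, the `secrets` rule with `get`/`list`/`watch` is the one to keep.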
@@ -5066,3 +5146,69 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
diff --git a/install/rbac/role.yaml b/install/rbac/role.yaml
index 69520e9e..2328df39 100644
--- a/install/rbac/role.yaml
+++ b/install/rbac/role.yaml
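Review bot: `create`/`update` on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings` turns the subject bound to `authorino-manager-role` into an RBAC administrator; the API server's escalation check only stops it from granting permissions it does not itself hold, so it can still bind its own — now broad — permission set (cluster-wide Secret reads, Deployment and ServiceAccount creation from the earlier hunk) to any other subject or to a pod it creates. Together with the `authorinos`, `authorinos/finalizers` and `authorinos/status` rules, these are the Authorino Operator's permissions rather than the Authorino runtime's, and nothing in this commit's controller change exercises them. Unless the manifest is deliberately meant to embed the operator role, this hunk should be removed from the manager role; if part of it is genuinely needed, put it in a separate ClusterRole bound only to the component that reconciles `Authorino` CRs. The same block is added to `install/rbac/role.yaml` and needs the same treatment there.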
@@ -4,6 +4,80 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 - apiGroups:
 - authorino.kuadrant.io
 resources:
@@ -24,6 +98,12 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 - apiGroups:
 - coordination.k8s.io
 resources:
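Review bot: The `configmaps/status` rule added to `manager-role` targets a subresource that core ConfigMaps do not have, so its `delete`/`get`/`patch`/`update` verbs can never be exercised and the rule should be dropped rather than carried along. The rest of this hunk is identical to the additions made to `authorino-manager-role` in `install/manifests.yaml`, which suggests one file is derived from the other; if `role.yaml` is controller-gen output from `+kubebuilder:rbac` markers, those markers are not part of this diff and a hand edit here would be reverted by the next regeneration, so the commit should state where these rules come from. The old side of this file visibly starts its rules at `authorino.kuadrant.io`, while the controller already performs `r.Client.Get` on a Secret; whether a `secrets` rule existed elsewhere in the file is not visible here, but if that is what the commit actually needs, keep `secrets` (`get`/`list`/`watch`) and `events` and drop the workload-management verbs on `configmaps`, `serviceaccounts`, `services` and `deployments`.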
@@ -41,3 +121,69 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
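Review bot: The `operator.authorino.kuadrant.io` API group and its `authorinos` resources are not defined anywhere in this diff and belong to the Authorino Operator's CRD, so `manager-role` in this repository is being given rights over an API it does not serve; the rule is inert where the CRD is absent, but it is a clear sign these rules were lifted from the operator's generated role. The `rbac.authorization.k8s.io` grants that follow are the dangerous part of that import: with `create`/`update` on `clusterrolebindings` and `rolebindings` the runtime's service account can re-grant its own permissions to arbitrary subjects. Since `install/manifests.yaml` appears to be assembled from this file (it receives the identical block), trimming the rules here is what actually fixes the shipped manifest; remove the four `rbac.authorization.k8s.io` rules and the three `operator.authorino.kuadrant.io` rules unless the commit message can justify them.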