
Openshift routes support (#118)
* Add openshift route api

initial route controller impl

* openshift route controller

* openshift route controller based on sidecar

* openshift route doc fix

* remove code commented out

* remove unused code

* comment method as not thread-safe
eguzki authored Mar 24, 2022
1 parent b8c0b2d commit e8d1bb5
Showing 16 changed files with 1,104 additions and 202 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -9,6 +9,7 @@
* [Overview](#overview)
* [CustomResourceDefinitions](#customresourcedefinitions)
* [Getting started](#getting-started)
* [Openshift Routes](/doc/openshift-routes.md)
* [Contributing](#contributing)
* [Licensing](#licensing)

34 changes: 34 additions & 0 deletions config/deploy/manifests.yaml
Expand Up @@ -333,6 +333,40 @@ rules:
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
labels:
app: kuadrant
name: kuadrant-manager-role
namespace: kuadrant-system
rules:
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes/custom-host
verbs:
- create
- apiGroups:
- route.openshift.io
resources:
- routes/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
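Review bot: The new Role grants `create` on `routes/custom-host`, which is the OpenShift permission that gates who may set an explicit `spec.host` (and TLS material) on a Route, and nothing in the manifest records why the controller needs it; the identical rule lands in config/rbac/role.yaml (L93–L123). Since role.yaml appears to be controller-gen output (`namespace: placeholder`), the justification belongs on the `+kubebuilder:rbac` marker in the route controller source (not in this page) rather than in the YAML, e.g. `// routes/custom-host create: presumably the controller sets spec.host on the Routes it creates; keep this a namespaced Role so the grant stays limited to the operator namespace`. If the controller ever changes the host or TLS fields of an existing Route, `update` on `routes/custom-host` would presumably be required as well — worth confirming against the OpenShift version targeted.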
33 changes: 33 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -96,3 +96,36 @@ rules:
- patch
- update
- watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: manager-role
namespace: placeholder
rules:
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes/custom-host
verbs:
- create
- apiGroups:
- route.openshift.io
resources:
- routes/status
verbs:
- get
10 changes: 6 additions & 4 deletions controllers/apim/httproute_controller.go
Expand Up @@ -5,8 +5,6 @@ import (
"fmt"

"github.com/go-logr/logr"
"github.com/kuadrant/kuadrant-controller/pkg/log"
"github.com/kuadrant/kuadrant-controller/pkg/reconcilers"
securityv1beta1 "istio.io/api/security/v1beta1"
istiosecurityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
Expand All @@ -16,6 +14,10 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/builder"
gatewayapi_v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"

"github.com/kuadrant/kuadrant-controller/pkg/log"
"github.com/kuadrant/kuadrant-controller/pkg/mappers"
"github.com/kuadrant/kuadrant-controller/pkg/reconcilers"
)

const HTTPRouteNamePrefix = "hr"
Expand Down Expand Up @@ -43,7 +45,7 @@ func (r *HTTPRouteReconciler) Reconcile(eventCtx context.Context, req ctrl.Reque

// TODO(rahulanand16nov): handle HTTPRoute deletion for AuthPolicy
// check if this httproute has to be protected or not.
_, present := httproute.GetAnnotations()[KuadrantAuthProviderAnnotation]
_, present := httproute.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
if !present {
for _, parentRef := range httproute.Spec.ParentRefs {
gwNamespace := httproute.Namespace // consider gateway local if namespace is not given
Expand Down Expand Up @@ -88,7 +90,7 @@ func (r *HTTPRouteReconciler) reconcileAuthPolicy(ctx context.Context, logger lo
logger.Info("Reconciling AuthorizationPolicy")

// annotation presence is already checked.
providerName := hr.GetAnnotations()[KuadrantAuthProviderAnnotation]
providerName := hr.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]

// pre-convert hostnames to string slice
hosts := []string{}
28 changes: 15 additions & 13 deletions controllers/apim/ratelimitpolicy_mapper.go
Expand Up @@ -4,12 +4,14 @@ import (
"context"

"github.com/go-logr/logr"
apimv1alpha1 "github.com/kuadrant/kuadrant-controller/apis/apim/v1alpha1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/predicate"

apimv1alpha1 "github.com/kuadrant/kuadrant-controller/apis/apim/v1alpha1"
"github.com/kuadrant/kuadrant-controller/pkg/mappers"
)

const (
Expand All @@ -26,7 +28,7 @@ const (
func routingPredicate(m *rateLimitPolicyMapper) predicate.Predicate {
return predicate.Funcs{
CreateFunc: func(e event.CreateEvent) bool {
if _, toRateLimit := e.Object.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]; toRateLimit {
if _, toRateLimit := e.Object.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]; toRateLimit {
if err := m.SignalCreate(e.Object); err != nil {
m.Logger.Error(err, "failed to signal create event to referenced RateLimitPolicy")
// lets still try for auth annotation
Expand All @@ -35,32 +37,32 @@ func routingPredicate(m *rateLimitPolicyMapper) predicate.Predicate {

// only create reconcile request for routing objects' controllers when auth
// annotation is present.
_, toProtect := e.Object.GetAnnotations()[KuadrantAuthProviderAnnotation]
_, toProtect := e.Object.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
return toProtect
},
UpdateFunc: func(e event.UpdateEvent) bool {
_, toRateLimitOld := e.ObjectOld.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
_, toRateLimitNew := e.ObjectNew.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
_, toRateLimitOld := e.ObjectOld.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
_, toRateLimitNew := e.ObjectNew.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
if toRateLimitNew || toRateLimitOld {
if err := m.SignalUpdate(e.ObjectOld, e.ObjectNew); err != nil {
m.Logger.Error(err, "failed to signal update event to referenced RateLimitPolicy")
}
}

_, toProtectOld := e.ObjectOld.GetAnnotations()[KuadrantAuthProviderAnnotation]
_, toProtectNew := e.ObjectNew.GetAnnotations()[KuadrantAuthProviderAnnotation]
_, toProtectOld := e.ObjectOld.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
_, toProtectNew := e.ObjectNew.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
return toProtectOld || toProtectNew
},
DeleteFunc: func(e event.DeleteEvent) bool {
// If the object had the Kuadrant label, we need to handle its deletion
_, toRateLimit := e.Object.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
_, toRateLimit := e.Object.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
if toRateLimit {
if err := m.SignalDelete(e.Object); err != nil {
m.Logger.Error(err, "failed to signal delete event to referenced RateLimitPolicy")
}
}

_, toProtect := e.Object.GetAnnotations()[KuadrantAuthProviderAnnotation]
_, toProtect := e.Object.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
return toProtect
},
}
Expand All @@ -78,7 +80,7 @@ func (m *rateLimitPolicyMapper) SignalCreate(obj client.Object) error {
if obj.GetObjectKind().GroupVersionKind().Kind == "HTTPRoute" {
addAnnotation = KuadrantAddHRAnnotation
}
rlpName := obj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
rlpName := obj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
m.Logger.Info("Signaling create event to RateLimitPolicy", "RateLimitPolicy", rlpName)
rlpKey := types.NamespacedName{
Name: rlpName,
Expand All @@ -105,7 +107,7 @@ func (m *rateLimitPolicyMapper) SignalDelete(obj client.Object) error {
if obj.GetObjectKind().GroupVersionKind().Kind == "HTTPRoute" {
deleteAnnotation = KuadrantAddHRAnnotation
}
rlpName := obj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
rlpName := obj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
m.Logger.Info("Signaling delete event to RateLimitPolicy", "RateLimitPolicy", rlpName)
rlpKey := types.NamespacedName{
Name: rlpName,
Expand All @@ -130,8 +132,8 @@ func (m *rateLimitPolicyMapper) SignalDelete(obj client.Object) error {
// SignalUpdate is used when either old or new object had/has the ratelimit annotaiton
func (m *rateLimitPolicyMapper) SignalUpdate(oldObj, newObj client.Object) error {
m.Logger.Info("Signaling update event to RateLimitPolicy")
oldRlpName, toRateLimitOld := oldObj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
newRlpName, toRateLimitNew := newObj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
oldRlpName, toRateLimitOld := oldObj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
newRlpName, toRateLimitNew := newObj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]

// case when rlp name is added (same as create event)
if !toRateLimitOld && toRateLimitNew {
5 changes: 0 additions & 5 deletions controllers/apim/utils.go
Expand Up @@ -11,11 +11,6 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

const (
KuadrantAuthProviderAnnotation = "kuadrant.io/auth-provider"
KuadrantRateLimitPolicyAnnotation = "kuadrant.io/ratelimitpolicy"
)

// gatewayLabels fetches labels of an Istio gateway identified using the given ObjectKey.
func gatewayLabels(ctx context.Context, client client.Client, gwKey client.ObjectKey) map[string]string {
gateway := &istio.Gateway{}
5 changes: 3 additions & 2 deletions controllers/apim/virtualservice_controller.go
Expand Up @@ -19,6 +19,7 @@ import (
"github.com/go-logr/logr"
"github.com/kuadrant/kuadrant-controller/pkg/common"
"github.com/kuadrant/kuadrant-controller/pkg/log"
"github.com/kuadrant/kuadrant-controller/pkg/mappers"
"github.com/kuadrant/kuadrant-controller/pkg/reconcilers"
)

Expand Down Expand Up @@ -48,7 +49,7 @@ func (r *VirtualServiceReconciler) Reconcile(eventCtx context.Context, req ctrl.

// TODO(rahulanand16nov): handle VirtualService deletion for AuthPolicy
// check if this virtualservice is to be protected or not.
_, present := virtualService.GetAnnotations()[KuadrantAuthProviderAnnotation]
_, present := virtualService.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
if !present {
for _, gateway := range virtualService.Spec.Gateways {
gwKey := common.NamespacedNameToObjectKey(gateway, virtualService.Namespace)
Expand Down Expand Up @@ -78,7 +79,7 @@ func (r *VirtualServiceReconciler) reconcileAuthPolicy(ctx context.Context, logg
logger.Info("Reconciling AuthorizationPolicy")

// annotation presence is already checked.
providerName := vs.GetAnnotations()[KuadrantAuthProviderAnnotation]
providerName := vs.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]

// TODO(rahulanand16nov): update following to match HTTPRoute controller
// fill out the rules
