From a2f1c88ea68615fc4e189496e071d1064405e622 Mon Sep 17 00:00:00 2001 
From: Eguzki Astiz Lezaun Date: Wed, 8 Nov 2023 18:27:30 +0100 Subject: [PATCH] install command --- .github/workflows/commands.yaml | 26 +- .github/workflows/testing.yaml | 87 +- Makefile | 131 +- authorinomanifests/assets.go | 32 - .../autogenerated/authorino-operator.yaml | 1717 ---- cmd/cmd_suite_test.go | 34 - cmd/generate.go | 1 - cmd/generate_gatewayapi_httproute.go | 7 +- cmd/generate_istio.go | 18 - cmd/generate_istio_authpolicy.go | 134 - cmd/generate_istio_virtualservice.go | 145 - cmd/generate_kuadrant.go | 2 - cmd/generate_kuadrant_authconfig.go | 136 - cmd/install.go | 142 +- cmd/install_test.go | 60 - cmd/uninstall.go | 107 +- cmd/version.go | 33 - config/gateway-api/kustomization.yaml | 3 + go.mod | 100 +- go.sum | 1292 +-- istiomanifests/assets.go | 48 - istiomanifests/autogenerated/Base/Base.yaml | 7534 ----------------- .../Base/IstiodRemote/IstiodRemote.yaml | 1 - .../autogenerated/Base/Pilot/Cni/Cni.yaml | 1 - .../Pilot/EgressGateways/EgressGateways.yaml | 1 - .../IngressGateways/IngressGateways.yaml | 333 - .../autogenerated/Base/Pilot/Pilot.yaml | 3057 ------- istiomanifests/default-gateway.yaml | 15 - .../patches/istio-externalProvider.yaml | 16 - kuadrantmanifests/assets.go | 32 - kuadrantmanifests/autogenerated/kuadrant.yaml | 451 - limitadormanifests/assets.go | 32 - .../autogenerated/limitador-operator.yaml | 405 - make/gateway-api.mk | 5 + make/istio.mk | 25 + make/kind.mk | 14 + make/lint.mk | 11 + make/olm.mk | 5 + utils.mk => make/utils.mk | 2 +- pkg/authorino/auth_config.go | 134 - pkg/authorino/authorino.go | 35 - pkg/gatewayapi/http_route.go | 7 +- pkg/istio/authorizationpolicy.go | 39 - pkg/istio/http_route.go | 44 - pkg/limitador/limitador.go | 23 - pkg/utils/scheme.go | 20 +- pkg/utils/utils.coverprofile | 68 + pkg/utils/version_parser.go | 124 - pkg/utils/yaml_decoder.go | 66 - .../{kind/cluster.yaml => kind-cluster.yaml} | 0 50 files changed, 461 insertions(+), 16294 deletions(-) delete mode 100644 authorinomanifests/assets.go 
delete mode 100644 authorinomanifests/autogenerated/authorino-operator.yaml delete mode 100644 cmd/generate_istio.go delete mode 100644 cmd/generate_istio_authpolicy.go delete mode 100644 cmd/generate_istio_virtualservice.go delete mode 100644 cmd/generate_kuadrant_authconfig.go delete mode 100644 cmd/install_test.go create mode 100644 config/gateway-api/kustomization.yaml delete mode 100644 istiomanifests/assets.go delete mode 100644 istiomanifests/autogenerated/Base/Base.yaml delete mode 100644 istiomanifests/autogenerated/Base/IstiodRemote/IstiodRemote.yaml delete mode 100644 istiomanifests/autogenerated/Base/Pilot/Cni/Cni.yaml delete mode 100644 istiomanifests/autogenerated/Base/Pilot/EgressGateways/EgressGateways.yaml delete mode 100644 istiomanifests/autogenerated/Base/Pilot/IngressGateways/IngressGateways.yaml delete mode 100644 istiomanifests/autogenerated/Base/Pilot/Pilot.yaml delete mode 100644 istiomanifests/default-gateway.yaml delete mode 100644 istiomanifests/patches/istio-externalProvider.yaml delete mode 100644 kuadrantmanifests/assets.go delete mode 100644 kuadrantmanifests/autogenerated/kuadrant.yaml delete mode 100644 limitadormanifests/assets.go delete mode 100644 limitadormanifests/autogenerated/limitador-operator.yaml create mode 100644 make/gateway-api.mk create mode 100644 make/istio.mk create mode 100644 make/kind.mk create mode 100644 make/lint.mk create mode 100644 make/olm.mk rename utils.mk => make/utils.mk (84%) delete mode 100644 pkg/authorino/auth_config.go delete mode 100644 pkg/authorino/authorino.go delete mode 100644 pkg/istio/authorizationpolicy.go delete mode 100644 pkg/istio/http_route.go delete mode 100644 pkg/limitador/limitador.go create mode 100644 pkg/utils/utils.coverprofile delete mode 100644 pkg/utils/version_parser.go delete mode 100644 pkg/utils/yaml_decoder.go rename utils/{kind/cluster.yaml => kind-cluster.yaml} (100%) 
diff --git a/.github/workflows/commands.yaml b/.github/workflows/commands.yaml index b32991d..4d7b1c1 100644 --- a/.github/workflows/commands.yaml +++ b/.github/workflows/commands.yaml @@ -1,30 +1,38 @@ --- name: Command Testing -on: pull_request +on: + push: + branches: [ 'main' ] + + pull_request: + branches: [ '*' ] jobs: install: name: Run kuadrantctl install runs-on: ubuntu-latest steps: - - name: Set up Go 1.16.x - uses: actions/setup-go@v2 + - name: Set up Go 1.20.x + uses: actions/setup-go@v4 with: - go-version: 1.16.x + go-version: 1.20.x id: go - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Create k8s Kind Cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.2.0 with: - version: v0.11.1 - config: utils/kind/cluster.yaml - cluster_name: kuadrant-local + version: v0.20.0 + config: utils/kind-cluster.yaml + cluster_name: ${{ env.KIND_CLUSTER_NAME }} wait: 120s - name: Check cluster info run: | kubectl cluster-info dump + - name: Run make env-setup + run: | + make env-setup - name: build run: | make install diff --git a/.github/workflows/testing.yaml b/.github/workflows/testing.yaml index 1ebb800..1ea487c 100644 --- a/.github/workflows/testing.yaml +++ b/.github/workflows/testing.yaml @@ -6,7 +6,7 @@ on: branches: [ 'main' ] pull_request: - branches: [ 'main' ] + branches: [ '*' ] jobs: build: 
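Review bot: `cluster_name: ${{ env.KIND_CLUSTER_NAME }}` in commands.yaml reads a variable this workflow never defines — the hunk starts at line 1 and adds no `env:` block, whereas the testing.yaml hunk in the same patch sets `KIND_CLUSTER_NAME: kuadrant-local` at job level. An undefined expression expands to an empty string, so kind-action will presumably fall back to its default cluster name while any Makefile target that keys on `KIND_CLUSTER_NAME` (make/kind.mk is not in view) would address a different cluster than the one just created. Add `env:` / `KIND_CLUSTER_NAME: kuadrant-local` under the `install` job, mirroring testing.yaml. Separately, `actions/setup-go@v4`, `actions/checkout@v3` and `helm/kind-action@v1.2.0` are pinned to mutable tags; pinning each to a full commit SHA would close the tag-retargeting supply-chain hole in both workflows.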
@@ -27,24 +27,29 @@ jobs: tests: name: Run tests runs-on: ubuntu-latest + env: + KIND_CLUSTER_NAME: kuadrant-local steps: - - name: Set up Go 1.16.x - uses: actions/setup-go@v2 + - name: Set up Go 1.20.x + uses: actions/setup-go@v4 with: - go-version: 1.16.x + go-version: 1.20.x id: go - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Create k8s Kind Cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.2.0 with: - version: v0.11.1 - config: utils/kind/cluster.yaml - cluster_name: kuadrant-local + version: v0.20.0 + config: utils/kind-cluster.yaml + cluster_name: ${{ env.KIND_CLUSTER_NAME }} wait: 120s - name: Check cluster info run: | kubectl cluster-info dump + - name: Run make env-setup + run: | + make env-setup - name: Run tests run: | make test 
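Review bot: The codecov step that follows this hunk uploads `*.coverprofile`, and the diffstat shows `pkg/utils/utils.coverprofile` being added to the repository (create mode 100644); if that glob is evaluated recursively, the committed, stale profile would be uploaded next to the fresh one produced by `make test` and skew the reported coverage. Generated coverage output should not be checked in — drop the file from the commit and add `*.coverprofile` to .gitignore. The new `make env-setup` step also installs OLM, Gateway API and Istio from sources defined in make/*.mk (outside this view); confirm those fragments pin versions and, where they download manifests, checksums, so CI is not tracking a moving target.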
@@ -52,67 +57,3 @@ jobs: uses: codecov/codecov-action@v2 with: files: "*.coverprofile" - - verify-istio-manifest: - name: Verify istio manifests - runs-on: ubuntu-latest - steps: - - name: Set up Go 1.16.x - uses: actions/setup-go@v2 - with: - go-version: 1.16.x - id: go - - name: Check out code - uses: actions/checkout@v2 - - name: run test - run: | - make istio-manifest-update-test - - verify-kuadrant-manifest: - name: Verify kuadrant manifests - runs-on: ubuntu-latest - steps: - - name: Set up Go 1.16.x - uses: actions/setup-go@v2 - with: - go-version: 1.16.x - id: go - - name: Check out code - uses: actions/checkout@v2 - - name: run test - run: | - make kuadrant-manifest-update-test - - verify-limitador-manifest: - name: Verify limitador manifests - runs-on: ubuntu-latest - steps: - - name: Set up Go 1.16.x - uses: actions/setup-go@v2 - with: - go-version: 1.16.x - id: go - - name: Check out code - uses: actions/checkout@v2 - - name: run test - run: | - make limitador-operator-manifest-update-test - - verify-authorino-manifest: - name: Verify authorino manifests - runs-on: ubuntu-latest - steps: - - name: Set up Go 1.16.x - uses: actions/setup-go@v2 - with: - go-version: 1.16.x - id: go - - name: Check out code - uses: actions/checkout@v2 - - name: remove existing kustomize - run: | - # not necessary when https://github.com/Kuadrant/authorino/pull/150 is removed - rm -rf /usr/local/bin/kustomize /home/runner/go/bin/controller-gen - - name: run test - run: | - make authorino-operator-manifest-update-test diff --git a/Makefile b/Makefile index 86e87e1..0f84025 100644 --- a/Makefile +++ b/Makefile 
@@ -5,17 +5,18 @@ PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH))) GO ?= go KUADRANT_NAMESPACE=kuadrant-system -include utils.mk - all: help .PHONY : help help: Makefile @sed -n 's/^##//p' $< -# Kind tool +# Ginkgo tool +GINKGO = $(PROJECT_PATH)/bin/ginkgo +$(GINKGO): + $(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/ginkgo@v1.16.4) + KIND = $(PROJECT_PATH)/bin/kind -KIND_CLUSTER_NAME = kuadrant-local KIND_VERSION = v0.20.0 $(KIND): $(call go-install-tool,$(KIND),sigs.k8s.io/kind@$(KIND_VERSION)) @@ -23,23 +24,12 @@ $(KIND): .PHONY: kind kind: $(KIND) ## Download kind locally if necessary. -# istioctl tool -ISTIOCTL=$(PROJECT_PATH)/bin/istioctl -ISTIOVERSION = 1.17.2 -$(ISTIOCTL): - mkdir -p $(PROJECT_PATH)/bin - $(eval TMP := $(shell mktemp -d)) - cd $(TMP); curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh - - cp $(TMP)/istio-$(ISTIOVERSION)/bin/istioctl ${ISTIOCTL} - -rm -rf $(TMP) +KUSTOMIZE = $(PROJECT_PATH)/bin/kustomize +$(KUSTOMIZE): + $(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v4@v4.5.5) -.PHONY: istioctl -istioctl: $(ISTIOCTL) - -# Ginkgo tool -GINKGO = $(PROJECT_PATH)/bin/ginkgo -$(GINKGO): - $(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/ginkgo@v1.16.4) +.PHONY: kustomize +kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. ## test: Run unit tests .PHONY : test 
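Review bot: The new tool pins are written inconsistently — `KIND_VERSION = v0.20.0` is a variable while the kustomize and ginkgo versions are inlined in the `$(call go-install-tool,...)` lines; hoisting them (`KUSTOMIZE_VERSION ?= v4.5.5`, `GINKGO_VERSION ?= v1.16.4`) keeps every pinned tool version in one place and overridable. Replacing the istioctl bootstrap that piped `https://istio.io/downloadIstio` into `sh` with `go-install-tool` is a welcome change, since `go install pkg@version` by default verifies module checksums against the checksum database. Note that `go-install-tool` now lives in make/utils.mk, which is only included at the bottom of the file; that works because `$(call ...)` inside a recipe is expanded at run time, and a short comment above `$(GINKGO):` saying so would save the next reader the detour.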
@@ -53,6 +43,28 @@ test: fmt vet $(GINKGO) install: fmt vet GOBIN=$(PROJECT_PATH)/bin $(GO) install +.PHONY: prepare-local-cluster +prepare-local-cluster: $(KIND) ## Deploy locally kuadrant operator from the current code + $(MAKE) kind-delete-cluster + $(MAKE) kind-create-cluster + +.PHONY: env-setup +env-setup: + $(MAKE) olm-install + $(MAKE) gateway-api-install + $(MAKE) istio-install + +## local-setup: Sets up Kind cluster with GatewayAPI manifests and istio GW, nothing Kuadrant. Build and install kuadrantctl binary +.PHONY: local-setup +local-setup: + $(MAKE) prepare-local-cluster + $(MAKE) env-setup + +## local-cleanup: Delete local cluster +.PHONY: local-cleanup +local-cleanup: ## Delete local cluster + $(MAKE) kind-delete-cluster + .PHONY : fmt fmt: $(GO) fmt ./... 
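Review bot: The help comment on `prepare-local-cluster` does not match what the target does — it only deletes and recreates the kind cluster and never deploys the Kuadrant operator — so change it to `prepare-local-cluster: $(KIND) ## Delete and recreate the local kind cluster`. `env-setup` applies OLM, Gateway API and Istio to whatever cluster the current kubeconfig context points at; that is intended when reached via `local-setup`, but run on its own (as CI does here) with a production context active it is a footgun, and a one-line comment such as `# Installs into the current kubeconfig context; run prepare-local-cluster first for a throwaway kind cluster` would make that explicit. Minor: `local-cleanup` carries its help text twice (the `## local-cleanup:` line and the inline `## Delete local cluster`), and only the first is printed by `help`, whose sed only matches `##` at the start of a line.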
@@ -61,80 +73,5 @@ fmt: vet: $(GO) vet ./... -# Generates istio manifests with patches. -.PHONY: generate-istio-manifests -generate-istio-manifests: istioctl - $(ISTIOCTL) manifest generate --set profile=minimal --set values.gateways.istio-ingressgateway.autoscaleEnabled=false --set values.pilot.autoscaleEnabled=false --set values.global.istioNamespace=kuadrant-system -f istiomanifests/patches/istio-externalProvider.yaml -o istiomanifests/autogenerated - -.PHONY: istio-manifest-update-test -istio-manifest-update-test: generate-istio-manifests - git diff --exit-code ./istiomanifests/autogenerated - [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./istiomanifests/autogenerated)" ] - -# Generates kuadrant manifests. -KUADRANTVERSION=main -KUADRANT_CONTROLLER_IMAGE=quay.io/kuadrant/kuadrant-controller:$(KUADRANTVERSION) -.PHONY: generate-kuadrant-manifests -generate-kuadrant-manifests: - $(eval TMP := $(shell mktemp -d)) - cd $(TMP); git clone --depth 1 --branch $(KUADRANTVERSION) https://github.com/kuadrant/kuadrant-controller.git - cd $(TMP)/kuadrant-controller; make kustomize - cd $(TMP)/kuadrant-controller/config/manager; $(TMP)/kuadrant-controller/bin/kustomize edit set image controller=${KUADRANT_CONTROLLER_IMAGE} - cd $(TMP)/kuadrant-controller/config/default; $(TMP)/kuadrant-controller/bin/kustomize edit set namespace $(KUADRANT_NAMESPACE) - cd $(TMP)/kuadrant-controller; bin/kustomize build config/default -o $(PROJECT_PATH)/kuadrantmanifests/autogenerated/kuadrant.yaml - -rm -rf $(TMP) - -.PHONY: kuadrant-manifest-update-test -kuadrant-manifest-update-test: generate-kuadrant-manifests - git diff --exit-code ./kuadrantmanifests/autogenerated - [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./kuadrantmanifests/autogenerated)" ] - -# Generates limitador manifests. 
-LIMITADOR_OPERATOR_VERSION=main -LIMITADOR_OPERATOR_IMAGE=quay.io/kuadrant/limitador-operator:$(LIMITADOR_OPERATOR_VERSION) -.PHONY: generate-limitador-operator-manifests -generate-limitador-operator-manifests: - $(eval TMP := $(shell mktemp -d)) - cd $(TMP); git clone --depth 1 --branch $(LIMITADOR_OPERATOR_VERSION) https://github.com/kuadrant/limitador-operator.git - cd $(TMP)/limitador-operator; make kustomize - cd $(TMP)/limitador-operator/config/manager; $(TMP)/limitador-operator/bin/kustomize edit set image controller=$(LIMITADOR_OPERATOR_IMAGE) - cd $(TMP)/limitador-operator/config/default; $(TMP)/limitador-operator/bin/kustomize edit set namespace $(KUADRANT_NAMESPACE) - cd $(TMP)/limitador-operator; bin/kustomize build config/default -o $(PROJECT_PATH)/limitadormanifests/autogenerated/limitador-operator.yaml - -rm -rf $(TMP) - -.PHONY: limitador-operator-manifest-update-test -limitador-operator-manifest-update-test: generate-limitador-operator-manifests - git diff --exit-code ./limitadormanifests/autogenerated - [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./limitadormanifests/autogenerated)" ] - -# Generates authorino operator manifests. 
-AUTHORINO_OPERATOR_VERSION=main -.PHONY: generate-authorino-operator-manifests -generate-authorino-operator-manifests: - curl -sSf https://raw.githubusercontent.com/Kuadrant/authorino-operator/$(AUTHORINO_OPERATOR_VERSION)/config/deploy/manifests.yaml > $(PROJECT_PATH)/authorinomanifests/autogenerated/authorino-operator.yaml - -.PHONY: authorino-manifest-update-test -authorino-operator-manifest-update-test: generate-authorino-operator-manifests - git diff --exit-code ./authorinomanifests/autogenerated - [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./authorinomanifests/autogenerated)" ] - -.PHONY : cluster-cleanup -cluster-cleanup: $(KIND) - $(KIND) delete cluster --name $(KIND_CLUSTER_NAME) - -.PHONY : cluster-setup -cluster-setup: $(KIND) cluster-cleanup - $(KIND) create cluster --name $(KIND_CLUSTER_NAME) --config utils/kind/cluster.yaml - -GOLANGCI-LINT=$(PROJECT_PATH)/bin/golangci-lint -$(GOLANGCI-LINT): - mkdir -p $(PROJECT_PATH)/bin - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(PROJECT_PATH)/bin v1.41.1 - -.PHONY: golangci-lint -golangci-lint: $(GOLANGCI-LINT) - -.PHONY: run-lint -run-lint: $(GOLANGCI-LINT) - $(GOLANGCI-LINT) run --timeout 2m - +# Include last to avoid changing MAKEFILE_LIST used above +include ./make/*.mk diff --git a/authorinomanifests/assets.go b/authorinomanifests/assets.go deleted file mode 100644 index 16cd091..0000000 --- a/authorinomanifests/assets.go +++ /dev/null 
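Review bot: `include ./make/*.mk` is resolved relative to the working directory rather than the Makefile, unlike every other path in this file which goes through `$(PROJECT_PATH)` (e.g. `KIND = $(PROJECT_PATH)/bin/kind`), so invoking `make -f` from another directory would presumably fail to find the fragments; use `include $(PROJECT_PATH)/make/*.mk`. The wildcard also means any `.mk` file dropped into make/ is silently executed on every invocation — listing the fragments explicitly keeps the included set reviewable. This hunk removes the golangci-lint bootstrap that piped an unpinned `master` install script into `sh`; its replacement in make/lint.mk is outside this view, so confirm it pins both the script revision and the tool version, or uses `go-install-tool` like the other tools.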
@@ -1,32 +0,0 @@
-/*
-Copyright 2021 Red Hat, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package authorinomanifests
-
-import (
- "embed"
-
- logf "sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-// Content holds authorino operator manifests
-//
-//go:embed autogenerated
-var content embed.FS
-
-func OperatorContent() ([]byte, error) {
- logf.Log.V(1).Info("Resource file", "name", "autogenerated/authorino-operator.yaml")
- return content.ReadFile("autogenerated/authorino-operator.yaml")
-}
diff --git a/authorinomanifests/autogenerated/authorino-operator.yaml b/authorinomanifests/autogenerated/authorino-operator.yaml
deleted file mode 100644
index 328e6ff..0000000
--- a/authorinomanifests/autogenerated/authorino-operator.yaml
+++ /dev/null
@@ -1,1717 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: authorino-operator ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null - name: authconfigs.authorino.kuadrant.io -spec: - group: authorino.kuadrant.io - names: - kind: AuthConfig - listKind: AuthConfigList - plural: authconfigs - singular: authconfig - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Ready? - jsonPath: .status.ready - name: Ready - type: boolean - - description: Number of trusted identity sources - jsonPath: .status.numIdentitySources - name: Id sources - priority: 2 - type: integer - - description: Number of external metadata sources - jsonPath: .status.numMetadataSources - name: Metadata sources - priority: 2 - type: integer - - description: Number of authorization policies - jsonPath: .status.numAuthorizationPolicies - name: Authz policies - priority: 2 - type: integer - - description: Number of items added to the client response - jsonPath: .status.numResponseItems - name: Response items - priority: 2 - type: integer - - description: Whether issuing Festival Wristbands - jsonPath: .status.festivalWristbandEnabled - name: Wristband - priority: 2 - type: boolean - name: v1beta1 - schema: - openAPIV3Schema: - description: AuthConfig is the schema for Authorino's AuthConfig API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specifies the desired state of the AuthConfig resource, i.e. the authencation/authorization scheme to be applied to protect the matching service hosts. - properties: - authorization: - description: Authorization is the list of authorization policies. All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. - items: - description: 'Authorization policy to be enforced. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".' - oneOf: - - properties: - name: {} - opa: {} - required: - - name - - opa - - properties: - json: {} - name: {} - required: - - name - - json - - properties: - kubernetes: {} - name: {} - required: - - name - - kubernetes - properties: - json: - description: JSON pattern matching authorization policy. - properties: - rules: - description: The rules that must all evaluate to "true" for the request to be authorized. - items: - oneOf: - - properties: - patternRef: {} - required: - - patternRef - - properties: - operator: {} - selector: {} - value: {} - required: - - operator - - selector - - value - properties: - operator: - description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. 
The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - rules - type: object - kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. - properties: - groups: - description: Groups to test for. - items: - type: string - type: array - resourceAttributes: - description: Use ResourceAttributes for checking permissions on Kubernetes resources If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. - properties: - group: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - name: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. 
"Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - namespace: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - resource: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - subresource: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. 
''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - verb: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - type: object - user: - description: User to test for. If without "Groups", then is it interpreted as "What if User were not a member of any groups" - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - required: - - user - type: object - name: - description: Name of the authorization policy. It can be used to refer to the resolved authorization object in other configs. 
- type: string - opa: - description: Open Policy Agent (OPA) authorization policy. - properties: - externalRegistry: - description: External registry of OPA policies. - properties: - credentials: - description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. - properties: - in: - default: authorization_header - description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP external registry. The endpoint must respond with either plain/text or application/json content-type. In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). - type: string - sharedSecretRef: - description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request. - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. 
- type: string - name: - description: The name of the secret in the Authorino's namespace to select from. - type: string - required: - - key - - name - type: object - type: object - inlineRego: - description: Authorization policy as a Rego language document. The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). The Rego document must NOT include the "package" declaration in line 1. - type: string - type: object - priority: - default: 0 - description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this authorization policy. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - oneOf: - - properties: - patternRef: {} - required: - - patternRef - - properties: - operator: {} - selector: {} - value: {} - required: - - operator - - selector - - value - properties: - operator: - description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison with the content fetched from the authorization JSON. 
If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - denyWith: - description: Custom denial response codes, statuses and headers to override default 40x's. - properties: - unauthenticated: - description: Denial status customization when the request is unauthenticated. - properties: - code: - description: HTTP status code to override the default denial status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default denial headers. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial message. - type: string - type: object - unauthorized: - description: Denial status customization when the request is unauthorized. - properties: - code: - description: HTTP status code to override the default denial status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default denial headers. 
- items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial message. - type: string - type: object - type: object - hosts: - description: The list of public host names of the services protected by this authentication/authorization scheme. Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. - items: - type: string - type: array - identity: - description: List of identity sources/authentication modes. At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. - items: - description: 'The identity source/authentication mode config. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes".' 
- oneOf: - - properties: - credentials: {} - name: {} - oauth2: {} - required: - - name - - oauth2 - - properties: - credentials: {} - name: {} - oidc: {} - required: - - name - - oidc - - properties: - apiKey: {} - credentials: {} - name: {} - required: - - name - - apiKey - - properties: - credentials: {} - kubernetes: {} - name: {} - required: - - name - - kubernetes - - properties: - anonymous: {} - credentials: {} - name: {} - required: - - name - - anonymous - properties: - anonymous: - type: object - apiKey: - properties: - allNamespaces: - default: false - description: Whether Authorino should look for API key secrets in all namespaces or only in the same namespace of the AuthConfig. Enabling this option in namespaced Authorino instances has no effect. - type: boolean - labelSelectors: - additionalProperties: - type: string - description: The map of label selectors used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service - type: object - required: - - labelSelectors - type: object - credentials: - description: Defines where client credentials are required to be passed in the request for this identity source/authentication mode. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). - properties: - in: - default: authorization_header - description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). 
When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. - type: string - required: - - keySelector - type: object - extendedProperties: - description: Extends the resolved identity object with additional custom properties before appending to the authorization JSON. It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - kubernetes: - properties: - audiences: - description: The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. - items: - type: string - type: array - type: object - name: - description: The name of this identity source/authentication mode. It usually identifies a source of identities or group of users/clients of the protected service. It can be used to refer to the resolved identity object in other configs. 
- type: string - oauth2: - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - tokenIntrospectionUrl: - description: The full URL of the token introspection endpoint. - type: string - tokenTypeHint: - description: The token type hint for the token introspection. If omitted, it defaults to "access_token". - type: string - required: - - credentialsRef - - tokenIntrospectionUrl - type: object - oidc: - properties: - endpoint: - description: Endpoint of the OIDC issuer. Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. - type: string - ttl: - description: Decides how long to wait before refreshing the OIDC configuration (in seconds). - type: integer - required: - - endpoint - type: object - priority: - default: 0 - description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this identity config. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. 
- items: - oneOf: - - properties: - patternRef: {} - required: - - patternRef - - properties: - operator: {} - selector: {} - value: {} - required: - - operator - - selector - - value - properties: - operator: - description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - metadata: - description: List of metadata source configs. Authorino fetches JSON content from sources on this list on every request. - items: - description: 'The metadata config. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "userInfo" or "uma".' - oneOf: - - properties: - name: {} - userInfo: {} - required: - - name - - userInfo - - properties: - name: {} - uma: {} - required: - - name - - uma - - properties: - name: {} - uma: {} - required: - - name - - http - properties: - http: - description: Generic HTTP interface to obtain authorization metadata from a HTTP service. - properties: - bodyParameters: - description: Custom parameters to encode in the body of the HTTP request. 
Use it with method=POST; for GET requests, specify parameters using placeholders in the endpoint. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - contentType: - default: application/x-www-form-urlencoded - description: Content-Type of the request body. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. - properties: - in: - default: authorization_header - description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). 
When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP service. The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} - type: string - headers: - description: Custom headers in the HTTP request. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - method: - description: 'HTTP verb used in the request to the service. Accepted values: GET (default), POST. When the request method is POST, the authorization JSON is passed in the body of the request.' - enum: - - GET - - POST - type: string - sharedSecretRef: - description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request. 
- properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's namespace to select from. - type: string - required: - - key - - name - type: object - required: - - endpoint - type: object - name: - description: The name of the metadata source. It can be used to refer to the resolved metadata object in other configs. - type: string - priority: - default: 0 - description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - uma: - description: User-Managed Access (UMA) source of resource data. - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - endpoint: - description: The endpoint of the UMA server. The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. - type: string - required: - - credentialsRef - - endpoint - type: object - userInfo: - description: OpendID Connect UserInfo linked to an OIDC identity config of this same spec. - properties: - identitySource: - description: The name of an OIDC identity source included in the "identity" section and whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim. - type: string - required: - - identitySource - type: object - when: - description: Conditions for Authorino to enforce this metadata config. If omitted, the config will be enforced for all requests. 
If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - oneOf: - - properties: - patternRef: {} - required: - - patternRef - - properties: - operator: {} - selector: {} - value: {} - required: - - operator - - selector - - value - properties: - operator: - description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - patterns: - additionalProperties: - items: - properties: - operator: - description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. 
- type: string - value: - description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - description: Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules. - type: object - response: - description: List of response configs. Authorino gathers data from the auth pipeline to build custom responses for the client. - items: - description: 'Dynamic response to return to the client. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json".' - properties: - json: - properties: - properties: - description: List of JSON property-value pairs to be added to the dynamic response. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - required: - - properties - type: object - name: - description: Name of the custom response. It can be used to refer to the resolved response object in other configs. 
- type: string - priority: - default: 0 - description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this custom response config. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. - items: - oneOf: - - properties: - patternRef: {} - required: - - patternRef - - properties: - operator: {} - selector: {} - value: {} - required: - - operator - - selector - - value - properties: - operator: - description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. - type: string - value: - description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. - type: string - type: object - type: array - wrapper: - default: httpHeader - description: How Authorino wraps the response. 
Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata - enum: - - httpHeader - - envoyDynamicMetadata - type: string - wrapperKey: - description: The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). If omitted, it will be set to the name of the configuration. - type: string - wristband: - properties: - customClaims: - description: Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' 
- type: string - type: object - required: - - name - type: object - type: array - issuer: - description: 'The endpoint to the Authorino service that issues the wristband (format: ://:/, where = / /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} - grpc-agent: | - {{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- 
else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - {{- end }} - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } - spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation 
.ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} 
- {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - {{- range $index, $container := .Spec.Containers }} - {{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if 
eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} - ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-sidecar-injector-kuadrant-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: istio -webhooks: -- name: rev.namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: kuadrant-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -- name: rev.object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: kuadrant-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "default" -- name: namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: kuadrant-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: 
Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -- name: object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: kuadrant-system - path: "/inject" - port: 443 - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod - namespace: kuadrant-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - istio: pilot ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole-kuadrant-system - labels: - app: istio-reader - release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", 
"list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole-kuadrant-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole-kuadrant-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: kuadrant-system - ---- -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod - namespace: kuadrant-system - labels: - app: istiod - release: istio -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. 
-- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod - namespace: kuadrant-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod -subjects: - - kind: ServiceAccount - name: istiod - namespace: kuadrant-system - ---- -apiVersion: v1 -kind: Service -metadata: - name: istiod - namespace: kuadrant-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: istio -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod - namespace: kuadrant-system - labels: - app: istiod - release: istio ---- ---- -# Note: http stats filter is wasm enabled only in sidecars. 
-apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.13 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - 
patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.13 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - 
"@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.13.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- ---- -# Note: http stats filter is wasm enabled only in sidecars. 
-apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.14 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - 
patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.14 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - 
"@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.14.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- ---- -# Note: http stats filter is wasm enabled only in sidecars. 
-apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.15 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - 
patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.15 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - 
"@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.15.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- ---- -# Note: http stats filter is wasm enabled only in sidecars. 
-apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - 
patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - 
"@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- ---- -# Note: http stats filter is wasm enabled only in sidecars. 
-apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - { - "disable_host_header_fallback": true - } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - { - "disable_host_header_fallback": true - } ---- -# Note: tcp stats filter is wasm enabled only in sidecars. 
-apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17 - namespace: kuadrant-system - labels: - istio.io/rev: default -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator-kuadrant-system - labels: - app: istiod - release: istio - istio: istiod - istio.io/rev: default -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. 
- - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - service: - name: istiod - namespace: kuadrant-system - path: "/validate" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" ---- - ---- - diff --git a/istiomanifests/default-gateway.yaml b/istiomanifests/default-gateway.yaml deleted file mode 100644 index 45ab321..0000000 --- a/istiomanifests/default-gateway.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: kuadrant-gateway - namespace: kuadrant-system -spec: - selector: - istio: kuadrant-system - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" diff --git a/istiomanifests/patches/istio-externalProvider.yaml b/istiomanifests/patches/istio-externalProvider.yaml deleted file mode 100644 index 8c537b8..0000000 --- a/istiomanifests/patches/istio-externalProvider.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - meshConfig: - extensionProviders: - - name: "kuadrant-authorization" - envoyExtAuthzGrpc: - service: "authorino-authorino-authorization.kuadrant-system.svc.cluster.local" - port: 50051 - components: - ingressGateways: - - name: kuadrant-gateway - enabled: true - namespace: kuadrant-system - label: - istio: kuadrant-system diff --git a/kuadrantmanifests/assets.go b/kuadrantmanifests/assets.go deleted file mode 100644 index 2607675..0000000 
--- a/kuadrantmanifests/assets.go
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
-Copyright 2021 Red Hat, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package kuadrantmanifests
-
-import (
- "embed"
-
- logf "sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-// Content holds kuadrant manifests
-//
-//go:embed autogenerated
-var content embed.FS
-
-func Content() ([]byte, error) {
- logf.Log.V(1).Info("Resource file", "name", "autogenerated/kuadrant.yaml")
- return content.ReadFile("autogenerated/kuadrant.yaml")
-}
diff --git a/kuadrantmanifests/autogenerated/kuadrant.yaml b/kuadrantmanifests/autogenerated/kuadrant.yaml
deleted file mode 100644
index 1cd7dc2..0000000
--- a/kuadrantmanifests/autogenerated/kuadrant.yaml
+++ /dev/null
@@ -1,451 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app: kuadrant - control-plane: controller-manager - name: kuadrant-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - labels: - app: kuadrant - name: ratelimitpolicies.apim.kuadrant.io -spec: - group: apim.kuadrant.io - names: - kind: RateLimitPolicy - listKind: RateLimitPolicyList - plural: ratelimitpolicies - singular: ratelimitpolicy - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RateLimitPolicy is the Schema for the ratelimitpolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RateLimitPolicySpec defines the desired state of RateLimitPolicy - properties: - limits: - items: - description: RateLimitSpec defines the desired state of RateLimit - properties: - conditions: - items: - type: string - type: array - max_value: - type: integer - namespace: - type: string - seconds: - type: integer - variables: - items: - type: string - type: array - required: - - conditions - - max_value - - namespace - - seconds - - variables - type: object - type: array - rateLimits: - description: RateLimits are used for all of the matching rules - items: - properties: - actions: - items: - description: Action_Specifier defines the envoy rate limit actions - properties: - generic_key: - properties: - descriptor_key: - type: string - descriptor_value: - type: string - required: - - descriptor_key - - descriptor_value - type: object - type: object - type: array - stage: - description: 'Definfing phase at which rate limits will be applied. Valid values are: PREAUTH, POSTAUTH, BOTH' - enum: - - PREAUTH - - POSTAUTH - - BOTH - type: string - required: - - stage - type: object - type: array - routes: - description: route specific staging and actions - items: - properties: - name: - description: name of the route present in the virutalservice - type: string - rateLimits: - items: - properties: - actions: - items: - description: Action_Specifier defines the envoy rate limit actions - properties: - generic_key: - properties: - descriptor_key: - type: string - descriptor_value: - type: string - required: - - descriptor_key - - descriptor_value - type: object - type: object - type: array - stage: - description: 'Definfing phase at which rate limits will be applied. 
Valid values are: PREAUTH, POSTAUTH, BOTH' - enum: - - PREAUTH - - POSTAUTH - - BOTH - type: string - required: - - stage - type: object - type: array - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - status: - description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy - properties: - virtualservices: - description: VirtualServices represents the current VirtualService objects with reference to this ratelimitpolicy object - items: - properties: - gateways: - items: - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - type: array - name: - type: string - required: - - name - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: kuadrant - name: kuadrant-controller-manager - namespace: kuadrant-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: kuadrant - name: kuadrant-leader-election-role - namespace: kuadrant-system -rules: -- apiGroups: - - "" - - coordination.k8s.io - resources: - - configmaps - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - app: kuadrant - name: kuadrant-manager-role -rules: -- apiGroups: - - apim.kuadrant.io - resources: - - ratelimitpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apim.kuadrant.io - resources: - - ratelimitpolicies/finalizers - verbs: - - update -- apiGroups: - - apim.kuadrant.io - resources: - - 
ratelimitpolicies/status - verbs: - - get - - patch - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - limitador.kuadrant.io - resources: - - ratelimits - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.istio.io - resources: - - envoyfilters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.istio.io - resources: - - gateways - verbs: - - get - - list - - watch -- apiGroups: - - networking.istio.io - resources: - - virtualservices - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - security.istio.io - resources: - - authorizationpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: kuadrant - name: kuadrant-leader-election-rolebinding - namespace: kuadrant-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kuadrant-leader-election-role -subjects: -- kind: ServiceAccount - name: kuadrant-controller-manager - namespace: kuadrant-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: kuadrant - name: kuadrant-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kuadrant-manager-role -subjects: -- kind: ServiceAccount - name: kuadrant-controller-manager - namespace: kuadrant-system ---- -apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: :8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: e358d637.kuadrant.io -kind: ConfigMap -metadata: - labels: - app: kuadrant - name: kuadrant-manager-config - 
namespace: kuadrant-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: kuadrant - control-plane: controller-manager - name: kuadrant-controller-manager-metrics-service - namespace: kuadrant-system -spec: - ports: - - name: metrics - port: 8080 - targetPort: metrics - selector: - app: kuadrant - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: kuadrant - control-plane: controller-manager - name: kuadrant-controller-manager - namespace: kuadrant-system -spec: - replicas: 1 - selector: - matchLabels: - app: kuadrant - control-plane: controller-manager - template: - metadata: - labels: - app: kuadrant - control-plane: controller-manager - spec: - containers: - - args: - - --config=controller_manager_config.yaml - command: - - /manager - image: quay.io/kuadrant/kuadrant-controller:main - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 8080 - name: metrics - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /controller_manager_config.yaml - name: manager-config - subPath: controller_manager_config.yaml - securityContext: - runAsNonRoot: true - serviceAccountName: kuadrant-controller-manager - terminationGracePeriodSeconds: 10 - volumes: - - configMap: - name: kuadrant-manager-config - name: manager-config diff --git a/limitadormanifests/assets.go b/limitadormanifests/assets.go deleted file mode 100644 index 21ecf94..0000000 --- a/limitadormanifests/assets.go +++ /dev/null 
@@ -1,32 +0,0 @@ -/* -Copyright 2021 Red Hat, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -package limitadormanifests - -import ( - "embed" - - logf "sigs.k8s.io/controller-runtime/pkg/log" -) - -// Content holds limitador operator manifests -// -//go:embed autogenerated -var content embed.FS - -func OperatorContent() ([]byte, error) { - logf.Log.V(1).Info("Resource file", "name", "autogenerated/limitador-operator.yaml") - return content.ReadFile("autogenerated/limitador-operator.yaml") -} diff --git a/limitadormanifests/autogenerated/limitador-operator.yaml b/limitadormanifests/autogenerated/limitador-operator.yaml deleted file mode 100644 index 2a0c4a5..0000000 --- a/limitadormanifests/autogenerated/limitador-operator.yaml +++ /dev/null 
@@ -1,405 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: kuadrant-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: limitadors.limitador.kuadrant.io -spec: - group: limitador.kuadrant.io - names: - kind: Limitador - listKind: LimitadorList - plural: limitadors - singular: limitador - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Limitador is the Schema for the limitadors API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: LimitadorSpec defines the desired state of Limitador - properties: - replicas: - type: integer - version: - type: string - type: object - status: - description: LimitadorStatus defines the observed state of Limitador - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: ratelimits.limitador.kuadrant.io -spec: - group: limitador.kuadrant.io - names: - kind: RateLimit - listKind: RateLimitList - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RateLimit is the Schema for the ratelimits API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RateLimitSpec defines the desired state of RateLimit - properties: - conditions: - items: - type: string - type: array - max_value: - type: integer - namespace: - type: string - seconds: - type: integer - variables: - items: - type: string - type: array - required: - - conditions - - max_value - - namespace - - seconds - - variables - type: object - status: - description: RateLimitStatus defines the observed state of RateLimit - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: limitador-operator-controller-manager - namespace: kuadrant-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: limitador-operator-leader-election-role - namespace: kuadrant-system -rules: -- apiGroups: - - "" - - coordination.k8s.io - resources: - - configmaps - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: limitador-operator-manager-role -rules: -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - limitador.kuadrant.io - resources: - - limitadors - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - limitador.kuadrant.io - resources: - - limitadors/finalizers - verbs: - - update -- apiGroups: - - limitador.kuadrant.io - resources: - - 
limitadors/status - verbs: - - get - - patch - - update -- apiGroups: - - limitador.kuadrant.io - resources: - - ratelimits - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - limitador.kuadrant.io - resources: - - ratelimits/finalizers - verbs: - - update -- apiGroups: - - limitador.kuadrant.io - resources: - - ratelimits/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: limitador-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: limitador-operator-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: limitador-operator-leader-election-rolebinding - namespace: kuadrant-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: limitador-operator-leader-election-role -subjects: -- kind: ServiceAccount - name: limitador-operator-controller-manager - namespace: kuadrant-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: limitador-operator-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: limitador-operator-manager-role -subjects: -- kind: ServiceAccount - name: limitador-operator-controller-manager - namespace: kuadrant-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: limitador-operator-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: limitador-operator-proxy-role -subjects: -- kind: ServiceAccount - name: limitador-operator-controller-manager - namespace: kuadrant-system ---- -apiVersion: v1 
-data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 3745a16e.kuadrant.io -kind: ConfigMap -metadata: - name: limitador-operator-manager-config - namespace: kuadrant-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: limitador-operator-controller-manager-metrics-service - namespace: kuadrant-system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - name: limitador-operator-controller-manager - namespace: kuadrant-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - image: quay.io/kuadrant/limitador-operator:main - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - securityContext: - runAsNonRoot: true - serviceAccountName: limitador-operator-controller-manager - terminationGracePeriodSeconds: 10 
diff --git a/make/gateway-api.mk b/make/gateway-api.mk
new file mode 100644
index 0000000..81bd84e
--- /dev/null
+++ b/make/gateway-api.mk
@@ -0,0 +1,5 @@
+##@ Gateway API resources
+
+.PHONY: gateway-api-install
+gateway-api-install: kustomize ## Install Gateway API CRDs
+ $(KUSTOMIZE) build config/gateway-api | kubectl apply -f -
diff --git a/make/istio.mk b/make/istio.mk
new file mode 100644
index 0000000..9644f45
--- /dev/null
+++ b/make/istio.mk
@@ -0,0 +1,25 @@
+
+##@ Istio
+
+## Targets to help install and configure istio
+
+# istioctl tool
+ISTIOCTL=$(shell pwd)/bin/istioctl
+ISTIOVERSION = 1.19.3
+$(ISTIOCTL):
+ mkdir -p $(shell pwd)/bin
+ $(eval TMP := $(shell mktemp -d))
+ cd $(TMP); curl -sSL https://istio.io/downloadIstio | ISTIO_VERSION=$(ISTIOVERSION) sh -
+ cp $(TMP)/istio-$(ISTIOVERSION)/bin/istioctl ${ISTIOCTL}
+ -rm -rf $(TMP)
+
+.PHONY: istioctl
+istioctl: $(ISTIOCTL) ## Download istioctl locally if necessary.
+
+.PHONY: istio-install
+istio-install: istioctl ## Install istio.
+ $(ISTIOCTL) install --set profile=demo -y
+
+.PHONY: istio-uninstall
+istio-uninstall: istioctl ## Uninstall istio.
+ $(ISTIOCTL) uninstall -y --purge
diff --git a/make/kind.mk b/make/kind.mk
new file mode 100644
index 0000000..4c26b5b
--- /dev/null
+++ b/make/kind.mk
@@ -0,0 +1,14 @@
+
+##@ Kind
+
+## Targets to help install and use kind for development https://kind.sigs.k8s.io
+
+KIND_CLUSTER_NAME ?= kuadrant-local
+
+.PHONY: kind-create-cluster
+kind-create-cluster: kind ## Create the "kuadrant-local" kind cluster.
+ $(KIND) create cluster --name $(KIND_CLUSTER_NAME) --config utils/kind-cluster.yaml
+
+.PHONY: kind-delete-cluster
+kind-delete-cluster: kind ## Delete the "kuadrant-local" kind cluster.
+ - $(KIND) delete cluster --name $(KIND_CLUSTER_NAME)
diff --git a/make/lint.mk b/make/lint.mk
new file mode 100644
index 0000000..45842b0
--- /dev/null
+++ b/make/lint.mk
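Review bot: The `$(ISTIOCTL)` recipe pipes `https://istio.io/downloadIstio` into `sh` with no integrity check, so `ISTIOVERSION = 1.19.3` pins a version string but not the installer script nor the archive it fetches; whatever is served at that URL runs with the developer's privileges. Istio's GitHub release page publishes per-platform `istioctl-<version>-<os>-<arch>.tar.gz` assets with matching `.sha256` files (confirm the exact asset names there), so the recipe can fetch archive and checksum directly and verify before extracting, as sketched below. `curl -sSL` without `-f` also pipes an HTTP error body into `sh`; use `-fsSL` on every download in these Makefiles. `istio-install` uses `--set profile=demo`, which is fine for the kind dev cluster this targets, but a comment such as `# demo profile is permissive and dev-only; not a hardened configuration` would keep it from being copied elsewhere.
```make
# … unchanged: ISTIOCTL / ISTIOVERSION …
ISTIO_OS ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
ISTIO_ARCH ?= amd64
ISTIO_ASSET = istioctl-$(ISTIOVERSION)-$(ISTIO_OS)-$(ISTIO_ARCH).tar.gz
ISTIO_RELEASE_URL = https://github.com/istio/istio/releases/download/$(ISTIOVERSION)
$(ISTIOCTL):
	mkdir -p $(shell pwd)/bin
	$(eval TMP := $(shell mktemp -d))
	cd $(TMP) && curl -fsSLO $(ISTIO_RELEASE_URL)/$(ISTIO_ASSET) \
		&& curl -fsSLO $(ISTIO_RELEASE_URL)/$(ISTIO_ASSET).sha256 \
		&& sha256sum -c $(ISTIO_ASSET).sha256 \
		&& tar -xzf $(ISTIO_ASSET) istioctl
	cp $(TMP)/istioctl $(ISTIOCTL)
	-rm -rf $(TMP)
# … unchanged: istioctl / istio-install / istio-uninstall targets …
```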
@@ -0,0 +1,11 @@
+GOLANGCI-LINT=$(PROJECT_PATH)/bin/golangci-lint
+$(GOLANGCI-LINT):
+ mkdir -p $(PROJECT_PATH)/bin
+ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(PROJECT_PATH)/bin v1.41.1
+
+.PHONY: golangci-lint
+golangci-lint: $(GOLANGCI-LINT)
+
+.PHONY: run-lint
+run-lint: $(GOLANGCI-LINT)
+ $(GOLANGCI-LINT) run --timeout 2m
diff --git a/make/olm.mk b/make/olm.mk
new file mode 100644
index 0000000..59e5e27
--- /dev/null
+++ b/make/olm.mk
@@ -0,0 +1,5 @@
+##@ Install Operator Lifecycle Manager (OLM), a tool to help manage the Operators running on your cluster.
+
+.PHONY: olm-install
+olm-install:
+ curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.26.0/install.sh | bash -s v0.26.0
diff --git a/utils.mk b/make/utils.mk
similarity index 84%
rename from utils.mk
rename to make/utils.mk
index ec89cb8..5424874 100644
--- a/utils.mk
+++ b/make/utils.mk
@@ -6,7 +6,7 @@ TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
-GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+GOBIN=$(PROJECT_PATH)/bin go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef
diff --git a/pkg/authorino/auth_config.go b/pkg/authorino/auth_config.go
deleted file mode 100644
index d81be0c..0000000
--- a/pkg/authorino/auth_config.go
+++ /dev/null
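Review bot: The golangci-lint installer in the `$(GOLANGCI-LINT)` recipe is fetched from the `master` branch of the golangci-lint repo and piped into `sh`, so only the binary version (`v1.41.1`) is pinned while the script that downloads and places it is mutable and unverified. Pin the script to the same tag: `curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v1.41.1/install.sh | sh -s -- -b $(PROJECT_PATH)/bin v1.41.1`. Better still, install it through the `go install` define already kept in `make/utils.mk` with `github.com/golangci/golangci-lint/cmd/golangci-lint@v1.41.1`, which gets the Go module checksum-database verification for free and drops the curl-pipe-sh pattern entirely; v1.41.1 also appears to date from 2021, so bumping it at the same time is worth considering.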
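Review bot: `olm-install` pipes `install.sh` from the OLM v0.26.0 release straight into `bash` with no integrity check, and `curl -sL` lacks `-f`, so an HTTP error page would be fed to bash as well. A tag-pinned release asset is better than an unpinned branch but still not an integrity guarantee, since assets under a tag can be replaced; download the script to a file, compare it against a sha256 recorded in the repo, then run it, e.g. `curl -fsSL -o $(TMP)/olm-install.sh <release-url>/install.sh && echo "<recorded-sha256>  $(TMP)/olm-install.sh" | sha256sum -c && bash $(TMP)/olm-install.sh v0.26.0`.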
@@ -1,134 +0,0 @@ -package authorino - -import ( - "fmt" - "strings" - - "github.com/getkin/kin-openapi/openapi3" - authorinov1beta1 "github.com/kuadrant/authorino/api/v1beta1" - - "github.com/kuadrant/kuadrantctl/pkg/utils" -) - -func AuthConfigIdentitiesFromOpenAPI(oasDoc *openapi3.T) ([]*authorinov1beta1.Identity, error) { - identities := []*authorinov1beta1.Identity{} - - workloadName, err := utils.K8sNameFromOpenAPITitle(oasDoc) - if err != nil { - return nil, err - } - - for path, pathItem := range oasDoc.Paths { - for opVerb, operation := range pathItem.Operations() { - secReqsP := utils.OpenAPIOperationSecRequirements(oasDoc, operation) - - if secReqsP == nil { - continue - } - - for _, secReq := range *secReqsP { - // Authorino AuthConfig currently only supports one identity method for each identity evaluator. - // It does not support, for instance, auth based on two api keys or api key AND oidc. - // Thus, some OpenAPI 3.X security requirements are not supported: - // - // Not Supported: - // security: - // - petstore_api_key: [] - // toystore_api_key: [] - // toystore_oidc: [] - // - // Supported: - // security: - // - petstore_api_key: [] - // - toystore_api_key: [] - // - toystore_oidc: [] - // - - // scopes not being used now - for secSchemeName := range secReq { - - secSchemeI, err := oasDoc.Components.SecuritySchemes.JSONLookup(secSchemeName) - if err != nil { - return nil, err - } - - secScheme := secSchemeI.(*openapi3.SecurityScheme) // panic if assertion fails - - identity, err := AuthConfigIdentityFromSecurityRequirement( - operation.OperationID, // TODO(eastizle): OperationID can be null, fallback to some custom name - path, opVerb, workloadName, secScheme) - if err != nil { - return nil, err - } - - identities = append(identities, identity) - // currently only support for one schema per requirement - break - } - } - - } - } - return identities, nil -} - -func AuthConfigConditionsFromOperation(opPath, opVerb string) 
[]authorinov1beta1.JSONPattern { - return []authorinov1beta1.JSONPattern{ - { - JSONPatternExpression: authorinov1beta1.JSONPatternExpression{ - Selector: `context.request.http.path.@extract:{"sep":"/"}`, - Operator: "eq", - Value: opPath, - }, - }, - { - JSONPatternExpression: authorinov1beta1.JSONPatternExpression{ - Selector: "context.request.http.method.@case:lower", - Operator: "eq", - Value: strings.ToLower(opVerb), - }, - }, - } -} - -func AuthConfigIdentityFromSecurityRequirement(name, opPath, opVerb, workloadName string, secScheme *openapi3.SecurityScheme) (*authorinov1beta1.Identity, error) { - if secScheme == nil { - return nil, fmt.Errorf("sec scheme nil for operation path:%s method:%s", opPath, opVerb) - } - - identity := &authorinov1beta1.Identity{ - Name: name, - Conditions: AuthConfigConditionsFromOperation(opPath, opVerb), - } - - switch secScheme.Type { - case "apiKey": - AuthConfigIdentityFromApiKeyScheme(identity, secScheme, workloadName) - case "openIdConnect": - AuthConfigIdentityFromOIDCScheme(identity, secScheme) - default: - return nil, fmt.Errorf("sec scheme type %s not supported for path:%s method:%s", secScheme.Type, opPath, opVerb) - } - - return identity, nil -} - -func AuthConfigIdentityFromApiKeyScheme(identity *authorinov1beta1.Identity, secScheme *openapi3.SecurityScheme, workloadName string) { - // Fixed label selector for now - apikey := authorinov1beta1.Identity_APIKey{ - LabelSelectors: map[string]string{ - "authorino.kuadrant.io/managed-by": "authorino", - "app": workloadName, - }, - } - - identity.Credentials.In = authorinov1beta1.Credentials_In(secScheme.In) - identity.Credentials.KeySelector = secScheme.Name - identity.APIKey = &apikey -} - -func AuthConfigIdentityFromOIDCScheme(identity *authorinov1beta1.Identity, secScheme *openapi3.SecurityScheme) { - identity.Oidc = &authorinov1beta1.Identity_OidcConfig{ - Endpoint: secScheme.OpenIdConnectUrl, - } -} 
diff --git a/pkg/authorino/authorino.go b/pkg/authorino/authorino.go deleted file mode 100644 index fea8bf8..0000000 --- a/pkg/authorino/authorino.go +++ /dev/null @@ -1,35 +0,0 @@ -package authorino - -import ( - authorinov1beta1 "github.com/kuadrant/authorino-operator/api/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -func Authorino(ns string) *authorinov1beta1.Authorino { - tlsEnabledTmp := false - return &authorinov1beta1.Authorino{ - TypeMeta: metav1.TypeMeta{ - Kind: "Authorino", - APIVersion: "operator.authorino.kuadrant.io/v1beta1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "authorino", - Namespace: ns, - }, - Spec: authorinov1beta1.AuthorinoSpec{ - Image: "quay.io/3scale/authorino:v0.7.0", - ClusterWide: true, - Listener: authorinov1beta1.Listener{ - Tls: authorinov1beta1.Tls{ - Enabled: &tlsEnabledTmp, - }, - }, - OIDCServer: authorinov1beta1.OIDCServer{ - Tls: authorinov1beta1.Tls{ - Enabled: &tlsEnabledTmp, - }, - }, - SecretLabelSelectors: "authorino.kuadrant.io/managed-by=authorino", - }, - } -} diff --git a/pkg/gatewayapi/http_route.go b/pkg/gatewayapi/http_route.go index a8003b6..521056a 100644 --- a/pkg/gatewayapi/http_route.go +++ b/pkg/gatewayapi/http_route.go @@ -3,11 +3,12 @@ package gatewayapi import ( "github.com/getkin/kin-openapi/openapi3" gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) func HTTPRouteMatchesFromOAS(doc *openapi3.T) ([]gatewayapiv1alpha2.HTTPRouteMatch, error) { httpRouteMatches := []gatewayapiv1alpha2.HTTPRouteMatch{} - pathMatchExactPath := gatewayapiv1alpha2.PathMatchExact + pathMatchExactPath := gatewayapiv1beta1.PathMatchExact for path, pathItem := range doc.Paths { 
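Review bot: `pathMatchExactPath` now takes the `gatewayapiv1beta1.PathMatchExact` constant while `httpRouteMatches` and the function's return type stay on `gatewayapiv1alpha2`, so the function builds v1alpha2 values from v1beta1 constants; this appears to compile only because the pinned gateway-api module declares the v1alpha2 HTTPRoute types as aliases of the v1beta1 ones, which is an implicit dependency on that module's internals. Either move the whole file to v1beta1 (`[]gatewayapiv1beta1.HTTPRouteMatch` in the signature, drop the v1alpha2 import, update the callers) or keep the constants on v1alpha2 until the callers migrate, rather than mixing the two. If the mix is intentional as a staging step, a comment above the assignment such as `// v1beta1 constants are used here because the pinned gateway-api aliases v1alpha2 route types to v1beta1; finish the migration once callers move` would at least make the coupling visible. HTTPRouteMatchesFromOAS continues past the end of the hunk.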
@@ -37,8 +38,8 @@ func HTTPRouteMatchesFromOAS(doc *openapi3.T) ([]gatewayapiv1alpha2.HTTPRouteMat
 }
 
 func addRuleMatcherFromParams(params openapi3.Parameters, headers []gatewayapiv1alpha2.HTTPHeaderMatch, queryParams []gatewayapiv1alpha2.HTTPQueryParamMatch) ([]gatewayapiv1alpha2.HTTPHeaderMatch, []gatewayapiv1alpha2.HTTPQueryParamMatch) {
- headerMatchType := gatewayapiv1alpha2.HeaderMatchExact
- queryParamMatchExact := gatewayapiv1alpha2.QueryParamMatchExact
+ headerMatchType := gatewayapiv1beta1.HeaderMatchExact
+ queryParamMatchExact := gatewayapiv1beta1.QueryParamMatchExact
 
 for _, parameter := range params {
 if !parameter.Value.Required {
diff --git a/pkg/istio/authorizationpolicy.go b/pkg/istio/authorizationpolicy.go
deleted file mode 100644
index dfea3e9..0000000
--- a/pkg/istio/authorizationpolicy.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package istio
-
-import (
- "github.com/getkin/kin-openapi/openapi3"
- istiosecurityapi "istio.io/api/security/v1beta1"
-
- "github.com/kuadrant/kuadrantctl/pkg/utils"
-)
-
-func AuthorizationPolicyRulesFromOpenAPI(oasDoc *openapi3.T, publicDomain string) []*istiosecurityapi.Rule {
- rules := []*istiosecurityapi.Rule{}
-
- for path, pathItem := range oasDoc.Paths {
- for opVerb, operation := range pathItem.Operations() {
- secReqsP := utils.OpenAPIOperationSecRequirements(oasDoc, operation)
-
- if secReqsP == nil || len(*secReqsP) == 0 {
- continue
- }
-
- // there is at least one sec requirement for this operation,
- // add the operation to authorization policy rules
- rule := &istiosecurityapi.Rule{
- To: []*istiosecurityapi.Rule_To{
- {
- Operation: &istiosecurityapi.Operation{
- Hosts: []string{publicDomain},
- Methods: []string{opVerb},
- Paths: []string{path},
- },
- },
- },
- }
-
- rules = append(rules, rule)
- }
- }
- return rules
-}
diff --git a/pkg/istio/http_route.go b/pkg/istio/http_route.go
deleted file mode 100644
index c80bf58..0000000
--- a/pkg/istio/http_route.go
+++ /dev/null
@@ -1,44 +0,0 @@ -package istio - -import ( - "github.com/getkin/kin-openapi/openapi3" - istioapi "istio.io/api/networking/v1beta1" -) - -func HTTPRoutesFromOpenAPI(oasDoc *openapi3.T, destination *istioapi.Destination, pathMatchPrefix bool) ([]*istioapi.HTTPRoute, error) { - httpRoutes := []*istioapi.HTTPRoute{} - - // Path based routing - for path, pathItem := range oasDoc.Paths { - - var pathMatchType *istioapi.StringMatch - if pathMatchPrefix { - pathMatchType = &istioapi.StringMatch{ - MatchType: &istioapi.StringMatch_Prefix{Prefix: path}, - } - } else { - pathMatchType = &istioapi.StringMatch{ - MatchType: &istioapi.StringMatch_Exact{Exact: path}, - } - } - - for opVerb, operation := range pathItem.Operations() { - httpRoute := &istioapi.HTTPRoute{ - // TODO(eastizle): OperationID can be null, fallback to some custom name - Name: operation.OperationID, - Match: []*istioapi.HTTPMatchRequest{ - { - Uri: pathMatchType, - Method: &istioapi.StringMatch{ - MatchType: &istioapi.StringMatch_Exact{Exact: opVerb}, - }, - }, - }, - Route: []*istioapi.HTTPRouteDestination{{Destination: destination}}, - } - httpRoutes = append(httpRoutes, httpRoute) - } - } - - return httpRoutes, nil -} diff --git a/pkg/limitador/limitador.go b/pkg/limitador/limitador.go deleted file mode 100644 index 4b5d0f5..0000000 --- a/pkg/limitador/limitador.go +++ /dev/null @@ -1,23 +0,0 @@ -package limitador - -import ( - limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -func Limitador(ns string) *limitadorv1alpha1.Limitador { - tmpVersion := "0.4.0" - return &limitadorv1alpha1.Limitador{ - TypeMeta: metav1.TypeMeta{ - Kind: "Limitador", - APIVersion: "limitador.kuadrant.io/v1alpha1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "limitador", - Namespace: ns, - }, - Spec: limitadorv1alpha1.LimitadorSpec{ - Version: &tmpVersion, - }, - } -} diff --git a/pkg/utils/scheme.go b/pkg/utils/scheme.go index a3bd811..c500ac7 100644 
--- a/pkg/utils/scheme.go
+++ b/pkg/utils/scheme.go
@@ -1,10 +1,8 @@
 package utils
 
 import (
- authorinov1beta1 "github.com/kuadrant/authorino-operator/api/v1beta1"
- networkingv1beta1 "github.com/kuadrant/kuadrant-controller/apis/networking/v1beta1"
- limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
- istio "istio.io/client-go/pkg/apis/networking/v1alpha3"
+ kuadrantoperator "github.com/kuadrant/kuadrant-operator/api/v1beta1"
+ operators "github.com/operator-framework/api/pkg/operators/v1alpha1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/client-go/kubernetes/scheme"
 )
@@ -15,22 +13,12 @@ func SetupScheme() error {
 return err
 }
 
- err = istio.AddToScheme(scheme.Scheme)
+ err = operators.AddToScheme(scheme.Scheme)
 if err != nil {
 return err
 }
 
- err = networkingv1beta1.AddToScheme(scheme.Scheme)
- if err != nil {
- return err
- }
-
- err = limitadorv1alpha1.AddToScheme(scheme.Scheme)
- if err != nil {
- return err
- }
-
- err = authorinov1beta1.AddToScheme(scheme.Scheme)
+ err = kuadrantoperator.AddToScheme(scheme.Scheme)
 if err != nil {
 return err
 }
diff --git a/pkg/utils/utils.coverprofile b/pkg/utils/utils.coverprofile
new file mode 100644
index 0000000..dbcac2a
--- /dev/null
+++ b/pkg/utils/utils.coverprofile
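Review bot: The two new `AddToScheme` calls in the second hunk return the error unwrapped, so a failure surfaces with no indication of which API group's registration broke, and the same four-line pattern is now repeated three times in the function. Wrap each with the group it registers: `return fmt.Errorf("registering OLM types in scheme: %w", err)` and `return fmt.Errorf("registering kuadrant-operator types in scheme: %w", err)` (`fmt` would need adding to the import hunk above). The body of `SetupScheme` starts before this hunk; the first `return err` at its top presumably belongs to the apiextensions registration implied by the surviving import, and would benefit from the same wrapping.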
@@ -0,0 +1,68 @@ +mode: atomic +github.com/kuadrant/kuadrantctl/pkg/utils/external_resource_reader.go:27.60,28.21 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/external_resource_reader.go:28.21,30.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/external_resource_reader.go:32.2,32.45 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/external_resource_reader.go:32.45,34.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/external_resource_reader.go:37.2,37.34 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/http_utils.go:25.44,28.2 2 9 +github.com/kuadrant/kuadrantctl/pkg/utils/http_utils.go:30.49,32.16 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/http_utils.go:32.16,34.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/http_utils.go:35.2,37.16 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/http_utils.go:37.16,39.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/http_utils.go:40.2,40.18 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:32.81,34.9 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:34.9,36.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:38.2,40.16 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:40.16,42.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:44.2,44.37 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:44.37,46.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:49.2,51.9 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:51.9,53.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:54.2,55.16 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:55.16,57.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:59.2,62.16 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:62.16,64.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:66.2,69.9 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:69.9,71.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:73.2,75.12 3 0 
+github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:78.77,80.9 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:80.9,82.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:83.2,87.16 4 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:87.16,88.37 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:88.37,91.4 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:91.9,93.4 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:95.2,95.12 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:98.73,100.9 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:100.9,102.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:103.2,107.46 4 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:107.46,110.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:111.2,111.12 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:116.56,118.43 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:118.43,119.99 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:119.99,121.4 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:123.2,123.14 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:126.96,129.16 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:129.16,130.32 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:130.32,133.4 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:135.3,135.20 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:138.2,138.48 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:138.48,143.3 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/k8s_utils.go:145.2,146.18 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:17.63,26.25 5 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:26.25,29.3 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:30.2,30.21 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:33.40,36.16 3 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:36.16,38.3 1 0 
+github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:40.2,41.16 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:41.16,43.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:45.2,45.12 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:48.120,49.31 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:49.31,51.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/oas3.go:52.2,52.27 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:10.26,12.16 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:12.16,14.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:16.2,17.16 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:17.16,19.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:21.2,22.16 2 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:22.16,24.3 1 0 +github.com/kuadrant/kuadrantctl/pkg/utils/scheme.go:26.2,26.12 1 0 diff --git a/pkg/utils/version_parser.go b/pkg/utils/version_parser.go deleted file mode 100644 index 5c4deea..0000000 --- a/pkg/utils/version_parser.go +++ /dev/null 
@@ -1,124 +0,0 @@
-package utils
-
-import (
- appsv1 "k8s.io/api/apps/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/client-go/kubernetes/scheme"
-
- "github.com/kuadrant/kuadrantctl/authorinomanifests"
- "github.com/kuadrant/kuadrantctl/istiomanifests"
- "github.com/kuadrant/kuadrantctl/kuadrantmanifests"
- "github.com/kuadrant/kuadrantctl/limitadormanifests"
-)
-
-func IstioImage() (string, error) {
- istioImage := "unknown"
-
- istioParser := func(obj runtime.Object) error {
- if deployment, ok := obj.(*appsv1.Deployment); ok {
- if deployment.GetName() == "istiod" {
- istioImage = deployment.Spec.Template.Spec.Containers[0].Image
- }
- }
- return nil
- }
-
- istioPilotContent, err := istiomanifests.PilotContent()
- if err != nil {
- return "", err
- }
-
- err = DecodeFile(istioPilotContent, scheme.Scheme, istioParser)
- if err != nil {
- return "", err
- }
-
- return istioImage, nil
-}
-
-func LimitadorOperatorImage() (string, error) {
- image := "unknown"
-
- parser := func(obj runtime.Object) error {
- if deployment, ok := obj.(*appsv1.Deployment); ok {
- if deployment.GetName() == "limitador-operator-controller-manager" {
- for _, container := range deployment.Spec.Template.Spec.Containers {
- if container.Name == "manager" {
- image = container.Image
- }
- }
- }
- }
- return nil
- }
-
- content, err := limitadormanifests.OperatorContent()
- if err != nil {
- return "", err
- }
-
- err = DecodeFile(content, scheme.Scheme, parser)
- if err != nil {
- return "", err
- }
-
- return image, nil
-}
-
-func KuadrantControllerImage() (string, error) {
- image := "unknown"
-
- parser := func(obj runtime.Object) error {
- if deployment, ok := obj.(*appsv1.Deployment); ok {
- if deployment.GetName() == "kuadrant-controller-manager" {
- for _, container := range deployment.Spec.Template.Spec.Containers {
- if container.Name == "manager" {
- image = container.Image
- }
- }
- }
- }
- return nil
- }
-
- content, err := kuadrantmanifests.Content()
- if err != nil {
- return "", err
- }
-
- err = DecodeFile(content, scheme.Scheme, parser)
- if err != nil {
- return "", err
- }
-
- return image, nil
-}
-
-func AuthorinoOperatorImage() (string, error) {
- image := "unknown"
-
- parser := func(obj runtime.Object) error {
- if deployment, ok := obj.(*appsv1.Deployment); ok {
- if deployment.GetName() == "authorino-operator-controller-manager" {
- for _, container := range deployment.Spec.Template.Spec.Containers {
- if container.Name == "manager" {
- image = container.Image
- }
- }
- }
- }
- return nil
- }
-
- content, err := authorinomanifests.OperatorContent()
- if err != nil {
- return "", err
- }
-
- err = DecodeFile(content, scheme.Scheme, parser)
- if err != nil {
- return "", err
- }
-
- return image, nil
-}
diff --git a/pkg/utils/yaml_decoder.go b/pkg/utils/yaml_decoder.go
deleted file mode 100644
index 2cdb928..0000000
--- a/pkg/utils/yaml_decoder.go
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
-Copyright 2021 Red Hat, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package utils
-
-import (
- "bytes"
- "io"
- "io/ioutil"
-
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/serializer"
- "k8s.io/apimachinery/pkg/util/yaml"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-type DecodeCallback = func(runtime.Object) error
-
-func DecodeFile(fileData []byte, scheme *runtime.Scheme, cb DecodeCallback) error {
- codec := serializer.NewCodecFactory(scheme)
- decoder := codec.UniversalDeserializer()
-
- // the maximum size used to buffer a doc 5M
- buf := make([]byte, 5*1024*1024)
- docDecoder := yaml.NewDocumentDecoder(ioutil.NopCloser(bytes.NewReader(fileData)))
-
- for {
- n, err := docDecoder.Read(buf)
- if err != nil {
- if err == io.EOF {
- break
- }
- return err
- }
-
- if n == 0 {
- // empty docs
- continue
- }
-
- docData := buf[:n]
- obj, _, err := decoder.Decode(docData, nil, nil)
- if err != nil {
- logf.Log.Info("Document decode error", "error", err)
- continue
- }
-
- err = cb(obj)
- if err != nil {
- return err
- }
- }
- return nil
-}
diff --git a/utils/kind/cluster.yaml b/utils/kind-cluster.yaml
similarity index 100%
rename from utils/kind/cluster.yaml
rename to utils/kind-cluster.yaml