From 78866c0fe380c687018f531aad1a8b4eb4c12f3c Mon Sep 17 00:00:00 2001
From: KevFan
Date: Fri, 8 Nov 2024 13:55:52 +0000
Subject: [PATCH] feat: validate authorino operator crd is installed for auth policy status
Signed-off-by: KevFan
---
 controllers/auth_policies_validator.go | 7 +-
 controllers/data_plane_policies_workflow.go | 4 +-
 controllers/state_of_the_world.go | 110 ++++++++++++++------
 3 files changed, 85 insertions(+), 36 deletions(-)
diff --git a/controllers/auth_policies_validator.go b/controllers/auth_policies_validator.go
index ac232735b..58e54cd9f 100644
--- a/controllers/auth_policies_validator.go
+++ b/controllers/auth_policies_validator.go
@@ -15,7 +15,9 @@ import (
 kuadrant "github.com/kuadrant/kuadrant-operator/pkg/kuadrant"
 )
-type AuthPolicyValidator struct{}
+type AuthPolicyValidator struct {
+ isAuthorinoOperatorInstalled bool
+}
 // AuthPolicyValidator subscribes to events with potential to flip the validity of auth policies
 func (r *AuthPolicyValidator) Subscription() controller.Subscription {
@@ -41,6 +43,9 @@ func (r *AuthPolicyValidator) Validate(ctx context.Context, _ []controller.Resou
 defer logger.V(1).Info("finished validating auth policies")
 state.Store(StateAuthPolicyValid, lo.SliceToMap(policies, func(policy machinery.Policy) (string, error) {
+ if !r.isAuthorinoOperatorInstalled {
+ return policy.GetLocator(), kuadrant.NewErrDependencyNotInstalled("Authorino Operator")
+ }
 var err error
 if len(policy.GetTargetRefs()) > 0 && len(topology.Targetables().Children(policy)) == 0 {
 ref := policy.GetTargetRefs()[0]
diff --git a/controllers/data_plane_policies_workflow.go b/controllers/data_plane_policies_workflow.go
index dd854825e..bacd138b4 100644
--- a/controllers/data_plane_policies_workflow.go
+++ b/controllers/data_plane_policies_workflow.go
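Review bot: The `!r.isAuthorinoOperatorInstalled` guard is evaluated inside the closure handed to `lo.SliceToMap`, so a flag that is fixed for the lifetime of the validator is re-tested once per policy, and when it is false the target-ref check below it never runs — a policy whose target is also missing reports only the dependency error until the operator appears. Hoisting the guard above `state.Store` (store the dependency error for every policy locator, then return) keeps the closure to per-policy logic and makes that precedence explicit; if the precedence is intentional, a one-line comment such as `// a missing Authorino Operator overrides any per-policy finding` would say so. The new struct field should also carry a comment, because as far as this patch shows it is assigned once from a RESTMapper lookup in `BootOptionsBuilder` and never re-evaluated: `// sampled once at boot by BootOptionsBuilder; not re-evaluated if the CRD is installed later`. `Validate` begins before this hunk and continues past it.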
@@ -54,10 +54,10 @@ var (
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/finalizers,verbs=update
-func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled, isLimitadorOperatorInstalled bool) *controller.Workflow {
+func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled, isLimitadorOperatorInstalled, isAuthorinoOperatorInstalled bool) *controller.Workflow {
 dataPlanePoliciesValidation := &controller.Workflow{
 Tasks: []controller.ReconcileFunc{
- (&AuthPolicyValidator{}).Subscription().Reconcile,
+ (&AuthPolicyValidator{isAuthorinoOperatorInstalled: isAuthorinoOperatorInstalled}).Subscription().Reconcile,
 (&RateLimitPolicyValidator{isLimitadorOperatorInstalled: isLimitadorOperatorInstalled}).Subscription().Reconcile,
 },
 }
diff --git a/controllers/state_of_the_world.go b/controllers/state_of_the_world.go
index 579caa8e5..3fd231e0a 100644
--- a/controllers/state_of_the_world.go
+++ b/controllers/state_of_the_world.go
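Review bot: `NewDataPlanePoliciesWorkflow` now takes four consecutive `bool` parameters, and the call site at the end of this patch passes them positionally, so transposing `isLimitadorOperatorInstalled` and `isAuthorinoOperatorInstalled` compiles cleanly and would flag the wrong policy kind as missing its dependency. A small options struct makes the call self-documenting and stops each new dependency from lengthening the positional list, e.g. `type DataPlaneDependencies struct{ Istio, EnvoyGateway, LimitadorOperator, AuthorinoOperator bool }` with the call site naming its fields. The function body continues past the hunk.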
@@ -112,23 +112,6 @@ func NewPolicyMachineryController(manager ctrlruntime.Manager, client *dynamic.D
 controller.WithPredicates(&ctrlruntimepredicate.TypedGenerationChangedPredicate[*corev1.ConfigMap]{}),
 controller.FilterResourcesByLabel[*corev1.ConfigMap](fmt.Sprintf("%s=true", kuadrant.TopologyLabel)),
 )),
-// TODO: Move as boot options for Limitador and Authorino as there can be a possibility that the operators are not installed
- controller.WithRunnable("limitador watcher", controller.Watch(
- &limitadorv1alpha1.Limitador{},
- kuadrantv1beta1.LimitadorsResource,
- metav1.NamespaceAll,
- )),
- controller.WithRunnable("authorino watcher", controller.Watch(
- &authorinooperatorv1beta1.Authorino{},
- kuadrantv1beta1.AuthorinosResource,
- metav1.NamespaceAll,
- )),
- controller.WithRunnable("authconfig watcher", controller.Watch(
- &authorinov1beta3.AuthConfig{},
- authorino.AuthConfigsResource,
- metav1.NamespaceAll,
- controller.FilterResourcesByLabel[*authorinov1beta3.AuthConfig](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
- )),
 controller.WithPolicyKinds(
 kuadrantv1.DNSPolicyGroupKind,
 kuadrantv1.TLSPolicyGroupKind,
@@ -138,15 +121,9 @@ func NewPolicyMachineryController(manager ctrlruntime.Manager, client *dynamic.D
 controller.WithObjectKinds(
 kuadrantv1beta1.KuadrantGroupKind,
 ConfigMapGroupKind,
- kuadrantv1beta1.LimitadorGroupKind,
- kuadrantv1beta1.AuthorinoGroupKind,
- authorino.AuthConfigGroupKind,
 ),
 controller.WithObjectLinks(
 kuadrantv1beta1.LinkKuadrantToGatewayClasses,
- kuadrantv1beta1.LinkKuadrantToLimitador,
- kuadrantv1beta1.LinkKuadrantToAuthorino,
- authorino.LinkHTTPRouteRuleToAuthConfig,
 ),
 }
@@ -174,12 +151,14 @@ type BootOptionsBuilder struct {
 client *dynamic.DynamicClient
 // Internal configurations
- isGatewayAPIInstalled bool
- isEnvoyGatewayInstalled bool
- isIstioInstalled bool
- isCertManagerInstalled bool
- isConsolePluginInstalled bool
- isDNSOperatorInstalled bool
+ isGatewayAPIInstalled bool
+ isEnvoyGatewayInstalled bool
+ isIstioInstalled bool
+ isCertManagerInstalled bool
+ isConsolePluginInstalled bool
+ isDNSOperatorInstalled bool
+ isLimitadorOperatorInstalled bool
+ isAuthorinoOperatorInstalled bool
 }
 func (b *BootOptionsBuilder) getOptions() []controller.ControllerOption {
@@ -190,6 +169,8 @@ func (b *BootOptionsBuilder) getOptions() []controller.ControllerOption {
 opts = append(opts, b.getCertManagerOptions()...)
 opts = append(opts, b.getConsolePluginOptions()...)
 opts = append(opts, b.getDNSOperatorOptions()...)
+ opts = append(opts, b.getLimitadorOperatorOptions()...)
+ opts = append(opts, b.getAuthorinoOperatorOptions()...)
 return opts
 }
@@ -252,7 +233,6 @@ func (b *BootOptionsBuilder) getEnvoyGatewayOptions() []controller.ControllerOpt
 envoygateway.LinkGatewayToEnvoyExtensionPolicy,
 ),
 )
- // TODO: add specific tasks to workflow
 }
 return opts
@@ -287,7 +267,6 @@ func (b *BootOptionsBuilder) getIstioOptions() []controller.ControllerOption {
 istio.LinkGatewayToWasmPlugin,
 ),
 )
- // TODO: add istio specific tasks to workflow
 }
 return opts
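Review bot: The two new flags, like the existing ones under `// Internal configurations`, are assigned only as a side effect of `getOptions()` — `getLimitadorOperatorOptions` and `getAuthorinoOperatorOptions` write `b.isLimitadorOperatorInstalled` and `b.isAuthorinoOperatorInstalled` — while `Reconciler()` reads them to build the workflow, and nothing on the struct records that ordering; a caller that built the reconciler first (not visible here) would silently have every dependency reported as missing. Replace the comment with `// Internal configurations: populated by getOptions() from a one-off RESTMapper lookup at boot; Reconciler() reads them, so getOptions() must run first, and CRDs installed afterwards are not observed`. Alternatively, resolve the flags in a dedicated step invoked from both paths so the order no longer matters.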
@@ -327,7 +306,7 @@ func (b *BootOptionsBuilder) getConsolePluginOptions() []controller.ControllerOp
 func (b *BootOptionsBuilder) getDNSOperatorOptions() []controller.ControllerOption {
 var opts []controller.ControllerOption
 var err error
- b.isDNSOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), kuadrantdnsv1alpha1.GroupVersion.Group, "DNSRecord", kuadrantdnsv1alpha1.GroupVersion.Version)
+ b.isDNSOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), DNSRecordGroupKind.Group, DNSRecordGroupKind.Kind, kuadrantdnsv1alpha1.GroupVersion.Version)
 if err != nil || !b.isDNSOperatorInstalled {
 b.logger.Info("dns operator is not installed, skipping related watches and reconcilers", "err", err)
 } else {
@@ -348,6 +327,71 @@ func (b *BootOptionsBuilder) getDNSOperatorOptions() []controller.ControllerOpti
 return opts
 }
+func (b *BootOptionsBuilder) getLimitadorOperatorOptions() []controller.ControllerOption {
+ var opts []controller.ControllerOption
+ var err error
+ b.isLimitadorOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), kuadrantv1beta1.LimitadorGroupKind.Group, kuadrantv1beta1.LimitadorGroupKind.Kind, limitadorv1alpha1.GroupVersion.Version)
+ if err != nil || !b.isLimitadorOperatorInstalled {
+ b.logger.Info("limitador operator is not installed, skipping related watches and reconcilers", "err", err)
+ } else {
+ opts = append(opts,
+ controller.WithRunnable("limitador watcher", controller.Watch(
+ &limitadorv1alpha1.Limitador{},
+ kuadrantv1beta1.LimitadorsResource,
+ metav1.NamespaceAll,
+ )),
+ controller.WithObjectKinds(
+ kuadrantv1beta1.LimitadorGroupKind,
+ ),
+ controller.WithObjectLinks(
+ kuadrantv1beta1.LinkKuadrantToLimitador,
+ ),
+ )
+ }
+
+ return opts
+}
+
+func (b *BootOptionsBuilder) getAuthorinoOperatorOptions() []controller.ControllerOption {
+ var opts []controller.ControllerOption
+ var err error
+ b.isAuthorinoOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), kuadrantv1beta1.AuthorinoGroupKind.Group, kuadrantv1beta1.AuthorinoGroupKind.Kind, authorinooperatorv1beta1.GroupVersion.Version)
+ if err != nil || !b.isAuthorinoOperatorInstalled {
+ b.logger.Info("authorino operator is not installed, skipping related watches and reconcilers", "err", err)
+ return opts
+ }
+
+ b.isAuthorinoOperatorInstalled, err = utils.IsCRDInstalled(b.manager.GetRESTMapper(), authorino.AuthConfigGroupKind.Group, authorino.AuthConfigGroupKind.Kind, authorinov1beta3.GroupVersion.Version)
+ if err != nil || !b.isAuthorinoOperatorInstalled {
+ b.logger.Info("authorino operator is not installed, skipping related watches and reconcilers", "err", err)
+ return opts
+ }
+
+ opts = append(opts,
+
controller.WithRunnable("authorino watcher", controller.Watch(
+ &authorinooperatorv1beta1.Authorino{},
+ kuadrantv1beta1.AuthorinosResource,
+ metav1.NamespaceAll,
+ )),
+ controller.WithRunnable("authconfig watcher", controller.Watch(
+ &authorinov1beta3.AuthConfig{},
+ authorino.AuthConfigsResource,
+ metav1.NamespaceAll,
+ controller.FilterResourcesByLabel[*authorinov1beta3.AuthConfig](fmt.Sprintf("%s=true", kuadrantManagedLabelKey)),
+ )),
+ controller.WithObjectKinds(
+ kuadrantv1beta1.AuthorinoGroupKind,
+ authorino.AuthConfigGroupKind,
+ ),
+ controller.WithObjectLinks(
+ kuadrantv1beta1.LinkKuadrantToAuthorino,
+ authorino.LinkHTTPRouteRuleToAuthConfig,
+ ),
+ )
+
+ return opts
+}
+
 func (b *BootOptionsBuilder) Reconciler() controller.ReconcileFunc {
 mainWorkflow := &controller.Workflow{
 Precondition: initWorkflow(b.client).Run,
@@ -356,7 +400,7 @@ func (b *BootOptionsBuilder) Reconciler() controller.ReconcileFunc {
 NewLimitadorReconciler(b.client).Subscription().Reconcile,
 NewDNSWorkflow(b.client, b.manager.GetScheme(), b.isDNSOperatorInstalled).Run,
 NewTLSWorkflow(b.client, b.manager.GetScheme(), b.isCertManagerInstalled).Run,
- NewDataPlanePoliciesWorkflow(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Run,
+ NewDataPlanePoliciesWorkflow(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled, b.isLimitadorOperatorInstalled, b.isAuthorinoOperatorInstalled).Run,
 NewKuadrantStatusUpdater(b.client, b.isIstioInstalled, b.isEnvoyGatewayInstalled).Subscription().Reconcile,
 },
 Postcondition: finalStepsWorkflow(b.client, b.isIstioInstalled, b.isGatewayAPIInstalled).Run,
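Review bot: In `getAuthorinoOperatorOptions` the second `IsCRDInstalled` call probes the `AuthConfig` CRD (`authorino.AuthConfigGroupKind`, a different component from the operator's own `Authorino` CRD), yet on failure it logs the identical "authorino operator is not installed" message as the first probe, so an installed operator with a missing or version-mismatched `AuthConfig` CRD is misreported; use `b.logger.Info("authorino authconfig crd is not installed, skipping related watches and reconcilers", "err", err)` for that branch. In both new helpers a non-nil `err` from the RESTMapper is folded into "not installed" at Info level, so a transient discovery failure at startup silently drops the Limitador/Authorino watchers and, through `AuthPolicyValidator` (and presumably `RateLimitPolicyValidator`), flags every policy as missing its dependency until the next restart; a distinct `b.logger.Error(err, "failed to check whether the authorino crds are installed")` branch, or refusing to boot, makes that state visible to whoever runs the cluster. The two helpers also differ in shape for no reason — `if/else` in the Limitador one, early returns in the Authorino one — and both deserve a doc comment stating that the result is a boot-time snapshot, e.g. `// getAuthorinoOperatorOptions registers the Authorino and AuthConfig watchers only if both CRDs are discoverable at boot; the result is not re-evaluated later.`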