diff --git a/api/v1/types.go b/api/v1/types.go index 4499fcf41..e88f4a261 100644 --- a/api/v1/types.go +++ b/api/v1/types.go @@ -451,6 +451,10 @@ type ContainerTemplate struct { // PrivateKey is a private key used for a certificate/private-key pair // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Private key for certificate/private-key pair" PrivateKey string `json:"privateKey,omitempty" yaml:"privateKey,omitempty"` + + // CertificateAuthority is a certificate authority used to validate a certificate + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Certificate authority for validating a certificate" + CertificateAuthority string `json:"certificateAuthority,omitempty" yaml:"certificateAuthority,omitempty"` } // SnapshotClass struct diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index cf3dbcd46..b64fc8865 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
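Review bot: The new CertificateAuthority field comment does not say what form the value takes, yet the module code added in this commit runs it through `base64.StdEncoding.DecodeString` before writing it into the `vault-certificate-authority` Secret, so a user who pastes PEM text verbatim only learns of the mistake from a decode error at reconcile time. Suggest `// CertificateAuthority is a base64-encoded certificate authority used to validate a certificate`, and the same wording on the sibling Certificate and PrivateKey fields, which the getCerts change in this commit appears to consume as pre-encoded values as well (the removed code used to encode file contents for them). The ContainerTemplate struct continues outside the hunk.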
@@ -471,6 +471,87 @@ rules: - get - list - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles + - csmtenants + - storages + verbs: + - get + - list +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles/status + verbs: + - get + - patch + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants/status + verbs: + - get + - patch + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages/status + verbs: + - get + - patch + - update - apiGroups: - discovery.k8s.io resources: @@ -1053,6 +1134,8 @@ rules: verbs: - create - delete + - get - list + - patch - update - watch diff --git a/controllers/csm_controller.go b/controllers/csm_controller.go index dc90d58ef..2bdba4764 100644 --- a/controllers/csm_controller.go +++ b/controllers/csm_controller.go 
@@ -135,7 +135,7 @@ var ( // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshotcontents/status,verbs=get;list;watch;patch;update // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshots,verbs=get;list;watch;update;patch;create;delete // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshots/status,verbs=get;list;watch;update;patch -// +kubebuilder:rbac:groups="volumegroup.storage.dell.com",resources=dellcsivolumegroupsnapshots;dellcsivolumegroupsnapshots/status,verbs=create;list;watch;delete;update +// +kubebuilder:rbac:groups="volumegroup.storage.dell.com",resources=dellcsivolumegroupsnapshots;dellcsivolumegroupsnapshots/status,verbs=create;list;watch;delete;update;get;patch // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=* // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions/status,verbs=get;list;patch;watch // +kubebuilder:rbac:groups="storage.k8s.io",resources=volumeattachments/status,verbs=patch 
@@ -218,6 +218,16 @@ var ( // +kubebuilder:rbac:groups="",resources=configmaps,resourceNames=cert-manager-cainjector-leader-election;cert-manager-cainjector-leader-election-core;cert-manager-controller,verbs=get;update;patch // +kubebuilder:rbac:groups="batch",resources=jobs,verbs=list;watch;create;update;delete // +kubebuilder:rbac:groups="storage.k8s.io",resources=csistoragecapacities,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages;csmtenants;csmroles,verbs=get;list +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmroles,verbs=watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmroles/finalizers,verbs=update +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmroles/status,verbs=get;update;patch +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmtenants,verbs=watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmtenants/finalizers,verbs=update +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmtenants/status,verbs=get;update;patch +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages,verbs=watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages/finalizers,verbs=update +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages/status,verbs=get;update;patch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/deploy/crds/storage.dell.com.crds.all.yaml b/deploy/crds/storage.dell.com.crds.all.yaml index 562b4a42f..79c61c3cd 100644 --- a/deploy/crds/storage.dell.com.crds.all.yaml +++ b/deploy/crds/storage.dell.com.crds.all.yaml 
@@ -76,6 +76,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -402,6 +405,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -717,6 +723,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -1122,6 +1131,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -1437,6 +1449,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -1771,6 +1786,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -2084,6 +2102,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -2402,6 +2423,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -2741,6 +2765,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string @@ -3065,6 +3092,9 @@ spec: certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string diff --git a/deploy/operator.yaml b/deploy/operator.yaml index a0bfa2913..8e47bb17e 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml 
@@ -47,7 +47,6 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: dell-csm-operator-manager-role rules: - nonResourceURLs: @@ -517,6 +516,87 @@ rules: - get - list - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles + - csmtenants + - storages + verbs: + - get + - list +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles/status + verbs: + - get + - patch + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants/status + verbs: + - get + - patch + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages/status + verbs: + - get + - patch + - update - apiGroups: - discovery.k8s.io resources: @@ -1099,11 +1179,11 @@ rules: verbs: - create - delete + - get - list + - patch - update - watch - - get - - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1249,8 +1329,6 @@ spec: metadata: labels: control-plane: controller-manager - annotations: - storage.dell.com/CSMVersion: v1.10.0 spec: containers: - args: 
diff --git a/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml index d48c19d18..1ac00049c 100644 --- a/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml @@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: diff --git a/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml index 4ff948e4c..741534e31 100644 --- a/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml 
@@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: diff --git a/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml index 5d4179ce0..be6d2f4a4 100644 --- a/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml 
@@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - app: storage-service - csm: - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml index 3e316b90c..dbd81d9c6 100644 --- a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml 
@@ -317,70 +317,6 @@ subjects: name: storage-service namespace: --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - env: - - name: NAMESPACE - value: - - name: SENTINELS - value: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - args: - - "--redis-sentinel=$(SENTINELS)" - - "--redis-password=$(REDIS_PASSWORD)" - - "--vault-address=" - - "--vault-kv-engine-path=" - - "--vault-skip-certificate-validation=" - - "--vault-role=" - - "--leader-election=" - ports: - - containerPort: 50051 - name: grpc - volumeMounts: - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - - name: vault-client-certificate - mountPath: /etc/vault - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params - - name: vault-client-certificate - projected: - sources: - - secret: - name: storage-service-selfsigned-tls ---- apiVersion: v1 kind: Service metadata: @@ -473,6 +409,9 @@ rules: - apiGroups: ["csm-authorization.storage.dell.com"] resources: ["storages/finalizers"] verbs: ["update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "update", "get", "delete", "list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
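Review bot: The new leases rule grants `delete` and `list` with no `resourceNames` restriction, while a client-go lease-based leader election normally needs only get, create and update on its own lease; unless storage-service's election code is known to need more, tighten to `verbs: ["get", "create", "update"]` and, if the lease name is fixed, add a `resourceNames` entry. Separately, this Role is created by the operator, and RBAC escalation prevention will reject the apply unless the operator's own role already carries these coordination.k8s.io verbs — the kubebuilder markers added to csm_controller.go in this commit do not include leases, so confirm the existing markers cover them.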
@@ -754,27 +693,41 @@ spec: nodes=$( echo "$nodes*$node" ) done loop=$(echo $nodes | sed -e "s/"*"/\n/g") - - for i in $loop - do - echo "Finding master at $i" - ROLE=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep role | cut -d ":" -f2) - if [ "$ROLE" = "master" ]; then - MASTER=$i.authorization.svc.cluster.local - echo "Master found at $MASTER..." - break - else - MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) - if [ "$MASTER" = "" ]; then - echo "Master not found..." - echo "Sleeping 5 seconds for pods to come up..." - sleep 5 - MASTER= - else + + foundMaster=$false + + while [ $foundMaster == $false ] + do + for i in $loop + do + echo "Finding master at $i" + ROLE=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep role | cut -d ":" -f2) + if [ "$ROLE" = "master" ]; then + MASTER=$i.authorization.svc.cluster.local echo "Master found at $MASTER..." + foundMaster=$true break + else + MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) + if [ "$MASTER" = "" ]; then + echo "Master not found..." + echo "Sleeping 5 seconds for redis pods to come up..." + sleep 5 + MASTER= + else + echo "Master found at $MASTER..." + foundMaster=$true + break + fi fi - fi + done + + if [ $foundMaster == $true ]; then + break + else + echo "Master not found, sleep for 30s before attempting again" + sleep 30 + fi done echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml index 145023a40..ff1ac70a9 100644 --- a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml 
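Review bot: `foundMaster=$false` and `foundMaster=$true` expand unset variables, so foundMaster is always the empty string and both `[ $foundMaster == $false ]` and `[ $foundMaster == $true ]` collapse to the one-argument test `[ == ]`, which is true; the loop only terminates because the always-true check happens to follow the inner break. Use literal strings and quote the expansion: `foundMaster=false`, `while [ "$foundMaster" = false ]` and `if [ "$foundMaster" = true ]; then`, with `foundMaster=true` at the two success points. `==` is also not POSIX for `[`, so `=` keeps the script portable across shells in the image. The outer while has no attempt limit, so a permanently absent master keeps the container retrying every 30s; if that is intended, a one-line comment saying so would help.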
+++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml 
@@ -271,4 +271,95 @@ metadata: namespace: data: - redis.conf: | \ No newline at end of file + redis.conf: | +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: snapshot-create + namespace: +data: + snapshot-create.rego: | + package karavi.snapshot.create + + import data.karavi.common + + default allow := false + + allow { + count(permitted_roles) == count(input.request) + count(deny) == 0 + } + + # Deny if there are no roles found. + deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) + } + + # Deny if claimed roles has no match for the request. + deny[msg] { + count(permitted_roles) != count(input.request) + + unpermitted_requests := [req | + element := input.request[_] + + not permitted_roles[element.name] + + req := element + ] + + msg := sprintf( + "no roles in [%s] allow the %s Kb request on %s/%s/%s for %s", + [ + input.claims.roles, + unpermitted_requests[_].volumeSizeInKb, + input.systemtype, + input.storagesystemid, + unpermitted_requests[_].storagepool, + unpermitted_requests[_].name, + ], + ) + } + + # No OR in OPA, multiple rules are needed. + size_is_valid(a, b) { + to_number(a) >= to_number(b) + } + + # No OR in OPA, multiple rules are needed. + size_is_valid(a, _) { + to_number(a) == 0 + } + + # Create a list of permitted roles. + permitted_roles[snapshot] := roles { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # Iterate through the requests. + req := input.request[_] + + roles := [role | + sp := req.storagepool + size := req.volumeSizeInKb + + # Iterate through the roles in the request. + c_role := claimed_roles[_] + common.roles[c_role] + + system_ids := common.roles[c_role].system_types[input.systemtype].system_ids[input.storagesystemid] + pool_quota := system_ids.pool_quotas[sp] + + # Validate that the pool quota is valid. 
+ size_is_valid(pool_quota, size) + + role := {"size": to_number(pool_quota), "storagepool": sp, "role": c_role} + ] + + # Ensure that the role list is not empty. + count(roles) != 0 + + # Set the snapshot name which creates an entry in the list. + snapshot := req.name + } diff --git a/pkg/modules/authorization.go b/pkg/modules/authorization.go index e8b6c7219..46df6c1a1 100644 --- a/pkg/modules/authorization.go +++ b/pkg/modules/authorization.go @@ -31,6 +31,7 @@ import ( "github.com/dell/csm-operator/pkg/logger" utils "github.com/dell/csm-operator/pkg/utils" "golang.org/x/mod/semver" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" 
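Review bot: In the second `deny[msg]` rule of snapshot-create.rego, `unpermitted_requests[_]` appears three times inside the sprintf array, and each `_` is a distinct wildcard in Rego, so with more than one unpermitted request the message can pair the volumeSizeInKb of one request with the storagepool and name of another, and one message is produced per combination. Bind the element once with `ur := unpermitted_requests[_]` and use `ur.volumeSizeInKb`, `ur.storagepool` and `ur.name` in the array. `sprintf("no configured roles", [])` can be the plain string literal. Since the policy ships as a ConfigMap value, an `opa test` case with two unpermitted requests would catch the cross product.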
@@ -632,6 +633,462 @@ func AuthorizationServerDeployment(ctx context.Context, isDeleting bool, op util return err } + err = applyDeleteAuthorizationStorageService(ctx, isDeleting, cr, ctrlClient) + if err != nil { + return err + } + + return nil +} + +// AuthorizationStorageService - apply/delete storage service deployment and volume objects +func applyDeleteAuthorizationStorageService(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + switch semver.Major(authModule.ConfigVersion) { + case "v2": + return authorizationStorageServiceV2(ctx, isDeleting, cr, ctrlClient) + case "v1": + return authorizationStorageServiceV1(ctx, isDeleting, cr, ctrlClient) + default: + return fmt.Errorf("authorization major version %s not supported", semver.Major(authModule.ConfigVersion)) + } +} + +func authorizationStorageServiceV1(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + // get component variables + image := "" + for _, component := range authModule.Components { + switch component.Name { + case AuthProxyServerComponent: + image = component.StorageService + } + } + + deployment := getStorageServiceScaffold(cr.Name, cr.Namespace, image, 1) + + // set karavi-storage-secret volume + deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{ + Name: "storage-volume", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "karavi-storage-secret", + }, + }, + }) + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].VolumeMounts = append(deployment.Spec.Template.Spec.Containers[i].VolumeMounts, corev1.VolumeMount{ + Name: "storage-volume", 
+ MountPath: "/etc/karavi-authorization/storage", + }) + break + } + } + + deploymentBytes, err := json.Marshal(&deployment) + if err != nil { + return fmt.Errorf("marshalling storage-service deployment: %w", err) + } + + deploymentYaml, err := yaml.JSONToYAML(deploymentBytes) + if err != nil { + return fmt.Errorf("converting storage-service json to yaml: %w", err) + } + + return applyDeleteObjects(ctx, ctrlClient, string(deploymentYaml), isDeleting) +} + +func authorizationStorageServiceV2(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + err = applyDeleteVaultCertificates(ctx, isDeleting, cr, ctrlClient) + if err != nil { + return fmt.Errorf("applying/deleting vault certificates: %w", err) + } + + replicas := 0 + sentinels := "" + image := "" + vaultAddress := "" + vaultRole := "" + vaultKVEnginePath := "" + vaultSkipCertificateValidation := false + vaultCertificate := "" + vaultPrivateKey := "" + vaultCertificateAuthority := "" + leaderElection := true + for _, component := range authModule.Components { + switch component.Name { + case AuthProxyServerComponent: + replicas = component.StorageServiceReplicas + image = component.StorageService + leaderElection = component.LeaderElection + case AuthRedisComponent: + var sentinelValues []string + for i := 0; i < component.RedisReplicas; i++ { + sentinelValues = append(sentinelValues, fmt.Sprintf("sentinel-%d.sentinel.%s.svc.cluster.local:5000", i, cr.Namespace)) + } + sentinels = strings.Join(sentinelValues, ", ") + case AuthVaultComponent: + vaultAddress = component.VaultAddress + vaultRole = component.VaultRole + vaultKVEnginePath = component.KvEnginePath + vaultSkipCertificateValidation = component.SkipCertificateValidation + vaultCertificate = component.Certificate + vaultPrivateKey = component.PrivateKey + vaultCertificateAuthority = component.CertificateAuthority + 
default: + continue + } + } + + deployment := getStorageServiceScaffold(cr.Name, cr.Namespace, image, int32(replicas)) + + // set vault volumes + volume := corev1.Volume{ + Name: "vault-client-certificate", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{{}}, + }, + }, + } + + if vaultCertificateAuthority != "" { + volume.VolumeSource.Projected.Sources = append(volume.VolumeSource.Projected.Sources, corev1.VolumeProjection{ + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "vault-certificate-authority", + }, + }, + }) + } + + if vaultCertificate != "" && vaultPrivateKey != "" { + volume.VolumeSource.Projected.Sources = append(volume.VolumeSource.Projected.Sources, corev1.VolumeProjection{ + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "vault-client-certificate", + }, + }, + }) + } else { + volume.VolumeSource.Projected.Sources = append(volume.VolumeSource.Projected.Sources, corev1.VolumeProjection{ + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "storage-service-selfsigned-tls", + }, + }, + }) + } + deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volume) + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].VolumeMounts = append(deployment.Spec.Template.Spec.Containers[i].VolumeMounts, corev1.VolumeMount{ + Name: "vault-client-certificate", + MountPath: "/etc/vault", + }) + break + } + } + + // set redis envs + redis := []corev1.EnvVar{ + { + Name: "SENTINELS", + Value: sentinels, + }, + { + Name: "REDIS_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "redis-csm-secret", + }, + Key: "password", + }, + }, + }, + } + for i, c := 
range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].Env = append(deployment.Spec.Template.Spec.Containers[i].Env, redis...) + break + } + } + + // set arguments + args := []string{ + "--redis-sentinel=$(SENTINELS)", + "--redis-password=$(REDIS_PASSWORD)", + fmt.Sprintf("--vault-address=%s", vaultAddress), + fmt.Sprintf("--vault-role=%s", vaultRole), + fmt.Sprintf("--vault-kv-engine-path=%s", vaultKVEnginePath), + fmt.Sprintf("--vault-skip-certificate-validation=%t", vaultSkipCertificateValidation), + fmt.Sprintf("--leader-election=%t", leaderElection), + } + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].Args = append(deployment.Spec.Template.Spec.Containers[i].Args, args...) + break + } + } + + deploymentBytes, err := json.Marshal(&deployment) + if err != nil { + return fmt.Errorf("marshalling storage-service deployment: %w", err) + } + + deploymentYaml, err := yaml.JSONToYAML(deploymentBytes) + if err != nil { + return fmt.Errorf("converting storage-service json to yaml: %w", err) + } + + err = applyDeleteObjects(ctx, ctrlClient, string(deploymentYaml), isDeleting) + if err != nil { + return fmt.Errorf("applying storage-service deployment: %w", err) + } + return nil +} + +// getStorageServiceScaffold returns the storage-service deployment with the common elements between v1 and v2 +// callers must ensure that other elements specific for the version get set in the returned deployment +func getStorageServiceScaffold(name string, namespace string, image string, replicas int32) appsv1.Deployment { + return appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + Kind: "Deployment", + APIVersion: "apps/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "storage-service", + Namespace: namespace, + Labels: map[string]string{ + "app": "storage-service", + }, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: 
&replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "storage-service", + }, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "csm": name, + "app": "storage-service", + }, + }, + Spec: corev1.PodSpec{ + ServiceAccountName: "storage-service", + Containers: []corev1.Container{ + { + Name: "storage-service", + Image: image, + ImagePullPolicy: "Always", + Ports: []corev1.ContainerPort{ + { + ContainerPort: 50051, + Name: "grpc", + }, + }, + Env: []corev1.EnvVar{ + { + Name: "NAMESPACE", + Value: namespace, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "config-volume", + MountPath: "/etc/karavi-authorization/config", + }, + { + Name: "csm-config-params", + MountPath: "/etc/karavi-authorization/csm-config-params", + }, + }, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "config-volume", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "karavi-config-secret", + }, + }, + }, + { + Name: "csm-config-params", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "csm-config-params", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func applyDeleteVaultCertificates(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + // get vault certificate data from CR + vaultCertificate := "" + vaultPrivateKey := "" + vaultCertificateAuthority := "" + for _, component := range authModule.Components { + switch component.Name { + case AuthVaultComponent: + vaultCertificate = component.Certificate + vaultPrivateKey = component.PrivateKey + vaultCertificateAuthority = component.CertificateAuthority + default: + continue + } + } + + // apply/delete vault-certificate-authority secret if it was provided + if 
vaultCertificateAuthority != "" { + vaultCABytes, err := base64.StdEncoding.DecodeString(vaultCertificateAuthority) + if err != nil { + return fmt.Errorf("decoding vault certificate authority: %w", err) + } + + secret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "vault-certificate-authority", + Namespace: cr.Namespace, + }, + Type: corev1.SecretTypeOpaque, + Data: map[string][]byte{ + "ca.crt": vaultCABytes, + }, + } + + secretBytes, err := json.Marshal(&secret) + if err != nil { + return fmt.Errorf("marshalling vault certificate authority secret: %w", err) + } + + yamlString, err := yaml.JSONToYAML(secretBytes) + if err != nil { + return fmt.Errorf("converting vault certificate authority json to yaml: %w", err) + } + + err = applyDeleteObjects(ctx, ctrlClient, string(yamlString), isDeleting) + if err != nil { + return fmt.Errorf("applying vault certificate authority secret: %w", err) + } + } + + // apply/delete vault-client-certificate secret if it was provided + if vaultCertificate != "" && vaultPrivateKey != "" { + vaultCertBytes, err := base64.StdEncoding.DecodeString(vaultCertificate) + if err != nil { + return fmt.Errorf("decoding vault certificate: %w", err) + } + + vaultKeyBytes, err := base64.StdEncoding.DecodeString(vaultPrivateKey) + if err != nil { + return fmt.Errorf("decoding vault private key: %w", err) + } + + secret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "vault-client-certificate", + Namespace: cr.Namespace, + }, + Type: corev1.SecretTypeTLS, + Data: map[string][]byte{ + "tls.crt": vaultCertBytes, + "tls.key": vaultKeyBytes, + }, + } + + secretBytes, err := json.Marshal(&secret) + if err != nil { + return fmt.Errorf("marshalling vault certificate secret: %w", err) + } + + yamlString, err := yaml.JSONToYAML(secretBytes) + if err != nil { + return fmt.Errorf("converting vault 
certificate json to yaml: %w", err) + } + + err = applyDeleteObjects(ctx, ctrlClient, string(yamlString), isDeleting) + if err != nil { + return fmt.Errorf("applying vault certificate secret: %w", err) + } + return nil + } + + // apply/delete storage-service-selfsigned issuer and certificate + issuer := createSelfSignedIssuer(cr, "storage-service-selfsigned") + + issuerByes, err := json.Marshal(issuer) + if err != nil { + return fmt.Errorf("marshaling storage-service-selfsigned issuer: %v", err) + } + + issuerYaml, err := yaml.JSONToYAML(issuerByes) + if err != nil { + return fmt.Errorf("converting storage-service-selfsigned issuer json to yaml: %v", err) + } + + // create/delete issuer + err = applyDeleteObjects(ctx, ctrlClient, string(issuerYaml), isDeleting) + if err != nil { + return err + } + + certificate := createSelfSignedCertificate(cr, []string{fmt.Sprintf("storage-service.%s.svc.cluster.local", cr.Namespace)}, "storage-service-selfsigned", "storage-service-selfsigned-tls", "storage-service-selfsigned") + + certBytes, err := json.Marshal(certificate) + if err != nil { + return fmt.Errorf("marshaling storage-service-selfsigned certificate: %v", err) + } + + certYaml, err := yaml.JSONToYAML(certBytes) + if err != nil { + return fmt.Errorf("converting storage-service-selfsigned certificate json to yaml: %v", err) + } + + // create/delete certificate + err = applyDeleteObjects(ctx, ctrlClient, string(certYaml), isDeleting) + if err != nil { + return err + } return nil } 
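Review bot: In authorizationStorageServiceV2 the projected volume is seeded with `Sources: []corev1.VolumeProjection{{}}`, an entry with no secret, configMap or other source set, which is then kept ahead of the real secret projections; start from `Sources: []corev1.VolumeProjection{}` so the Deployment does not carry a sourceless projection that API validation may reject or the kubelet has to skip. `leaderElection := true` is overwritten unconditionally by `component.LeaderElection` whenever the proxy-server component is present, so a CR that omits the field yields `--leader-election=false`; if true is the intended default, the field needs to be a pointer or defaulted in the CRD. The doc comment on applyDeleteAuthorizationStorageService opens with `AuthorizationStorageService` rather than the function name, the three identical "find the storage-service container" loops in the v2 function could be one small helper, and the error text `applying storage-service deployment` is also returned when isDeleting is true.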
@@ -764,30 +1221,18 @@ func getCerts(ctx context.Context, op utils.OperatorConfig, cr csmv1.ContainerSt if authCertificate != "" || authPrivateKey != "" { // use custom tls secret if authCertificate != "" && authPrivateKey != "" { - log.Infof("Provided Certificate %s, Key %s", authCertificate, authPrivateKey) + log.Infof("using user provided certificate and key for authorization") buf, err := readConfigFile(authModule, cr, op, AuthCustomCert) if err != nil { return false, YamlString, err } - certFile, err := os.ReadFile(filepath.Clean(authCertificate)) - if err != nil { - return false, "", fmt.Errorf("reading cert file: %v", err) - } - encodedAuthCert := base64.StdEncoding.EncodeToString(certFile) - - privateKeyFile, err := os.ReadFile(filepath.Clean(authPrivateKey)) - if err != nil { - return false, "", fmt.Errorf("reading private key file: %v", err) - } - encodedAuthPrivateKey := base64.StdEncoding.EncodeToString(privateKeyFile) - YamlString = string(buf) YamlString = strings.ReplaceAll(YamlString, AuthNamespace, authNamespace) - YamlString = strings.ReplaceAll(YamlString, AuthCert, encodedAuthCert) - YamlString = strings.ReplaceAll(YamlString, AuthPrivateKey, encodedAuthPrivateKey) + YamlString = strings.ReplaceAll(YamlString, AuthCert, authCertificate) + YamlString = strings.ReplaceAll(YamlString, AuthPrivateKey, authPrivateKey) } else { - return false, YamlString, fmt.Errorf("authorization install failed -- either cert or privatekey missing for custom cert") + return false, YamlString, fmt.Errorf("authorization install failed -- either certificate or private key missing for custom cert") } } else { // use self-signed cert @@ -806,7 +1251,7 @@ func InstallWithCerts(ctx context.Context, isDeleting bool, op utils.OperatorCon } if useSelfSignedCert { - issuer := createSelfSignedIssuer(cr) + issuer := createSelfSignedIssuer(cr, "selfsigned") issuerByes, err := json.Marshal(issuer) if err != nil { return fmt.Errorf("marshaling ingress: %v", err) 
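Review bot: The custom-cert branch now drops `authCertificate` and `authPrivateKey` straight into the manifest with `strings.ReplaceAll`, with no check that they are valid base64, whereas the vault branch added by this same change decodes its inputs first and returns a clear error; a malformed value here only surfaces when the Secret is applied. Validate before substituting, e.g. `if _, err := base64.StdEncoding.DecodeString(authCertificate); err != nil { return false, YamlString, fmt.Errorf("decoding authorization certificate: %w", err) }` and the same for the private key. The replacement log line is the right call, since these values are now key material rather than file paths and must not be echoed. getCerts begins and ends outside this hunk.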
@@ -823,11 +1268,13 @@ func InstallWithCerts(ctx context.Context, isDeleting bool, op utils.OperatorCon return err } - cert, err := createSelfSignedCertificate(cr) + hosts, err := getHosts(cr) if err != nil { return err } + cert := createSelfSignedCertificate(cr, hosts, "karavi-auth", "karavi-selfsigned-tls", "selfsigned") + certBytes, err := json.Marshal(cert) if err != nil { return fmt.Errorf("marshaling ingress: %v", err) @@ -876,6 +1323,16 @@ func getAuthCrdDeploy(op utils.OperatorConfig, cr csmv1.ContainerStorageModule) // AuthCrdDeploy - apply and delete Auth crds deployment func AuthCrdDeploy(ctx context.Context, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + auth, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + // v1 does not have custom resources, so treat it like a no-op + if semver.Compare(auth.ConfigVersion, "v2.0.0-alpha") < 0 { + return nil + } + yamlString, err := getAuthCrdDeploy(op, cr) if err != nil { return err @@ -889,13 +1346,13 @@ func AuthCrdDeploy(ctx context.Context, op utils.OperatorConfig, cr csmv1.Contai return nil } -func createSelfSignedIssuer(cr csmv1.ContainerStorageModule) *certificate.Issuer { +func createSelfSignedIssuer(cr csmv1.ContainerStorageModule, name string) *certificate.Issuer { issuer := &certificate.Issuer{ TypeMeta: metav1.TypeMeta{ Kind: "Issuer", }, ObjectMeta: metav1.ObjectMeta{ - Name: "selfsigned", + Name: name, Namespace: cr.Namespace, }, Spec: certificate.IssuerSpec{ 
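Review bot: In the AuthCrdDeploy hunk, `semver.Compare(auth.ConfigVersion, "v2.0.0-alpha") < 0` is also true for an empty or malformed ConfigVersion (if this is golang.org/x/mod/semver, invalid strings sort below every valid one), so a bad configVersion silently skips the CRD deployment instead of failing. Guard it first: `if !semver.IsValid(auth.ConfigVersion) { return fmt.Errorf("invalid authorization configVersion %q", auth.ConfigVersion) }`. In the -823 hunk the `getHosts` error is now returned bare where the removed createSelfSignedCertificate wrapped it; `return fmt.Errorf("getting hosts: %w", err)` keeps that context. AuthCrdDeploy continues past the end of its hunk.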
@@ -910,22 +1367,17 @@ func createSelfSignedIssuer(cr csmv1.ContainerStorageModule) *certificate.Issuer return issuer } -func createSelfSignedCertificate(cr csmv1.ContainerStorageModule) (*certificate.Certificate, error) { - hosts, err := getHosts(cr) - if err != nil { - return nil, fmt.Errorf("getting hosts: %v", err) - } - +func createSelfSignedCertificate(cr csmv1.ContainerStorageModule, hosts []string, name string, secretName string, issuerName string) *certificate.Certificate { certificate := &certificate.Certificate{ TypeMeta: metav1.TypeMeta{ Kind: "Certificate", }, ObjectMeta: metav1.ObjectMeta{ - Name: "karavi-auth", + Name: name, Namespace: cr.Namespace, }, Spec: certificate.CertificateSpec{ - SecretName: "karavi-selfsigned-tls", + SecretName: secretName, Duration: &metav1.Duration{ Duration: duration, // 90d }, @@ -947,14 +1399,14 @@ func createSelfSignedCertificate(cr csmv1.ContainerStorageModule) (*certificate. }, DNSNames: hosts, IssuerRef: cmmetav1.ObjectReference{ - Name: "selfsigned", + Name: issuerName, Kind: "Issuer", Group: "cert-manager.io", }, }, } - return certificate, nil + return certificate } func createIngress(cr csmv1.ContainerStorageModule) (*networking.Ingress, error) { diff --git a/pkg/modules/authorization_test.go b/pkg/modules/authorization_test.go index 43d4b27d7..00dd62fc6 100644 --- a/pkg/modules/authorization_test.go +++ b/pkg/modules/authorization_test.go @@ -10,7 +10,7 @@ package modules import ( "context" - "os" + "fmt" "testing" csmv1 "github.com/dell/csm-operator/api/v1" @@ -615,6 +615,7 @@ func TestAuthorizationServerDeployment(t *testing.T) { }, } + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(cm).Build() return true, true, tmpCR, sourceClient, operatorConfig 
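Review bot: `certmanagerv1.AddToScheme(scheme.Scheme)` in the -615 test hunk discards its error and mutates the process-global scheme from inside a table entry; the same call is repeated in the hunks at -626, -650 and (as `apiextv1.AddToScheme`) -1067. Check it in the style the surrounding cases already use for failures, `if err := certmanagerv1.AddToScheme(scheme.Scheme); err != nil { panic(err) }`, or register once at the top of each test function so the registration is not repeated per case. In the -910 hunk, createSelfSignedCertificate now takes three adjacent string parameters (name, secretName, issuerName) that callers pass positionally; a doc comment on the function spelling out each one, or named constants at the call sites, would make a swapped argument visible in review.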
@@ -626,7 +627,31 @@ func TestAuthorizationServerDeployment(t *testing.T) { } tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + return true, false, tmpCR, sourceClient, operatorConfig + }, + "success - creating with vault client certificates": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_vault_cert.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, false, tmpCR, sourceClient, operatorConfig + }, + "success - creating v1": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return true, false, tmpCR, sourceClient, operatorConfig @@ -638,7 +663,7 @@ func TestAuthorizationServerDeployment(t *testing.T) { } tmpCR := customResource - + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return true, false, tmpCR, sourceClient, operatorConfig 
@@ -650,7 +675,43 @@ func TestAuthorizationServerDeployment(t *testing.T) { } tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + return false, false, tmpCR, sourceClient, operatorConfig + }, + "fail - corrupt vault ca": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_bad_vault_ca.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, false, tmpCR, sourceClient, operatorConfig + }, + "fail - corrupt vault client cert": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_bad_vault_cert.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, false, tmpCR, sourceClient, operatorConfig + }, + "fail - corrupt vault client key": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_bad_vault_key.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return false, false, tmpCR, sourceClient, operatorConfig @@ -664,6 +725,7 @@ func TestAuthorizationServerDeployment(t *testing.T) { if success { assert.NoError(t, err) } else { + fmt.Println(err) assert.Error(t, err) } }) 
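Review bot: `fmt.Println(err)` in the failure branch of the -664 hunk reads like a leftover debug print; it writes to stdout outside the test log and `assert.Error` already reports the value. Replace it with `t.Log(err)` or remove it, and if removed, check whether the `fmt` import introduced in this change is still used anywhere in the file.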
@@ -741,6 +803,56 @@ func TestAuthorizationIngress(t *testing.T) { return true, true, tmpCR, sourceClient }, + "success - creating with certs": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_certs.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + namespace := customResource.Namespace + name := namespace + "-ingress-nginx-controller" + + dp := &appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + Kind: "Deployment", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: appsv1.DeploymentSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app.kubernetes.io/name": "ingress-nginx"}, + }, + }, + } + + pod := &corev1.Pod{ + TypeMeta: metav1.TypeMeta{ + Kind: "Pod", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + } + + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(dp, pod).Build() + + return true, true, tmpCR, sourceClient + }, + "success - creating with openshift and other annotations": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_openshift.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, true, tmpCR, sourceClient + }, "success - creating v1.10.0": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") if err != nil { 
@@ -988,9 +1100,6 @@ func TestAuthorizationCertificates(t *testing.T) { return true, true, tmpCR, sourceClient, operatorConfig }, "success - using custom tls secret": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { - os.WriteFile("foo", []byte("foo"), 0o400) - os.WriteFile("bar", []byte("bar"), 0o400) - customResource, err := getCustomResource("./testdata/cr_auth_proxy_certs.yaml") if err != nil { panic(err) @@ -1026,9 +1135,6 @@ func TestAuthorizationCertificates(t *testing.T) { } else { assert.Error(t, err) } - - os.Remove("foo") - os.Remove("bar") }) } } @@ -1067,6 +1173,18 @@ func TestAuthorizationCrdDeploy(t *testing.T) { sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return true, tmpCR, sourceClient, operatorConfig }, + "success - creating v1": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + + apiextv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + return true, tmpCR, sourceClient, operatorConfig + }, "fail - auth deployment file bad yaml": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") if err != nil { diff --git a/pkg/modules/testdata/cr_auth_proxy.yaml b/pkg/modules/testdata/cr_auth_proxy.yaml index 0dc1ebf59..9eb85dc82 100644 --- a/pkg/modules/testdata/cr_auth_proxy.yaml +++ b/pkg/modules/testdata/cr_auth_proxy.yaml 
@@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" @@ -92,6 +92,18 @@ spec: vaultRole: csm-authorization skipCertificateValidation: true kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "" --- apiVersion: v1 diff --git a/pkg/modules/testdata/cr_auth_proxy_bad_vault_ca.yaml b/pkg/modules/testdata/cr_auth_proxy_bad_vault_ca.yaml new file mode 100644 index 000000000..388dd258a --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_bad_vault_ca.yaml 
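Review bot: The comment block copied under the new vault `certificateAuthority` field in the -92 hunk says "for self-signed certs, leave empty string", which describes the proxy-server cert pair, not a CA used to validate the vault server; the same fixture also sets `skipCertificateValidation: true` directly above it, and nothing here says how the two relate. Replace the middle line with something that matches the field, e.g. `# leave empty if no custom CA is needed to validate the vault server certificate`, and add a one-line note on whether a CA is used when skipCertificateValidation is true.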
@@ -0,0 +1,117 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + # For OpenShift Container Platform only + # enabled: Enable/Disable OpenShift Ingress Controller + # Allowed values: + # true: enable use of OpenShift Ingress Controller + # false: disable use of OpenShift Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: false + openshift: false + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "XXXXXaGVsbG8=" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_bad_vault_cert.yaml b/pkg/modules/testdata/cr_auth_proxy_bad_vault_cert.yaml new file mode 100644 index 000000000..35b4c5860 --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_bad_vault_cert.yaml 
@@ -0,0 +1,117 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + # For OpenShift Container Platform only + # enabled: Enable/Disable OpenShift Ingress Controller + # Allowed values: + # true: enable use of OpenShift Ingress Controller + # false: disable use of OpenShift Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: false + openshift: false + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "XXXXXaGVsbG8=" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_bad_vault_key.yaml b/pkg/modules/testdata/cr_auth_proxy_bad_vault_key.yaml new file mode 100644 index 000000000..9d5b23287 --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_bad_vault_key.yaml 
@@ -0,0 +1,117 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + # For OpenShift Container Platform only + # enabled: Enable/Disable OpenShift Ingress Controller + # Allowed values: + # true: enable use of OpenShift Ingress Controller + # false: disable use of OpenShift Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: false + openshift: false + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "XXXXXaGVsbG8=" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_certs.yaml b/pkg/modules/testdata/cr_auth_proxy_certs.yaml index 705fb4fd3..4be9d037b 100644 --- a/pkg/modules/testdata/cr_auth_proxy_certs.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_certs.yaml 
@@ -48,15 +48,15 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string - certificate: "foo" + certificate: "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" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string - privateKey: "bar" + privateKey: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBeUl4ZGdOMDQ3Z2ZONU9Id0hxYTI5RzVnd3Q5M2VidnEwZVdnZE5RWXUvUU91YktoCkNyVmFDekFwc0xoUXJ5YThDODlrUzN1ZkRzSzN6N2hySEV4Z25XOGc3Ri9XTjVpaXYzcU9GcDk2ZVc4VFR5UHIKYVZLSld6bGsvcUloVnZIRlRsU25OY3JiU2VuOUZIcWZkeEZwN3ozVUl3bVVrZk8vTTQ1RHkrcDU2cmdqOW4vSQo2L1ZraTFlcWpQSDdXWU52SUFyTWtKb2UwYUhZVUk3amt3RGdTemRNYzJzN1I5NWxQTFY1MDgxdFNCWTJtNno0ClRrdXZLUHRtUWdaTC9ySi9pR1EwS1U5MmJkRVAvVEg1UnhJMkR2dlNwUEs1UkhzTEhPVDdUZWV5NGJXU1VQemIKU0cwUUFBNG9ScjU1djNVWG5pZjBMcDRENDlOcXB0UitFc2ZMdndJREFRQUJBb0lCQUUva2V5dG05ZEw5a094cApoYnJ3TjFwUXpvTlRlc2tvTDNmR3ZwRk1IVDVqRDZxeW1xMGxhZVdqSGppa2RLQVNFait5TXdaUERTSllOOW1zClloODMzaFZadkFmdWRleFlCaDI1dVBrU056eEJIN1FiWHlEcUhJWVc2MEQxWGNyQkxoVHliRnBsb2M1a1JNbnYKdjY4elpMeEdLVWg3L0kvWVJvZEhXWUxXdWhMaTYvVGpKMGNJbWlOVWxMeWhXNHJrUXRveUZmelYvWkZpZGYvWApSYjQwRHRCRk1QbytVdFRBbnJuTlF3UDN2cEF5U09OV2U3MW45dS9XdFlwYzVNeDJGaGZFbm5PcTlZcVNEMVNQCm5hUC9OUndOQ2xOY1BleWZaSU84SytWT3MvbFpBOGErMXREWTZzOFVOTHBvcm42YkRWdEsweU4rTU9YK1FLaXEKTG9KeDZtRUNnWUVBNlU3ZU96OEcybG9wd245ald6YXBobG5TU2RFTHZobS95cllNMy9TN2puTkRYNkd3TkRlKwpFQTFINUs1UDRLNnlleFMvZEllaWo4bDhiRytVb0V3Rm9pOVIxaTdGR21DL1p6WTRpa2IyQXI0MU8yV29kVk9UCkRjNnBjdmlkWnp5ZjJWaGlTMFNLZ3ZodDdzSTlQcjFyZWlyNW9TY
XBuUC9hUFhCTkl3dDh3V01DZ1lFQTNBM1AKODNrOUlPdjNNUWhiL1JiUDVBRWZYaW85U0hJNW1oekFLankxY2M1WDdadjI2SmpIc21RNGQrb0s0UjljMGFIWApETDFBRlYrWTkyRTU4ZVE1SXJhQ3JTQVAwYk45bENqLzdEMDFrT2ZnTis5QXJzVy8yc0tFcFRtZENtc3ZGb1JuClNOUzBNYmpDdmQxOEtYdWNFYmdoZzZTcjZwaGN2QWVoaGtpcjZQVUNnWUVBcFl0bXVKZENINUUyYkdIRGVDZFQKSnBkNVZSTlZ4Nit4blA2TUtDVVpLRHkxSTVndzFQeHdpaWRDU2dzOWRtbS9Ed0pyengybXhXdnNNMjBCQXJTdQprcVFNNTNNTVBHbEZwdENjVWRHRUlmSWhCMkpjbzlPSFZwYTdPVzhiRVBPOVlKVU1PZWdLZUdBYWNQMjJRMXhZCmRMa2xvNmt4Vk10ZWFaWFR4ZmdTcjQwQ2dZRUF3K2lnSEZqeHJSK213TVo2YndZaUt4RTh4ZTdCQklCOCs5RmcKMjdtVXFDOVdaTG9YeGRoTzRXa01ST1hlcmJIb1J0SFl6UVNueXQrREphb3Zsa1RqQVI2UGxHWVk3MDduSEVLcwpKYndRdG1OWllUTGwyVE5BclJmRVUvekk3UCtqdWw1Q1BicndlZHZOdEk4OC9RbUpWdFVoTVR3bnVnSFBmYThsCmhKR3FTd2tDZ1lFQW1UKzJQY1VIdVZuYXU1ZjVYMXZPaVI1aGtyNEZYUFhwZVVRZDVyMFZZazBsb01Yc3FQVGsKc0lZN0lmSUlRZ01xbFNnUVhMeVBpbjJPWEN1ZnBKTlVDRlJRamtMV2ZCZW1QbEh6N2hjNURvVHJEU1doOUtETApNak9HL3d4ckRwZGlvRnZmcVA3bldIeGk3UzAxNXpHNHhtbkg2WUZ1TThuaHpyU3NSQzhzV20wPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ==" # proxy-server ingress will use this hostname # NOTE: an additional hostname can be configured in proxyServerIngress.hosts diff --git a/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml b/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml index 1d66858a2..93774b2cd 100644 --- a/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml 
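Review bot: The `privateKey` value added to this fixture is a complete base64-encoded PEM RSA private key, and nothing in the file marks it as disposable; secret scanners will flag it on every push unless it is allow-listed, and a reader cannot tell at a glance that it was never used for anything real. Add a comment above it, e.g. `# throwaway key generated only for this unit-test fixture`, and if the code under test only needs a base64-decodable string rather than a parseable key, a short synthetic value like the one used in the bad_vault fixtures would avoid committing key material at all.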
@@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string - certificate: "foo" + certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVCVENDQXUyZ0F3SUJBZ0lVVThsYncza09ITk5QSXppRitJb3NUT3pSZVZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2daRXhDekFKQmdOVkJBWVRBbFZUTVJFd0R3WURWUVFJREFoT1pYY2dXVzl5YXpFUk1BOEdBMVVFQnd3SQpUbVYzSUZsdmNtc3hEVEFMQmdOVkJBb01CRVJsYkd3eEREQUtCZ05WQkFzTUEwbFRSekVZTUJZR0ExVUVBd3dQClNtOXZjMlZ3Y0drSUNBZ0lDQWdJTVNVd0l3WUpLb1pJaHZjTkFRa0JGaFpxYjI5elpYQndhVjlzZFc1aFFHUmwKYkd3dVkyOXRNQjRYRFRJME1ESXlNVEU0TWpRME1sb1hEVEkwTURVeU1URTRNalEwTWxvd2daRXhDekFKQmdOVgpCQVlUQWxWVE1SRXdEd1lEVlFRSURBaE9aWGNnV1c5eWF6RVJNQThHQTFVRUJ3d0lUbVYzSUZsdmNtc3hEVEFMCkJnTlZCQW9NQkVSbGJHd3hEREFLQmdOVkJBc01BMGxUUnpFWU1CWUdBMVVFQXd3UFNtOXZjMlZ3Y0drSUNBZ0kKQ0FnSU1TVXdJd1lKS29aSWh2Y05BUWtCRmhacWIyOXpaWEJ3YVY5c2RXNWhRR1JsYkd3dVkyOXRNSUlCSWpBTgpCZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF5SXhkZ04wNDdnZk41T0h3SHFhMjlHNWd3dDkzCmVidnEwZVdnZE5RWXUvUU91YktoQ3JWYUN6QXBzTGhRcnlhOEM4OWtTM3VmRHNLM3o3aHJIRXhnblc4ZzdGL1cKTjVpaXYzcU9GcDk2ZVc4VFR5UHJhVktKV3psay9xSWhWdkhGVGxTbk5jcmJTZW45RkhxZmR4RnA3ejNVSXdtVQprZk8vTTQ1RHkrcDU2cmdqOW4vSTYvVmtpMWVxalBIN1dZTnZJQXJNa0pvZTBhSFlVSTdqa3dEZ1N6ZE1jMnM3ClI5NWxQTFY1MDgxdFNCWTJtNno0VGt1dktQdG1RZ1pML3JKL2lHUTBLVTkyYmRFUC9USDVSeEkyRHZ2U3BQSzUKUkhzTEhPVDdUZWV5NGJXU1VQemJTRzBRQUE0b1JyNTV2M1VYbmlmMExwNEQ0OU5xcHRSK0VzZkx2d0lEQVFBQgpvMU13VVRBZEJnTlZIUTRFRmdRVVlZakFuMmdHQXVDalB3NVZINVI3amNsWElwd3dId1lEVlIwakJCZ3dGb0FVCllZakFuMmdHQXVDalB3NVZINVI3amNsWElwd3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBS2dWUjRvQjhlb0hNWTZ2Tm9WUERJd29NU3d2eGUyWnVDN0N0bkRvRUJjUzlrQU12TURqRwpzeFN2b0o2TXlXckpNaUt4aDJmekdGcS9FVWxDcHdKUEwvNTlTYmR3cG54UUxGWjdyZkVjMS9WQ3dOUHcx
M0pEClBnZmsvZnd6QVNEcS9mWm5pTmVldHpCa2dQdEdMWDFsU051OHFNSUZHczR0QlpZZS8xNnJ4VFFpMzRsUk56QVUKMlA2YTM3YjhWVU9yRUNhTTlOdUFaY3FWSjRiODhvNXBQSkRldm5Hb3JPOHRMQWhvT3kyclB5QnJKaVhNQ0ZKMAo4TzVQS1NrSlJyQ2x1enBPeEtxUURONTlmVDdYNEp6VzI3MVhqQlIzWVdJTUdha08rSnRUdEwyUDNBWXdtd2E1CnNibUV0UU5rSjNraDhneVNVL2p4WnQrVWVUVWRJYWxDV0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml b/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml index 4be42b2cf..3554342de 100644 --- a/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml @@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/pkg/modules/testdata/cr_auth_proxy_openshift.yaml b/pkg/modules/testdata/cr_auth_proxy_openshift.yaml new file mode 100644 index 000000000..0055e587f --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_openshift.yaml 
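Review bot: The `certificate` value in `cr_auth_proxy_certs_missing_key.yaml` is a real self-signed certificate, and by my reading of its DER the validity window is `notBefore 2024-02-21 18:24:42Z` / `notAfter 2024-05-21 18:24:42Z`, so any test that parses or verifies it — rather than only checking it is non-empty — will start failing after that date. If the missing-private-key path only needs a non-empty PEM, the short `-----BEGIN CERTIFICATE-----\ndummy\n-----END CERTIFICATE-----` value used in the vault fixture is enough and cannot expire; if it needs a parseable certificate, mint one at test time. Either way, add a comment above the value stating which, e.g. `# self-signed test certificate: exercises the certificate-without-privateKey validation path only`.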
@@ -0,0 +1,118 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+ name: authorization
+ namespace: authorization
+spec:
+ modules:
+ # Authorization: enable csm-authorization proxy server for RBAC
+ - name: authorization-proxy-server
+ # enable: Enable/Disable csm-authorization
+ enabled: true
+ configVersion: v2.0.0-alpha
+ forceRemoveModule: true
+
+ # For OpenShift Container Platform only
+ # enabled: Enable/Disable OpenShift Ingress Controller
+ # Allowed values:
+ # true: enable use of OpenShift Ingress Controller
+ # false: disable use of OpenShift Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: false
+ openshift: true
+
+ components:
+ # For Kubernetes Container Platform only
+ # enabled: Enable/Disable NGINX Ingress Controller
+ # Allowed values:
+ # true: enable deployment of NGINX Ingress Controller
+ # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: true
+ - name: nginx
+ enabled: true
+
+ # enabled: Enable/Disable cert-manager
+ # Allowed values:
+ # true: enable deployment of cert-manager
+ # false: disable deployment of cert-manager only if it's already deployed
+ # Default value: true
+ - name: cert-manager
+ enabled: true
+
+ - name: proxy-server
+ # enable: Enable/Disable csm-authorization proxy server
+ enabled: true
+ proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+ tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+ roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+ storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+ opa: openpolicyagent/opa
+ opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+
+ # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+
+ # proxy-server ingress will use this hostname
+ # NOTE: an additional hostname can be configured in proxyServerIngress.hosts
+ # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required
+ hostname: "csm-authorization.com"
+
+ # proxy-server ingress configuration
+ proxyServerIngress:
+ - ingressClassName: nginx
+
+ # additional host rules for the proxy-server ingress
+ hosts:
+ - authorization-ingress-nginx-controller.authorization.svc.cluster.local
+
+ # additional annotations for the proxy-server ingress
+ annotations:
+ "label": "value"
+
+ - name: redis
+ redis: redis:6.0.8-alpine
+ commander: rediscommander/redis-commander:latest
+ redisName: redis-csm
+ redisCommander: redicommander
+ sentinel: sentinel
+ redisReplicas: 5
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
+ # to use a different storage class for redis, specify the name of the storage class
+ # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
+ # Default value: None
+ storageclass: "local-storage"
+
+ - name: vault
+ vaultAddress: https://10.0.0.1:8400
+ vaultRole: csm-authorization
+ skipCertificateValidation: true
+ kvEnginePath: secret
+ # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+ # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificateAuthority: ""
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: csm-config-params
+ namespace: authorization
+data:
+ csm-config-params.yaml: |
+ CONCURRENT_POWERFLEX_REQUESTS: 10
+ LOG_LEVEL: debug
diff --git a/pkg/modules/testdata/cr_auth_proxy_v1100.yaml b/pkg/modules/testdata/cr_auth_proxy_v1100.yaml
index 5a53249de..2a975b93e 100644
--- a/pkg/modules/testdata/cr_auth_proxy_v1100.yaml
+++ b/pkg/modules/testdata/cr_auth_proxy_v1100.yaml
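Review bot: The `vault` block in this new OpenShift fixture sets `skipCertificateValidation: true` next to an empty `certificateAuthority`, so the Vault connection it describes runs with server-certificate verification disabled and the fixture cannot tell whether the new CA plumbing works. Unless this file is specifically meant to exercise the skip path (its name suggests it covers OpenShift ingress, not Vault TLS), set `skipCertificateValidation: false`, or drop the `vault` component entirely if the OpenShift test never reaches it. The comment `# for self-signed certs, leave empty string` under `certificateAuthority` also reads backwards — a self-signed Vault certificate is the case where the CA must be supplied — so reword it to `# for a self-signed or private-CA Vault certificate, put that CA here; leave empty only for publicly trusted certs`. `LOG_LEVEL: debug` in the bundled ConfigMap is fine for a test fixture but should not be copied into the shipped sample.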
@@ -49,12 +49,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/pkg/modules/testdata/cr_auth_proxy_v190.yaml b/pkg/modules/testdata/cr_auth_proxy_v190.yaml index 27d40efe4..60da1ba27 100644 --- a/pkg/modules/testdata/cr_auth_proxy_v190.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_v190.yaml @@ -40,12 +40,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/pkg/modules/testdata/cr_auth_proxy_vault_cert.yaml b/pkg/modules/testdata/cr_auth_proxy_vault_cert.yaml new file mode 100644 index 000000000..da93144c6 --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_vault_cert.yaml 
@@ -0,0 +1,117 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+ name: authorization
+ namespace: authorization
+spec:
+ modules:
+ # Authorization: enable csm-authorization proxy server for RBAC
+ - name: authorization-proxy-server
+ # enable: Enable/Disable csm-authorization
+ enabled: true
+ configVersion: v2.0.0-alpha
+ forceRemoveModule: true
+
+ # For OpenShift Container Platform only
+ # enabled: Enable/Disable OpenShift Ingress Controller
+ # Allowed values:
+ # true: enable use of OpenShift Ingress Controller
+ # false: disable use of OpenShift Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: false
+ openshift: false
+
+ components:
+ # For Kubernetes Container Platform only
+ # enabled: Enable/Disable NGINX Ingress Controller
+ # Allowed values:
+ # true: enable deployment of NGINX Ingress Controller
+ # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: true
+ - name: nginx
+ enabled: true
+
+ # enabled: Enable/Disable cert-manager
+ # Allowed values:
+ # true: enable deployment of cert-manager
+ # false: disable deployment of cert-manager only if it's already deployed
+ # Default value: true
+ - name: cert-manager
+ enabled: true
+
+ - name: proxy-server
+ # enable: Enable/Disable csm-authorization proxy server
+ enabled: true
+ proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+ tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+ roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+ storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+ opa: openpolicyagent/opa
+ opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+
+ # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+
+ # proxy-server ingress will use this hostname
+ # NOTE: an additional hostname can be configured in proxyServerIngress.hosts
+ # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required
+ hostname: "csm-authorization.com"
+
+ # proxy-server ingress configuration
+ proxyServerIngress:
+ - ingressClassName: nginx
+
+ # additional host rules for the proxy-server ingress
+ hosts:
+ - authorization-ingress-nginx-controller.authorization.svc.cluster.local
+
+ # additional annotations for the proxy-server ingress
+ annotations: {}
+
+ - name: redis
+ redis: redis:6.0.8-alpine
+ commander: rediscommander/redis-commander:latest
+ redisName: redis-csm
+ redisCommander: redicommander
+ sentinel: sentinel
+ redisReplicas: 5
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
+ # to use a different storage class for redis, specify the name of the storage class
+ # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
+ # Default value: None
+ storageclass: "local-storage"
+
+ - name: vault
+ vaultAddress: https://10.0.0.1:8400
+ vaultRole: csm-authorization
+ skipCertificateValidation: true
+ kvEnginePath: secret
+ # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+ # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificateAuthority: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: csm-config-params
+ namespace: authorization
+data:
+ csm-config-params.yaml: |
+ CONCURRENT_POWERFLEX_REQUESTS: 10
+ LOG_LEVEL: debug
diff --git a/samples/authorization/csm_authorization_proxy_server_v1100.yaml b/samples/authorization/csm_authorization_proxy_server_v1100.yaml
index a1ffca4be..a1cb269c6 100644
--- a/samples/authorization/csm_authorization_proxy_server_v1100.yaml
+++ b/samples/authorization/csm_authorization_proxy_server_v1100.yaml
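Review bot: `cr_auth_proxy_vault_cert.yaml` supplies a `certificateAuthority` but keeps `skipCertificateValidation: true`, so whatever the code under test does with the CA, TLS verification stays off and this fixture cannot demonstrate that the CA is actually used; for the fixture that is named for the Vault-cert path, `skipCertificateValidation: false` is the value that makes the test meaningful. The `privateKey` value is the same base64 as `certificate`, i.e. a `-----BEGIN CERTIFICATE-----` block rather than a key — harmless while the test only checks presence, but it will break the moment a PEM-type or key/cert match check is added, so use a `-----BEGIN PRIVATE KEY-----\ndummy\n-----END PRIVATE KEY-----` placeholder there instead. Add a one-line comment at the top of the `vault` block stating what the fixture asserts, e.g. `# fixture: custom client cert/key plus CA for Vault; values are placeholders, not parseable PEM`.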
@@ -40,12 +40,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/samples/authorization/csm_authorization_proxy_server_v190.yaml b/samples/authorization/csm_authorization_proxy_server_v190.yaml index fc3fd90b5..172dfe224 100644 --- a/samples/authorization/csm_authorization_proxy_server_v190.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v190.yaml @@ -40,12 +40,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/samples/authorization/csm_authorization_proxy_server_v191.yaml b/samples/authorization/csm_authorization_proxy_server_v191.yaml index dfd59054b..97c6fea25 100644 --- a/samples/authorization/csm_authorization_proxy_server_v191.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v191.yaml 
@@ -40,12 +40,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml b/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml index 222af4093..4e1b10572 100644 --- a/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml @@ -55,12 +55,12 @@ spec: authorizationControllerReplicas: 1 leaderElection: true - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" 
@@ -88,17 +88,24 @@ spec: redisCommander: redicommander sentinel: sentinel redisReplicas: 5 - # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis - # to use a different storage class for redis, specify the name of the storage class - # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization - # Default value: None - storageclass: "" - name: vault vaultAddress: https://10.0.0.1:8400 vaultRole: csm-authorization skipCertificateValidation: true kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "" --- apiVersion: v1 diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml index 12b07526c..db8835322 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml 
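Review bot: The comment added for the new `certificateAuthority` field, `# for self-signed certs, leave empty string`, steers users the wrong way: a self-signed Vault server certificate is exactly the case where the CA (the self-signed cert itself, or its private issuer) must be supplied, because an empty value leaves only the system roots, which cannot validate it. Combined with `skipCertificateValidation: true` already in this sample, the shipped default is an unverified TLS connection to Vault, and a user who follows the comment will be pushed to leave it that way. Suggest `# certificateAuthority: base64-encoded CA certificate used to verify the Vault server certificate` followed by `# required when Vault uses a self-signed or private-CA certificate and skipCertificateValidation is false; leave empty only for publicly trusted certs`, and flip the sample to `skipCertificateValidation: false`. Separately, this hunk drops the redis `storageclass` setting from the sample while the two new fixtures in this change still carry it — worth confirming that removal is intentional.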
@@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml index aeddfc809..73757a80b 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml @@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" 
diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml index 4be42b2cf..3554342de 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml @@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_ocp.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_ocp.yaml index 320a4ae7a..e2a37e8cd 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_ocp.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_ocp.yaml 
@@ -48,12 +48,12 @@ spec: opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - # certificate: path to certificate file -- add cert here to use custom certificates + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string certificate: "" - # privateKey: path to private key file -- add private key here to use custom certificates + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates # for self-signed certs, leave empty string # Allowed values: string privateKey: "" diff --git a/tests/e2e/testfiles/values.yaml b/tests/e2e/testfiles/values.yaml index dde67c2ba..caf2280c7 100644 --- a/tests/e2e/testfiles/values.yaml +++ b/tests/e2e/testfiles/values.yaml @@ -29,6 +29,19 @@ - "Validate [storages] CRD for Authorization is installed" - "Delete Authorization CRDs [1]" +- scenario: "Install Authorization CRDs" + paths: + - "testfiles/authorization-templates/csm_authorization_crds.yaml" + modules: + - "authorizationproxyserver" + steps: + - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [1]" + - "Validate [csmroles] CRD for Authorization is installed" + - "Validate [csmtenants] CRD for Authorization is installed" + - "Validate [storages] CRD for Authorization is installed" + - "Delete Authorization CRDs [1]" + - scenario: "Install Authorization Proxy Server With Default Redis Storage Class" paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml"
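Review bot: The inserted `Install Authorization CRDs` scenario in `tests/e2e/testfiles/values.yaml` looks like a duplicate of the scenario right above it — the context lines preceding the insertion end with the same `Validate [storages] CRD for Authorization is installed` and `Delete Authorization CRDs [1]` steps — so unless the existing one differs in its name, path or modules (not visible here), this adds a redundant e2e run. If it is meant to cover a different CRD manifest or module set, point it at that file and give it a distinguishing name; otherwise drop it.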