diff --git a/Makefile b/Makefile index c7a1f807c..452c133e4 100644 --- a/Makefile +++ b/Makefile @@ -20,8 +20,6 @@ endif BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) -# Produce CRDs that work back to Kubernetes 1.11 (no version conversion) -CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false" # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.25 @@ -59,10 +57,10 @@ help: ## Display this help. ##@ Development manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" + $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." #Generate semver.mk gen-semver: generate 
@@ -127,10 +125,24 @@ deploy: static-manager ## Deploy controller to the K8s cluster specified in ~/.k undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/default | kubectl delete -f - +##@ Build Dependencies -CONTROLLER_GEN = $(shell pwd)/bin/controller-gen -controller-gen: ## Download controller-gen locally if necessary. - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,v0.6.1) +## Location to install dependencies to +LOCALBIN ?= $(shell pwd)/bin +$(LOCALBIN): + mkdir -p $(LOCALBIN) + +## Tool Binaries +CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen + +## Tool Versions +CONTROLLER_TOOLS_VERSION ?= v0.15.0 + +.PHONY: controller-gen +controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. +$(CONTROLLER_GEN): $(LOCALBIN) + test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ + GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) KUSTOMIZE = $(shell pwd)/bin/kustomize kustomize: ## Download kustomize locally if necessary. diff --git a/api/v1/types.go b/api/v1/types.go index 679d0070e..f142f9c7a 100644 --- a/api/v1/types.go +++ b/api/v1/types.go @@ -1,4 +1,4 @@ -// Copyright © 2021 - 2022 Dell Inc. or its subsidiaries. All Rights Reserved. +// Copyright © 2021 - 2024 Dell Inc. or its subsidiaries. All Rights Reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
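Review bot: `$(CONTROLLER_GEN): $(LOCALBIN)` makes the `bin/` directory a normal prerequisite, so its mtime moves whenever another tool lands there (kustomize is still installed to `$(shell pwd)/bin/kustomize` by the unchanged rule below) and the controller-gen recipe re-runs; declare it order-only, `$(CONTROLLER_GEN): | $(LOCALBIN)`. The version probe `grep -q $(CONTROLLER_TOOLS_VERSION)` treats the dots in `v0.15.0` as regex wildcards; `grep -qF -- "$(CONTROLLER_TOOLS_VERSION)"` matches the literal tag. Pinning `go install …@$(CONTROLLER_TOOLS_VERSION)` is the right supply-chain shape for a generator that emits the operator's RBAC and CRD manifests, but module integrity still depends on the Go checksum database being enabled in the build environment; a comment such as `## Pinned: controller-gen produces RBAC/CRDs, so its version is a trusted build input; integrity relies on GOSUMDB not being disabled.` would record why the bump matters.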
@@ -31,11 +31,6 @@ type DriverType string // ModuleType - type representing the type of the modules. e.g. - authorization, podmon type ModuleType string -// CSMComponentType - type constraint for DriverType and ModuleType -type CSMComponentType interface { - ModuleType | DriverType -} - // ObservabilityComponentType - type representing the type of components inside observability module. e.g. - topology type ObservabilityComponentType string 
@@ -320,18 +315,50 @@ type ContainerTemplate struct { // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Service Container Image" ProxyService string `json:"proxyService,omitempty" yaml:"proxyService,omitempty"` + // ProxyServiceReplicas is the number of replicas for the proxy service deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Proxy Service Replicas" + ProxyServiceReplicas int `json:"proxyServiceReplicas,omitempty" yaml:"proxyServiceReplicas,omitempty"` + // TenantService is the image tag for the Container // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Tenant Service Container Image" TenantService string `json:"tenantService,omitempty" yaml:"tenantService,omitempty"` + // TenantServiceReplicas is the number of replicas for the tenant service deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tenant Service Replicas" + TenantServiceReplicas int `json:"tenantServiceReplicas,omitempty" yaml:"tenantServiceReplicas,omitempty"` + // RoleService is the image tag for the Container // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Role Service Container Image" RoleService string `json:"roleService,omitempty" yaml:"roleService,omitempty"` + // RoleServiceReplicas is the number of replicas for the role service deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Role Service Replicas" + RoleServiceReplicas int `json:"roleServiceReplicas,omitempty" yaml:"roleServiceReplicas,omitempty"` + // StorageService is the image tag for the Container // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Storage Service Container Image" StorageService string `json:"storageService,omitempty" yaml:"storageService,omitempty"` + // StorageServiceReplicas is the number of replicas for storage service deployment + // 
+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Storage Service Replicas" + StorageServiceReplicas int `json:"storageServiceReplicas,omitempty" yaml:"storageServiceReplicas,omitempty"` + + // AuthorizationController is the image tag for the container + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Controller Container Image" + AuthorizationController string `json:"authorizationController,omitempty" yaml:"authorizationController,omitempty"` + + // AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Controller Replicas" + AuthorizationControllerReplicas int `json:"authorizationControllerReplicas,omitempty" yaml:"authorizationControllerReplicas,omitempty"` + + // LeaderElection is boolean flag to enable leader election + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Leader Election" + LeaderElection bool `json:"leaderElection,omitempty" yaml:"leaderElection,omitempty"` + + // The interval which the reconcile of each controller is run + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Controller Reconcile Interval" + ControllerReconcileInterval string `json:"controllerReconcileInterval,omitempty" yaml:"controllerReconcileInterval,omitempty"` + // Redis is the image tag for the Container // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Redis Container Image" Redis string `json:"redis,omitempty" yaml:"redis,omitempty"` 
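Review bot: The five new `*Replicas int` fields and `ControllerReconcileInterval string` carry no validation markers, so the CRD accepts negative replica counts and an arbitrary interval string that will only fail once the controller parses it. Add `// +kubebuilder:validation:Minimum=0` above each replicas field, and for the interval either a pattern marker such as `// +kubebuilder:validation:Pattern=^([0-9]+(ns|us|ms|s|m|h))+$` or a `metav1.Duration` type if the controller feeds it to `time.ParseDuration`. With `int` plus `omitempty` an explicit `0` is indistinguishable from unset, so a scale-to-zero request is silently dropped; if zero must be expressible use `*int32` as the core Deployment API does. `ContainerTemplate` begins and ends outside this hunk.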
@@ -348,6 +375,50 @@ type ContainerTemplate struct { // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Opa Kube Management Container Image" OpaKubeMgmt string `json:"opaKubeMgmt,omitempty" yaml:"opaKubeMgmt,omitempty"` + // Hostname is the authorization proxy server hostname + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Hostname" + Hostname string `json:"hostname,omitempty" yaml:"hostname,omitempty"` + + // ProxyServerIngress is the authorization proxy server ingress configuration + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server ingress configuration" + ProxyServerIngress []ProxyServerIngress `json:"proxyServerIngress,omitempty" yaml:"proxyServerIngress,omitempty"` + + // RedisStorageClass is the authorization proxy server redis storage class for persistence + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Redis storage class" + RedisStorageClass string `json:"storageclass,omitempty" yaml:"storageclass,omitempty"` + + // VaultAddress is the address of the vault + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Address" + VaultAddress string `json:"vaultAddress,omitempty" yaml:"vaultAddress,omitempty"` + + // VaultRole is the role for the vault + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Role" + VaultRole string `json:"vaultRole,omitempty" yaml:"vaultRole,omitempty"` + + // skipCertificateValidation is the flag to skip certificate validation + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Skip Certificate Validation" + SkipCertificateValidation bool `json:"skipCertificateValidation,omitempty" yaml:"skipCertificateValidation,omitempty"` + + // kvEnginePath is the Authorization vault secret path + // 
+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization KV Engine Path" + KvEnginePath string `json:"kvEnginePath,omitempty" yaml:"kvEnginePath,omitempty"` + + // RedisName is the name of the redis statefulset + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis StatefulSet Name" + RedisName string `json:"redisName,omitempty" yaml:"redisName,omitempty"` + + // RedisCommander is the name of the redis deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis Deployment Name" + RedisCommander string `json:"redisCommander,omitempty" yaml:"redisCommander,omitempty"` + + // RedisReplicas is the number of replicas for the redis deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis Deployment Replicas" + RedisReplicas int `json:"redisReplicas,omitempty" yaml:"redisReplicas,omitempty"` + + // Sentinel is the name of the sentinel statefulSet + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Sentinel StatefulSet Name" + Sentinel string `json:"sentinel,omitempty" yaml:"sentinel,omitempty"` + // ReplicaCount is the replica count for app mobility // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Application Mobility Replica Count" ReplicaCount string `json:"replicaCount,omitempty" yaml:"replicaCount,omitempty"` 
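Review bot: `SkipCertificateValidation` is documented only as "the flag to skip certificate validation" without saying which TLS connection it disables verification on or that it opens that path to interception; given the neighbouring `VaultAddress`/`VaultRole` fields it presumably governs the Vault client, but the controller code is not in this diff. Replace the comment with something like `// SkipCertificateValidation disables TLS certificate verification on the Vault connection (presumably — confirm in the controller). When true the secret-fetch path is exposed to man-in-the-middle; intended for test environments only.` and consider logging a warning whenever it is set. `VaultAddress` is an unvalidated string; a `// +kubebuilder:validation:Pattern=^https?://` marker (or `Format=uri`) would reject garbage before reconcile. Separately, `RedisStorageClass` serialises as `storageclass` while every sibling uses a camelCase, prefixed tag (`redisName`, `redisReplicas`); once the CRD ships this tag is API and cannot be renamed, so `redisStorageClass` is worth settling now. `ContainerTemplate` starts and ends outside this hunk.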
@@ -383,6 +454,10 @@ type ContainerTemplate struct { // PrivateKey is a private key used for a certificate/private-key pair // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Private key for certificate/private-key pair" PrivateKey string `json:"privateKey,omitempty" yaml:"privateKey,omitempty"` + + // CertificateAuthority is a certificate authority used to validate a certificate + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Certificate authority for validating a certificate" + CertificateAuthority string `json:"certificateAuthority,omitempty" yaml:"certificateAuthority,omitempty"` } // SnapshotClass struct @@ -396,6 +471,21 @@ type SnapshotClass struct { Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters"` } +// ProxyServerIngress is the authorization ingress configuration struct +type ProxyServerIngress struct { + // IngressClassName is the ingressClassName + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Ingress Class Name" + IngressClassName string `json:"ingressClassName,omitempty" yaml:"ingressClassName,omitempty"` + + // Hosts is the hosts rules for the ingress + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Hosts" + Hosts []string `json:"hosts,omitempty" yaml:"hosts,omitempty"` + + // Annotations is an unstructured key value map that stores additional annotations for the ingress + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Annotations" + Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` +} + // CSIDriverSpec struct type CSIDriverSpec struct { FSGroupPolicy string `json:"fSGroupPolicy,omitempty" yaml:"fSGroupPolicy,omitempty"` diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index c74d19ac2..639a6d3ed 100644 --- a/api/v1/zz_generated.deepcopy.go 
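Review bot: `ProxyServerIngress.Annotations` and `Hosts` are accepted without any constraints, and if the controller copies them verbatim onto the generated Ingress (the reconcile code is not in this diff) then anyone permitted to edit this CR can set ingress-controller annotations such as nginx configuration snippets, which on several controllers amounts to injecting controller configuration, and can claim arbitrary hostnames. Document that trust boundary on the field, e.g. `// Annotations are applied verbatim to the generated Ingress; write access to this CR is therefore equivalent to write access to the Ingress (controller-specific annotations may alter routing or inject configuration).`, and consider an allow-list or at least `// +kubebuilder:validation:MaxItems` on `Hosts` with a hostname `Pattern`. `IngressClassName` likewise has no validation. The `CertificateAuthority` field added in the preceding hunk is described as "a certificate authority" without saying whether it holds inline PEM or a Secret name; the sibling `Certificate`/`PrivateKey` fields are inline, so state which it is once confirmed against the controller.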
+++ b/api/v1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2021. @@ -295,6 +294,13 @@ func (in *ContainerTemplate) DeepCopyInto(out *ContainerTemplate) { (*out)[key] = val } } + if in.ProxyServerIngress != nil { + in, out := &in.ProxyServerIngress, &out.ProxyServerIngress + *out = make([]ProxyServerIngress, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.ComponentCred != nil { in, out := &in.ComponentCred, &out.ComponentCred *out = make([]Credential, len(*in)) @@ -427,6 +433,33 @@ func (in *PodStatus) DeepCopy() *PodStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyServerIngress) DeepCopyInto(out *ProxyServerIngress) { + *out = *in + if in.Hosts != nil { + in, out := &in.Hosts, &out.Hosts + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Annotations != nil { + in, out := &in.Annotations, &out.Annotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyServerIngress. +func (in *ProxyServerIngress) DeepCopy() *ProxyServerIngress { + if in == nil { + return nil + } + out := new(ProxyServerIngress) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SnapshotClass) DeepCopyInto(out *SnapshotClass) { *out = *in diff --git a/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml b/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml index 202345c9d..805baca01 100644 --- a/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml +++ b/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml 
@@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: apexconnectivityclients.storage.dell.com spec: group: storage.dell.com @@ -41,14 +39,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -67,13 +70,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -123,16 +142,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables - in the container and any service environment variables. - If a variable cannot be resolved, the reference in - the input string will be unchanged. Double $$ are - reduced to a single $, which allows for escaping the - $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. @@ -145,10 +164,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or 
@@ -157,12 +176,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -175,12 +193,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -200,6 +217,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -209,10 +227,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its 
@@ -221,11 +239,15 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string @@ -233,6 +255,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -242,9 +272,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -260,64 +290,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -325,6 +412,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -356,13 +449,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -412,17 +521,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -435,10 +543,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -447,12 +555,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -465,12 +572,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -490,6 +596,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -499,10 +606,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -511,11 +618,16 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server + hostname + type: string image: description: Image is the image tag for the Container type: string @@ -523,6 +635,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility @@ -533,9 +653,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -551,65 +671,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple - using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If - the key is empty, operator must be Exists; this - combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -617,6 +793,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -633,13 +815,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -689,17 +887,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -712,10 +909,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -724,12 +921,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -742,12 +938,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -767,6 +962,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -776,10 +972,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -788,11 +984,16 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server + hostname + type: string image: description: Image is the image tag for the Container type: string @@ -800,6 +1001,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility @@ -810,9 +1019,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -828,65 +1037,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple - using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If - the key is empty, operator must be Exists; this - combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -894,6 +1159,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -929,9 +1200,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/config/crd/bases/storage.dell.com_containerstoragemodules.yaml b/config/crd/bases/storage.dell.com_containerstoragemodules.yaml index c12a53b05..a6fe0d00f 100644 --- a/config/crd/bases/storage.dell.com_containerstoragemodules.yaml +++ b/config/crd/bases/storage.dell.com_containerstoragemodules.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: containerstoragemodules.storage.dell.com spec: group: storage.dell.com @@ -41,14 +39,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -71,13 +74,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -127,16 +146,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables - in the container and any service environment variables. - If a variable cannot be resolved, the reference in - the input string will be unchanged. Double $$ are - reduced to a single $, which allows for escaping the - $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. @@ -149,10 +168,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or 
@@ -161,12 +180,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -179,12 +197,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -204,6 +221,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -213,10 +231,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its 
@@ -225,11 +243,15 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string @@ -237,6 +259,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -246,9 +276,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -264,64 +294,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -329,6 +416,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -347,13 +440,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -403,16 +512,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables - in the container and any service environment variables. - If a variable cannot be resolved, the reference in - the input string will be unchanged. Double $$ are - reduced to a single $, which allows for escaping the - $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. @@ -425,10 +534,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or 
@@ -437,12 +546,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -455,12 +563,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -480,6 +587,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -489,10 +597,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its 
@@ -501,11 +609,15 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string @@ -513,6 +625,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -522,9 +642,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -540,64 +660,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -605,6 +782,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -644,13 +827,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -700,17 +899,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -723,10 +921,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -735,12 +933,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -753,12 +950,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -778,6 +974,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -787,10 +984,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -799,11 +996,16 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server + hostname + type: string image: description: Image is the image tag for the Container type: string @@ -811,6 +1013,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility @@ -821,9 +1031,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -839,65 +1049,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple - using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If - the key is empty, operator must be Exists; this - combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -905,6 +1171,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -919,13 +1191,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -975,16 +1263,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables - in the container and any service environment variables. - If a variable cannot be resolved, the reference in - the input string will be unchanged. Double $$ are - reduced to a single $, which allows for escaping the - $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. @@ -997,10 +1285,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or 
@@ -1009,12 +1297,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -1027,12 +1314,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -1052,6 +1338,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace 
@@ -1061,10 +1348,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its @@ -1073,11 +1360,15 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string @@ -1085,6 +1376,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -1094,9 +1393,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -1112,64 +1411,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1177,6 +1533,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -1197,13 +1559,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for + the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each controller + is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -1253,17 +1631,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -1276,10 +1653,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -1288,12 +1665,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -1306,12 +1682,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -1331,6 +1706,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1340,10 +1716,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -1352,11 +1728,16 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server + hostname + type: string image: description: Image is the image tag for the Container type: string @@ -1364,6 +1745,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader + election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility @@ -1374,9 +1763,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret 
@@ -1392,65 +1781,121 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress + configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value + map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip + certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple - using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If - the key is empty, operator must be Exists; this - combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. 
+ description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array @@ -1458,6 +1903,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -1501,13 +1952,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag + for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each + controller is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -1557,17 +2024,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -1580,10 +2046,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -1592,12 +2058,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -1610,12 +2075,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -1636,6 +2100,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1645,10 +2110,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret 
@@ -1657,11 +2122,16 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server + hostname + type: string image: description: Image is the image tag for the Container type: string @@ -1669,6 +2139,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable + leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility @@ -1679,10 +2157,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be - true for the pod to fit on a node. Selector which must - match a node's labels for the pod to be scheduled on - that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the 
@@ -1698,12 +2175,50 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization + ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key + value map that stores additional annotations for + the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility 
@@ -1711,54 +2226,72 @@ spec: roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to + skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to - tolerates any taint that matches the triple - using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; - this combination means to match all values and - all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array 
@@ -1766,6 +2299,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -1794,13 +2333,29 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag + for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number + of replicas for the authorization controller deployment + type: integer certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority + used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string + controllerReconcileInterval: + description: The interval which the reconcile of each + controller is run + type: string credentials: description: ComponentCred is to store the velero credential contents 
@@ -1850,17 +2405,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -1873,10 +2427,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -1885,12 +2439,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -1903,12 +2456,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -1929,6 +2481,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1938,10 +2491,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret 
@@ -1950,11 +2503,16 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server + hostname + type: string image: description: Image is the image tag for the Container type: string @@ -1962,6 +2520,14 @@ spec: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret + path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable + leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility @@ -1972,10 +2538,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be - true for the pod to fit on a node. Selector which must - match a node's labels for the pod to be scheduled on - that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the 
@@ -1991,12 +2556,50 @@ spec: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy + server ingress configuration + items: + description: ProxyServerIngress is the authorization + ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key + value map that stores additional annotations for + the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas + for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility 
@@ -2004,54 +2607,72 @@ spec: roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas + for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to + skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas + for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy + server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas + for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to - tolerates any taint that matches the triple - using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; - this combination means to match all values and - all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array 
@@ -2059,6 +2680,12 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -2104,9 +2731,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 5f4effb0b..b64fc8865 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,9 +1,7 @@ - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - nonResourceURLs: 
@@ -473,6 +471,87 @@ rules: - get - list - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles + - csmtenants + - storages + verbs: + - get + - list +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmroles/status + verbs: + - get + - patch + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - csmtenants/status + verbs: + - get + - patch + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages + verbs: + - create + - delete + - patch + - update + - watch +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages/finalizers + verbs: + - update +- apiGroups: + - csm-authorization.storage.dell.com + resources: + - storages/status + verbs: + - get + - patch + - update - apiGroups: - discovery.k8s.io resources: @@ -1055,8 +1134,8 @@ rules: verbs: - create - delete + - get - list + - patch - update - watch - - get - - patch diff --git a/controllers/csm_controller.go b/controllers/csm_controller.go index 252d41415..156692de8 100644 --- a/controllers/csm_controller.go +++ b/controllers/csm_controller.go 
@@ -135,7 +135,7 @@ var ( // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshotcontents/status,verbs=get;list;watch;patch;update // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshots,verbs=get;list;watch;update;patch;create;delete // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshots/status,verbs=get;list;watch;update;patch -// +kubebuilder:rbac:groups="volumegroup.storage.dell.com",resources=dellcsivolumegroupsnapshots;dellcsivolumegroupsnapshots/status,verbs=create;list;watch;delete;update +// +kubebuilder:rbac:groups="volumegroup.storage.dell.com",resources=dellcsivolumegroupsnapshots;dellcsivolumegroupsnapshots/status,verbs=create;list;watch;delete;update;get;patch // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=* // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions/status,verbs=get;list;patch;watch // +kubebuilder:rbac:groups="storage.k8s.io",resources=volumeattachments/status,verbs=patch 
@@ -218,6 +218,16 @@ var ( // +kubebuilder:rbac:groups="",resources=configmaps,resourceNames=cert-manager-cainjector-leader-election;cert-manager-cainjector-leader-election-core;cert-manager-controller,verbs=get;update;patch // +kubebuilder:rbac:groups="batch",resources=jobs,verbs=list;watch;create;update;delete // +kubebuilder:rbac:groups="storage.k8s.io",resources=csistoragecapacities,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages;csmtenants;csmroles,verbs=get;list +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmroles,verbs=watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmroles/finalizers,verbs=update +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmroles/status,verbs=get;update;patch +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmtenants,verbs=watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmtenants/finalizers,verbs=update +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=csmtenants/status,verbs=get;update;patch +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages,verbs=watch;create;update;patch;delete +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages/finalizers,verbs=update +// +kubebuilder:rbac:groups="csm-authorization.storage.dell.com",resources=storages/status,verbs=get;update;patch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. 
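Review bot: The new markers hand the operator's ClusterRole create/update/patch/delete on csmroles, csmtenants and storages cluster-wide, yet the only new controller call in this diff is AuthCrdDeploy, which installs the CRDs — nothing visible has the operator reconcile those objects itself. If the grant is there because Kubernetes RBAC escalation prevention requires the operator to already hold every permission it binds to the authorization controller's ServiceAccount, record that next to the markers, e.g. `// csm-authorization CRs: held so the operator can grant them to the authorization controller's RBAC (escalation prevention); the operator does not reconcile these objects itself.` Otherwise trim the grant to the verbs the operator actually uses, since these objects presumably carry the tenant/role-to-storage bindings the authorization server enforces and an operator compromise would then let an attacker rewrite them directly. The split into get;list on one line and watch;create;update;patch;delete on the next is harmless but reads as if two different audiences were intended; a comment would settle that too.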
@@ -692,6 +702,9 @@ func (r *ContainerStorageModuleReconciler) SyncCSM(ctx context.Context, cr csmv1 authorizationEnabled, _ := utils.IsModuleEnabled(ctx, cr, csmv1.AuthorizationServer) if authorizationEnabled { log.Infow("Create/Update authorization") + if err := r.reconcileAuthorizationCRDS(ctx, operatorConfig, cr, ctrlClient); err != nil { + return fmt.Errorf("failed to deploy authorization proxy server: %v", err) + } if err := r.reconcileAuthorization(ctx, false, operatorConfig, cr, ctrlClient); err != nil { return fmt.Errorf("failed to deploy authorization proxy server: %v", err) } @@ -946,6 +959,14 @@ func (r *ContainerStorageModuleReconciler) reconcileObservability(ctx context.Co // reconcileAuthorization - deploy authorization proxy server func (r *ContainerStorageModuleReconciler) reconcileAuthorization(ctx context.Context, isDeleting bool, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient client.Client) error { log := logger.GetLogger(ctx) + + if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthCertManagerComponent) { + log.Infow("Reconcile authorization cert-manager") + if err := modules.CommonCertManager(ctx, isDeleting, op, cr, ctrlClient); err != nil { + return fmt.Errorf("unable to reconcile cert-manager for authorization: %v", err) + } + } + if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthProxyServerComponent) { log.Infow("Reconcile authorization proxy-server") if err := modules.AuthorizationServerDeployment(ctx, isDeleting, op, cr, ctrlClient); err != nil { 
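Review bot: The new CRD step wraps its error with the identical text used by the call right below it, `failed to deploy authorization proxy server: %v`, so a SyncCSM failure log no longer says which of the two calls failed without reading the wrapped message. Use `return fmt.Errorf("failed to deploy authorization CRDs: %v", err)` so the two paths stay distinguishable. SyncCSM begins and ends outside this hunk.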
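Review bot: The cert-manager reconcile is moved ahead of the proxy-server deployment without a comment recording why the order matters, so a later refactor can silently undo it; presumably the proxy-server or certificate steps further down create cert-manager resources that are rejected until cert-manager's CRDs and webhook exist. Add `// cert-manager is reconciled first because later steps create cert-manager resources — TODO confirm` above the new block. reconcileAuthorization continues past this hunk.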
@@ -957,28 +978,33 @@ func (r *ContainerStorageModuleReconciler) reconcileAuthorization(ctx context.Co } } - if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthCertManagerComponent) { - log.Infow("Reconcile authorization cert-manager") - if err := modules.CommonCertManager(ctx, isDeleting, op, cr, ctrlClient); err != nil { - return fmt.Errorf("unable to reconcile cert-manager for authorization: %v", err) + if r.Config.IsOpenShift { + log.Infow("Using OpenShift default ingress controller") + if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) { + log.Warnw("openshift environment, skipping deployment of nginx ingress controller") } - } - - if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) { - log.Infow("Reconcile authorization nginx ingress controller") - if err := modules.NginxIngressController(ctx, isDeleting, op, cr, ctrlClient); err != nil { - return fmt.Errorf("unable to reconcile nginx ingress controller for authorization: %v", err) + } else { + if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) { + log.Infow("Reconcile authorization NGINX Ingress Controller") + if err := modules.NginxIngressController(ctx, isDeleting, op, cr, ctrlClient); err != nil { + return fmt.Errorf("unable to reconcile nginx ingress controller for authorization: %v", err) + } } } - // Authorization Ingress rules are applied after NGINX ingress controller is installed + // Authorization Ingress rules if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthProxyServerComponent) { log.Infow("Reconcile authorization Ingresses") - if err := modules.AuthorizationIngress(ctx, isDeleting, op, cr, r, ctrlClient); err != nil { + if err := modules.AuthorizationIngress(ctx, isDeleting, r.Config.IsOpenShift, cr, r, ctrlClient); err != nil { return fmt.Errorf("unable to reconcile 
authorization ingress rules: %v", err) } } + log.Infow("Reconcile authorization certificates") + if err := modules.InstallWithCerts(ctx, isDeleting, op, cr, ctrlClient); err != nil { + return fmt.Errorf("unable to install certificates for Authorization: %v", err) + } + return nil } @@ -999,6 +1025,21 @@ func (r *ContainerStorageModuleReconciler) reconcileAppMobilityCRDS(ctx context. return nil } +// reconcileAuthorizationCRDS - reconcile Authorization CRDs +func (r *ContainerStorageModuleReconciler) reconcileAuthorizationCRDS(ctx context.Context, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient client.Client) error { + log := logger.GetLogger(ctx) + + // Install Authorization CRDs + if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthProxyServerComponent) { + log.Infow("Reconcile Authorization CRDS") + if err := modules.AuthCrdDeploy(ctx, op, cr, ctrlClient); err != nil { + return fmt.Errorf("unable to reconcile Authorization CRDs: %v", err) + } + } + + return nil +} + // reconcileAppMobility - deploy Application Mobility func (r *ContainerStorageModuleReconciler) reconcileAppMobility(ctx context.Context, isDeleting bool, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient client.Client) error { log := logger.GetLogger(ctx) diff --git a/controllers/csm_controller_test.go b/controllers/csm_controller_test.go index f7e86d699..754ce14b4 100644 --- a/controllers/csm_controller_test.go +++ b/controllers/csm_controller_test.go 
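Review bot: The closing `Reconcile authorization certificates` step runs unconditionally, while every other step in reconcileAuthorization — cert-manager, proxy-server, NGINX, ingress — is gated on `utils.IsModuleComponentEnabled`, so with the proxy-server component disabled the operator still creates (or, with isDeleting true, removes) certificate material. Either wrap the call in the same guard, `if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthProxyServerComponent) {`, or put a comment above it stating why certificates must be reconciled regardless of component selection. On OpenShift the `log.Warnw` is the only signal that a user-enabled nginx component was ignored; consider rejecting that combination in the pre-check so the CR does not claim a component that is never deployed. reconcileAuthorization starts outside this hunk.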
@@ -189,28 +189,35 @@ func (suite *CSMControllerTestSuite) TestReconcile() { } func (suite *CSMControllerTestSuite) TestReconcileError() { - suite.runFakeCSMManagerError("", false) + suite.runFakeCSMManagerError("", false, false) } func (suite *CSMControllerTestSuite) TestAuthorizationServerReconcile() { suite.makeFakeAuthServerCSM(csmName, suite.namespace, getAuthProxyServer()) - suite.runFakeAuthCSMManager("timed out waiting for the condition", false) + suite.runFakeAuthCSMManager("timed out waiting for the condition", false, false) suite.deleteCSM(csmName) - suite.runFakeAuthCSMManager("", true) + suite.runFakeAuthCSMManager("", true, false) +} + +func (suite *CSMControllerTestSuite) TestAuthorizationServerReconcileOCP() { + suite.makeFakeAuthServerCSMOCP(csmName, suite.namespace, getAuthProxyServerOCP()) + suite.runFakeAuthCSMManager("", false, true) + suite.deleteCSM(csmName) + suite.runFakeAuthCSMManager("", true, true) } func (suite *CSMControllerTestSuite) TestAuthorizationServerPreCheck() { suite.makeFakeAuthServerCSMWithoutPreRequisite(csmName, suite.namespace) - suite.runFakeAuthCSMManager("failed authorization proxy server validation", false) + suite.runFakeAuthCSMManager("failed authorization proxy server validation", false, false) suite.deleteCSM(csmName) - suite.runFakeAuthCSMManager("", true) + suite.runFakeAuthCSMManager("", true, false) } func (suite *CSMControllerTestSuite) TestAppMobReconcile() { suite.makeFakeAppMobCSM(csmName, suite.namespace, getAppMob()) - suite.runFakeAuthCSMManager("", false) + suite.runFakeAuthCSMManager("", false, false) suite.deleteCSM(csmName) - suite.runFakeAuthCSMManager("", true) + suite.runFakeAuthCSMManager("", true, false) } func (suite *CSMControllerTestSuite) TestResiliencyReconcile() { 
@@ -1067,8 +1074,11 @@ func (suite *CSMControllerTestSuite) runFakeCSMManager(expectedErr string, recon } } -func (suite *CSMControllerTestSuite) runFakeCSMManagerError(expectedErr string, reconcileDelete bool) { +func (suite *CSMControllerTestSuite) runFakeCSMManagerError(expectedErr string, reconcileDelete, isOpenShift bool) { reconciler := suite.createReconciler() + if isOpenShift { + reconciler.Config.IsOpenShift = true + } // invoke controller Reconcile to test. Typically, k8s would call this when resource is changed res, err := reconciler.Reconcile(ctx, req) @@ -1101,8 +1111,11 @@ func (suite *CSMControllerTestSuite) runFakeCSMManagerError(expectedErr string, } } -func (suite *CSMControllerTestSuite) runFakeAuthCSMManager(expectedErr string, reconcileDelete bool) { +func (suite *CSMControllerTestSuite) runFakeAuthCSMManager(expectedErr string, reconcileDelete, isOpenShift bool) { reconciler := suite.createReconciler() + if isOpenShift { + reconciler.Config.IsOpenShift = true + } // invoke controller Reconcile to test. Typically k8s would call this when resource is changed res, err := reconciler.Reconcile(ctx, req) @@ -1478,7 +1491,7 @@ func getAuthModule() []csmv1.Module { { Name: csmv1.Authorization, Enabled: true, - ConfigVersion: "v1.11.0", + ConfigVersion: "v2.0.0-alpha", Components: []csmv1.ContainerTemplate{ { Name: "karavi-authorization-proxy", 
@@ -1497,40 +1510,73 @@ func getAuthModule() []csmv1.Module { func getAuthProxyServer() []csmv1.Module { return []csmv1.Module{ { - Name: csmv1.AuthorizationServer, - Enabled: true, - ConfigVersion: "v1.11.0", + Name: csmv1.AuthorizationServer, + Enabled: true, + ConfigVersion: "v2.0.0-alpha", + ForceRemoveModule: true, Components: []csmv1.ContainerTemplate{ { - Name: "karavi-authorization-proxy-server", - Enabled: &[]bool{true}[0], - Envs: []corev1.EnvVar{ + Name: "proxy-server", + Enabled: &[]bool{true}[0], + Hostname: "csm-auth.com", + ProxyServerIngress: []csmv1.ProxyServerIngress{ { - Name: "PROXY_HOST", - Value: "csm-auth.com", - }, - { - Name: "AUTHORIZATION_LOG_LEVEL", - Value: "debug", - }, - { - Name: "AUTHORIZATION_CONCURRENT_POWERFLEX_REQUESTS", - Value: "10", + IngressClassName: "nginx", + Hosts: []string{"additional-host.com"}, + Annotations: map[string]string{"test": "test"}, }, }, }, { Name: "cert-manager", Enabled: &[]bool{true}[0], - Envs: []corev1.EnvVar{}, }, { - Name: "ingress-nginx", + Name: "nginx", Enabled: &[]bool{true}[0], - Envs: []corev1.EnvVar{}, + }, + { + Name: "redis", + RedisStorageClass: "test-storage", }, }, + }, + } +} + +func getAuthProxyServerOCP() []csmv1.Module { + return []csmv1.Module{ + { + Name: csmv1.AuthorizationServer, + Enabled: true, + ConfigVersion: "v2.0.0-alpha", ForceRemoveModule: true, + Components: []csmv1.ContainerTemplate{ + { + Name: "proxy-server", + Enabled: &[]bool{true}[0], + Hostname: "csm-auth.com", + ProxyServerIngress: []csmv1.ProxyServerIngress{ + { + IngressClassName: "nginx", + Hosts: []string{"additional-host.com"}, + Annotations: map[string]string{"test": "test"}, + }, + }, + }, + { + Name: "cert-manager", + Enabled: &[]bool{true}[0], + }, + { + Name: "nginx", + Enabled: &[]bool{false}[0], + }, + { + Name: "redis", + RedisStorageClass: "test-storage", + }, + }, }, } } 
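Review bot: getAuthProxyServerOCP is a line-for-line copy of getAuthProxyServer that differs only in the nginx component's Enabled flag, so every later change to the proxy-server fixture (hostname, ingress hosts, redis storage class) has to be made twice and the two will drift. Derive the OpenShift fixture from the non-OCP one and flip the single flag, with a comment saying why nginx is off there (the controller skips the NGINX Ingress Controller on OpenShift and relies on the platform router).
```go
// getAuthProxyServerOCP mirrors getAuthProxyServer with the nginx component
// disabled: on OpenShift the controller skips the NGINX Ingress Controller.
func getAuthProxyServerOCP() []csmv1.Module {
	modules := getAuthProxyServer()
	for i := range modules[0].Components {
		if modules[0].Components[i].Name == "nginx" {
			modules[0].Components[i].Enabled = &[]bool{false}[0]
		}
	}
	return modules
}
```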
@@ -1712,7 +1758,7 @@ func (suite *CSMControllerTestSuite) TestReconcileObservabilityErrorBadCert() { } func (suite *CSMControllerTestSuite) TestReconcileAuthorization() { - csm := shared.MakeCSM(csmName, suite.namespace, configVersion) + csm := shared.MakeCSM(csmName, suite.namespace, shared.AuthServerConfigVersion) csm.Spec.Modules = getAuthProxyServer() reconciler := suite.createReconciler() badOperatorConfig := utils.OperatorConfig{ @@ -1721,6 +1767,9 @@ func (suite *CSMControllerTestSuite) TestReconcileAuthorization() { err := reconciler.reconcileAuthorization(ctx, false, badOperatorConfig, csm, suite.fakeClient) assert.NotNil(suite.T(), err) + err = reconciler.reconcileAuthorizationCRDS(ctx, badOperatorConfig, csm, suite.fakeClient) + assert.NotNil(suite.T(), err) + csm.Spec.Modules[0].Components[0].Enabled = &[]bool{false}[0] err = reconciler.reconcileAuthorization(ctx, false, badOperatorConfig, csm, suite.fakeClient) assert.NotNil(suite.T(), err) 
@@ -1733,12 +1782,36 @@ func (suite *CSMControllerTestSuite) TestReconcileAuthorization() { err = reconciler.reconcileAuthorization(ctx, false, badOperatorConfig, csm, suite.fakeClient) assert.Nil(suite.T(), err) + csm.Spec.Modules[0].Components[3].Enabled = &[]bool{false}[0] + err = reconciler.reconcileAuthorization(ctx, false, badOperatorConfig, csm, suite.fakeClient) + assert.Nil(suite.T(), err) + // Restore the status for _, c := range csm.Spec.Modules[0].Components { c.Enabled = &[]bool{false}[0] } } +func (suite *CSMControllerTestSuite) TestReconcileAuthorizationBadCert() { + csm := shared.MakeCSM(csmName, suite.namespace, configVersion) + csm.Spec.Modules = getAuthProxyServer() + reconciler := suite.createReconciler() + + goodModules := csm.Spec.Modules[0].Components + for index, component := range csm.Spec.Modules[0].Components { + if component.Name == string(csmv1.AuthorizationServer) { + csm.Spec.Modules[0].Components[index].Certificate = "bad-cert" + } + } + + fmt.Printf("[TestReconcileAuthorizationBadCert] module components: %+v\n", csm.Spec.Modules[0].Components) + + err := reconciler.reconcileAuthorization(ctx, false, operatorConfig, csm, suite.fakeClient) + assert.NotNil(suite.T(), err) + + csm.Spec.Modules[0].Components = goodModules +} + func (suite *CSMControllerTestSuite) TestReconcileAppMob() { csm := shared.MakeCSM(csmName, suite.namespace, configVersion) csm.Spec.Modules = getAppMob() 
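Review bot: TestReconcileAuthorizationBadCert most likely never installs the bad certificate: the loop compares each component's Name with `string(csmv1.AuthorizationServer)`, which is the module type, while the components built by getAuthProxyServer are named "proxy-server", "cert-manager", "nginx" and "redis" — unless that constant happens to equal one of those, `Certificate = "bad-cert"` is never assigned and the NotNil assertion passes for an unrelated reason. Match on the component name, `if component.Name == "proxy-server" {`, and assert that the returned error mentions the certificate so the test cannot pass by accident. `goodModules := csm.Spec.Modules[0].Components` is a slice-header copy over the same backing array, so the "restore" at the end does not undo the mutation, and the `fmt.Printf` debugging line should go before merge.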
@@ -1780,31 +1853,26 @@ func (suite *CSMControllerTestSuite) makeFakeCSM(name, ns string, withFinalizer err := suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module + // this secret is required by authorization module sec = shared.MakeSecret("karavi-authorization-config", ns, configVersion) err = suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module + // this secret is required by authorization module sec = shared.MakeSecret("proxy-authz-tokens", ns, configVersion) err = suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module + // this secret is required by authorization module sec = shared.MakeSecret("karavi-config-secret", ns, configVersion) err = suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module + // this secret is required by authorization module sec = shared.MakeSecret("proxy-storage-secret", ns, configVersion) err = suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module - sec = shared.MakeSecret("karavi-auth-tls", ns, configVersion) - err = suite.fakeClient.Create(ctx, sec) - assert.Nil(suite.T(), err) - // replication secrets sec = shared.MakeSecret("skip-replication-cluster-check", utils.ReplicationControllerNameSpace, configVersion) err = suite.fakeClient.Create(ctx, sec) 
@@ -1919,24 +1987,39 @@ func (suite *CSMControllerTestSuite) makeFakeAppMobCSM(name, ns string, _ []csmv } func (suite *CSMControllerTestSuite) makeFakeAuthServerCSM(name, ns string, _ []csmv1.Module) { - // this secret required by authorization module + // this secret is required by authorization module sec := shared.MakeSecret("karavi-config-secret", ns, shared.AuthServerConfigVersion) err := suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module + // this secret is required by authorization module sec = shared.MakeSecret("karavi-storage-secret", ns, shared.AuthServerConfigVersion) err = suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) - // this secret required by authorization module - sec = shared.MakeSecret("karavi-auth-tls", ns, shared.AuthServerConfigVersion) + csm := shared.MakeModuleCSM(name, ns, configVersion) + + csm.Spec.Modules = getAuthProxyServer() + csm.Spec.Modules[0].ForceRemoveModule = true + + err = suite.fakeClient.Create(ctx, &csm) + assert.Nil(suite.T(), err) +} + +func (suite *CSMControllerTestSuite) makeFakeAuthServerCSMOCP(name, ns string, _ []csmv1.Module) { + // this secret is required by authorization module + sec := shared.MakeSecret("karavi-config-secret", ns, configVersion) + err := suite.fakeClient.Create(ctx, sec) + assert.Nil(suite.T(), err) + + // this secret is required by authorization module + sec = shared.MakeSecret("karavi-storage-secret", ns, configVersion) err = suite.fakeClient.Create(ctx, sec) assert.Nil(suite.T(), err) csm := shared.MakeModuleCSM(name, ns, shared.AuthServerConfigVersion) - csm.Spec.Modules = getAuthProxyServer() + csm.Spec.Modules = getAuthProxyServerOCP() csm.Spec.Modules[0].ForceRemoveModule = true err = suite.fakeClient.Create(ctx, &csm) diff --git a/deploy/crds/storage.dell.com.crds.all.yaml b/deploy/crds/storage.dell.com.crds.all.yaml index 1067f3ac7..d300d56c5 100644 --- a/deploy/crds/storage.dell.com.crds.all.yaml 
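Review bot: The two fixtures now disagree on which config version goes where: makeFakeAuthServerCSM creates its secrets with `shared.AuthServerConfigVersion` but the CSM with `configVersion`, while makeFakeAuthServerCSMOCP does the reverse (secrets with `configVersion`, CSM with `shared.AuthServerConfigVersion`). If the secret and CSM versions have to agree for the authorization pre-check to pass, one of these tests is exercising a mismatched combination by accident. Use one constant for both lines of each fixture — the retained `csm := shared.MakeModuleCSM(name, ns, shared.AuthServerConfigVersion)` looks like the intended value — and add a one-line comment above each helper naming the version it models.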
+++ b/deploy/crds/storage.dell.com.crds.all.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: apexconnectivityclients.storage.dell.com spec: group: storage.dell.com @@ -38,10 +37,19 @@ spec: description: ApexConnectivityClient is the Schema for the ApexConnectivityClient API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -59,9 +67,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -103,7 +123,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -115,7 +144,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -123,8 +155,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -135,8 +170,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -154,6 +192,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -161,7 +200,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -169,17 +211,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -189,7 +241,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -203,50 +257,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
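Review bot: The new `skipCertificateValidation` boolean lands in the schema with no default and a description that does not say what is being skipped, so an operator reading the CRD cannot tell that setting it to `true` disables TLS peer verification toward the endpoints configured by `hostname`/`vaultAddress` and exposes them to interception. Since this file is controller-gen output, the fix belongs on the field in `api/v1/types.go`: add `// +kubebuilder:default=false` and expand the doc comment to `// SkipCertificateValidation disables TLS certificate verification; only set to true for testing, as it allows man-in-the-middle interception.` so the generated description and default carry the warning. The `*Replicas` integer fields in the same hunk would likewise benefit from `// +kubebuilder:validation:Minimum=0` so a negative count is rejected by the API server rather than by the controller. The same field block is repeated for the other CRD versions later in this diff, and regenerating from the markers will fix all of them at once.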
@@ -273,9 +399,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -317,7 +455,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -329,7 +476,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -337,8 +487,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -349,8 +502,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -368,6 +524,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -375,7 +532,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -383,17 +543,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -403,7 +573,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -417,50 +589,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -476,9 +720,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -520,7 +776,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -532,7 +797,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -540,8 +808,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -552,8 +823,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -571,6 +845,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -578,7 +853,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -586,17 +864,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -606,7 +894,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -620,50 +910,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -696,19 +1058,12 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: containerstoragemodules.storage.dell.com spec: group: storage.dell.com @@ -743,10 +1098,19 @@ spec: description: ContainerStorageModule is the Schema for the containerstoragemodules API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
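Review bot: The regenerated CRD header records `controller-gen.kubebuilder.io/version: v0.14.0`, which should be checked against the controller-tools version pinned for the `manifests` target; if the build pins a different release, the next `make manifests` will rewrite these files and any CI check for generated-file drift will fail on an unrelated change. Either regenerate with the pinned version before merging or align the pin so that the annotation and the tool agree, e.g. `controller-gen.kubebuilder.io/version: v0.15.0` if that is the pinned release. Dropping the empty `status:` stanza and `creationTimestamp: null` is the expected output of newer controller-gen and needs no action.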
@@ -767,9 +1131,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -811,7 +1187,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -823,7 +1208,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -831,8 +1219,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -843,8 +1234,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -862,6 +1256,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -869,7 +1264,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -877,17 +1275,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -897,7 +1305,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -911,50 +1321,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -970,9 +1452,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -1014,7 +1508,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -1026,7 +1529,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -1034,8 +1540,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -1046,8 +1555,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -1065,6 +1577,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -1072,7 +1585,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -1080,17 +1596,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -1100,7 +1626,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -1114,50 +1642,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -1192,9 +1792,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -1236,7 +1848,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -1248,7 +1869,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -1256,8 +1880,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -1268,8 +1895,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -1287,6 +1917,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -1294,7 +1925,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -1302,17 +1936,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -1322,7 +1966,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -1336,50 +1982,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -1393,9 +2111,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -1437,7 +2167,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -1449,7 +2188,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -1457,8 +2199,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -1469,8 +2214,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -1488,6 +2236,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -1495,7 +2244,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -1503,17 +2255,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -1523,7 +2285,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -1537,50 +2301,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -1599,9 +2435,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -1643,7 +2491,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -1655,7 +2512,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -1663,8 +2523,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -1675,8 +2538,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -1694,6 +2560,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -1701,7 +2568,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -1709,17 +2579,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -1729,7 +2609,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -1743,50 +2625,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -1826,9 +2780,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -1870,7 +2836,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -1882,7 +2857,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -1890,8 +2868,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -1902,8 +2883,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -1921,6 +2905,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -1928,7 +2913,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -1936,17 +2924,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -1956,7 +2954,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -1970,50 +2970,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -2038,9 +3110,21 @@ spec: items: type: string type: array + authorizationController: + description: AuthorizationController is the image tag for the container + type: string + authorizationControllerReplicas: + description: AuthorizationControllerReplicas is the number of replicas for the authorization controller deployment + type: integer + controllerReconcileInterval: + description: ControllerReconcileInterval is the interval which the reconcile of each controller is run. + type: string certificate: description: Certificate is a certificate used for a certificate/private-key pair type: string + certificateAuthority: + description: CertificateAuthority is a certificate authority used to validate a certificate + type: string commander: description: Commander is the image tag for the Container type: string 
@@ -2082,7 +3166,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. @@ -2094,7 +3187,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -2102,8 +3198,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". @@ -2114,8 +3213,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, optional for env vars' @@ -2133,6 +3235,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: 
@@ -2140,7 +3243,10 @@ spec: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must be defined @@ -2148,17 +3254,27 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name type: object type: array + hostname: + description: Hostname is the authorization proxy server hostname + type: string image: description: Image is the image tag for the Container type: string imagePullPolicy: description: ImagePullPolicy is the image pull policy for the image type: string + kvEnginePath: + description: kvEnginePath is the Authorization vault secret path + type: string + leaderElection: + description: LeaderElection is boolean flag to enable leader election + type: boolean licenseName: description: LicenseName is the name of the license for app-mobility type: string @@ -2168,7 +3284,9 @@ spec: nodeSelector: additionalProperties: type: string - description: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. type: object objectStoreSecretName: description: ObjectStoreSecretName is the name of the secret for the object store for app-mobility 
@@ -2182,50 +3300,122 @@ spec: privateKey: description: PrivateKey is a private key used for a certificate/private-key pair type: string + proxyServerIngress: + description: ProxyServerIngress is the authorization proxy server ingress configuration + items: + description: ProxyServerIngress is the authorization ingress configuration struct + properties: + annotations: + additionalProperties: + type: string + description: Annotations is an unstructured key value map that stores additional annotations for the ingress + type: object + hosts: + description: Hosts is the hosts rules for the ingress + items: + type: string + type: array + ingressClassName: + description: IngressClassName is the ingressClassName + type: string + type: object + type: array proxyService: description: ProxyService is the image tag for the Container type: string + proxyServiceReplicas: + description: ProxyServiceReplicas is the number of replicas for the proxy service deployment + type: integer redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + roleServiceReplicas: + description: RoleServiceReplicas is the number of replicas for the role service deployment + type: integer + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string + skipCertificateValidation: + description: skipCertificateValidation is the flag to skip certificate validation + type: boolean storageService: description: StorageService is the image tag for the Container type: string + 
storageServiceReplicas: + description: StorageServiceReplicas is the number of replicas for storage service deployment + type: integer + storageclass: + description: RedisStorageClass is the authorization proxy server redis storage class for persistence + type: string tenantService: description: TenantService is the image tag for the Container type: string + tenantServiceReplicas: + description: TenantServiceReplicas is the number of replicas for the tenant service deployment + type: integer tolerations: description: Tolerations is the list of tolerations for the driver pods items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: |- + Operator represents a key's relationship to the value. 
+ Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string + vaultRole: + description: VaultRole is the role for the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -2269,9 +3459,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/deploy/operator.yaml b/deploy/operator.yaml index db4be986e..941966dde 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml 
@@ -529,6 +529,87 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmroles
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmroles
+ - csmtenants
+ - storages
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmroles/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmroles/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmtenants
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmtenants/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - csmtenants/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - storages
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - storages/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - csm-authorization.storage.dell.com
+ resources:
+ - storages/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - discovery.k8s.io
 resources:
@@ -1111,11 +1192,11 @@ rules:
 verbs:
 - create
 - delete
+ - get
 - list
+ - patch
 - update
 - watch
- - get
- - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/go.mod b/go.mod
index 81ba44fdb..489e4897e 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ require (
 github.com/stretchr/testify v1.9.0
 github.com/vmware-tanzu/velero v1.12.0
 go.uber.org/zap v1.27.0
+ golang.org/x/mod v0.10.0
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/api v0.27.2
 k8s.io/apiextensions-apiserver v0.27.2
diff --git a/go.sum b/go.sum
index 7723af960..1d081e042 100644
--- a/go.sum
+++ b/go.sum
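Review bot: The added rules give the operator's ClusterRole cluster-wide create, delete, patch, update and watch on csmroles, csmtenants and storages in the csm-authorization.storage.dell.com group, while the CSMRole CRD introduced later in this diff declares `scope: Namespaced`; if the operator only reconciles these objects in the namespaces it manages, a namespaced Role/RoleBinding would be the least-privilege shape, and if cluster-wide reach is genuinely required, that reason deserves a comment where the rules are declared. The verbs are spread over separate entries (write verbs, then get/list, then finalizers and status), which looks like controller-gen output aggregated from kubebuilder rbac markers, so any tightening belongs on those markers rather than in this bundle. The enclosing `rules:` list continues outside the hunk.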
@@ -188,6 +188,8 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
+golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
diff --git a/operatorconfig/moduleconfig/authorization/v1.10.0/custom-cert.yaml b/operatorconfig/moduleconfig/authorization/v1.10.0/custom-cert.yaml
new file mode 100644
index 000000000..e3a89dd86
--- /dev/null
+++ b/operatorconfig/moduleconfig/authorization/v1.10.0/custom-cert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ # replace with actual base64-encoded certificate
+ tls.crt:
+ # replace with actual base64-encoded private key
+ tls.key:
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: user-provided-tls
+ namespace:
diff --git a/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml
index 344d0258f..1ac00049c 100644
--- a/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml
+++ b/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml
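Review bot: The new Secret template leaves `tls.crt`, `tls.key` and `metadata.namespace` empty and only says "replace with actual base64-encoded certificate", so a reader cannot tell whether the operator populates these fields from the custom resource at deploy time or whether a user is expected to edit the file by hand; applied verbatim it would produce a `kubernetes.io/tls` Secret with empty key material. A header comment naming who fills the placeholders and when, e.g. `# Template for the user-provided TLS secret: tls.crt, tls.key and metadata.namespace are populated by <operator or user> before this manifest is applied`, would make the contract explicit. The identical file is added under v1.10.1, v1.11.0, v1.9.0 and v1.9.1 in this diff, and the same note applies to each copy.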
@@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: @@ -303,7 +256,7 @@ spec: name: grpc --- # Redis -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary diff --git a/operatorconfig/moduleconfig/authorization/v1.10.0/ingress.yaml b/operatorconfig/moduleconfig/authorization/v1.10.0/ingress.yaml deleted file mode 100644 index a9de55512..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.10.0/ingress.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: -spec: - ingressClassName: - tls: - - hosts: - - - - - secretName: karavi-auth-tls - rules: - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - http: - paths: - - backend: - service: - name: proxy-server - port: - number: 8080 - path: / - pathType: Prefix diff --git a/operatorconfig/moduleconfig/authorization/v1.10.1/custom-cert.yaml b/operatorconfig/moduleconfig/authorization/v1.10.1/custom-cert.yaml new file mode 100644 index 000000000..e3a89dd86 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v1.10.1/custom-cert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + # replace with actual base64-encoded certificate + tls.crt: + # replace with actual base64-encoded private key + tls.key: +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: diff --git a/operatorconfig/moduleconfig/authorization/v1.10.1/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.10.1/deployment.yaml index e6f3c7992..6f5312c20 100644 --- a/operatorconfig/moduleconfig/authorization/v1.10.1/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.10.1/deployment.yaml 
@@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: @@ -303,7 +256,7 @@ spec: name: grpc --- # Redis -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary diff --git a/operatorconfig/moduleconfig/authorization/v1.10.1/ingress.yaml b/operatorconfig/moduleconfig/authorization/v1.10.1/ingress.yaml deleted file mode 100644 index a9de55512..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.10.1/ingress.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: -spec: - ingressClassName: - tls: - - hosts: - - - - - secretName: karavi-auth-tls - rules: - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - http: - paths: - - backend: - service: - name: proxy-server - port: - number: 8080 - path: / - pathType: Prefix diff --git a/operatorconfig/moduleconfig/authorization/v1.11.0/custom-cert.yaml b/operatorconfig/moduleconfig/authorization/v1.11.0/custom-cert.yaml new file mode 100644 index 000000000..e3a89dd86 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v1.11.0/custom-cert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + # replace with actual base64-encoded certificate + tls.crt: + # replace with actual base64-encoded private key + tls.key: +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: diff --git a/operatorconfig/moduleconfig/authorization/v1.11.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.11.0/deployment.yaml index e6f3c7992..6f5312c20 100644 --- a/operatorconfig/moduleconfig/authorization/v1.11.0/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.11.0/deployment.yaml 
@@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: @@ -303,7 +256,7 @@ spec: name: grpc --- # Redis -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary diff --git a/operatorconfig/moduleconfig/authorization/v1.11.0/ingress.yaml b/operatorconfig/moduleconfig/authorization/v1.11.0/ingress.yaml deleted file mode 100644 index a9de55512..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.11.0/ingress.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: -spec: - ingressClassName: - tls: - - hosts: - - - - - secretName: karavi-auth-tls - rules: - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - http: - paths: - - backend: - service: - name: proxy-server - port: - number: 8080 - path: / - pathType: Prefix diff --git a/operatorconfig/moduleconfig/authorization/v1.11.0/nginx-ingress-controller.yaml b/operatorconfig/moduleconfig/authorization/v1.11.0/nginx-ingress-controller.yaml index bd6feeab0..e32eacae4 100644 --- a/operatorconfig/moduleconfig/authorization/v1.11.0/nginx-ingress-controller.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.11.0/nginx-ingress-controller.yaml @@ -661,4 +661,4 @@ webhooks: resources: - ingresses sideEffects: None - + diff --git a/operatorconfig/moduleconfig/authorization/v1.11.0/policies.yaml b/operatorconfig/moduleconfig/authorization/v1.11.0/policies.yaml index 0e7dc16bb..f18eb6b7f 100644 --- a/operatorconfig/moduleconfig/authorization/v1.11.0/policies.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.11.0/policies.yaml @@ -96,7 +96,7 @@ data: default claims = {} claims = input.claims - deny[msg] { + deny[msg] { claims == {} msg := sprintf("missing claims", []) } diff --git a/operatorconfig/moduleconfig/authorization/v1.11.0/upgrade-path.yaml b/operatorconfig/moduleconfig/authorization/v1.11.0/upgrade-path.yaml new file mode 100644 index 000000000..570f86544 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v1.11.0/upgrade-path.yaml @@ -0,0 +1,2 @@ + +minUpgradePath: v1.10.0 
diff --git a/operatorconfig/moduleconfig/authorization/v1.9.0/custom-cert.yaml b/operatorconfig/moduleconfig/authorization/v1.9.0/custom-cert.yaml new file mode 100644 index 000000000..e3a89dd86 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v1.9.0/custom-cert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + # replace with actual base64-encoded certificate + tls.crt: + # replace with actual base64-encoded private key + tls.key: +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: diff --git a/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml index 4ff948e4c..741534e31 100644 --- a/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml @@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - csm: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: 
diff --git a/operatorconfig/moduleconfig/authorization/v1.9.0/ingress.yaml b/operatorconfig/moduleconfig/authorization/v1.9.0/ingress.yaml deleted file mode 100644 index 9a7477ad3..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.9.0/ingress.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: -spec: - ingressClassName: - tls: - - hosts: - - - - - secretName: karavi-auth-tls - rules: - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 diff --git a/operatorconfig/moduleconfig/authorization/v1.9.1/custom-cert.yaml b/operatorconfig/moduleconfig/authorization/v1.9.1/custom-cert.yaml new file mode 100644 index 000000000..e3a89dd86 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v1.9.1/custom-cert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + # replace with actual base64-encoded certificate + tls.crt: + # replace with actual base64-encoded private key + tls.key: +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: diff --git a/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml index 5d4179ce0..be6d2f4a4 100644 --- a/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml 
@@ -242,53 +242,6 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - app: storage-service - csm: - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- apiVersion: v1 kind: Service metadata: diff --git a/operatorconfig/moduleconfig/authorization/v1.9.1/ingress.yaml b/operatorconfig/moduleconfig/authorization/v1.9.1/ingress.yaml deleted file mode 100644 index 9a7477ad3..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.9.1/ingress.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: -spec: - ingressClassName: - tls: - - hosts: - - - - - secretName: karavi-auth-tls - rules: - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/authorization-crds.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/authorization-crds.yaml new file mode 100644 index 000000000..8c885df97 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/authorization-crds.yaml 
@@ -0,0 +1,415 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: csmroles.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: CSMRole + listKind: CSMRoleList + plural: csmroles + singular: csmrole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CSMRole is the Schema for the csmroles API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CSMRoleSpec defines the desired state of CSMRole + properties: + pool: + type: string + quota: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + systemID: + type: string + systemType: + type: string + type: object + status: + description: CSMRoleStatus defines the observed state of CSMRole + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + Role.status.conditions.type are: "Available", "NotAvailable", and "UnKnown" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: csmtenants.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: CSMTenant + listKind: CSMTenantList + plural: csmtenants + singular: csmtenant + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CSMTenant is the Schema for the csmtenants API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CSMTenantSpec defines the desired state of CSMTenant + properties: + approveSdc: + type: boolean + revoke: + type: boolean + roles: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + volumePrefix: + maxLength: 3 + minLength: 1 + type: string + required: + - approveSdc + - revoke + type: object + status: + description: CSMTenantStatus defines the observed state of CSMTenant + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: storages.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: Storage + listKind: StorageList + plural: storages + singular: storage + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Storage is the Schema for the storages API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: StorageSpec defines the desired state of Storage + properties: + credentialPath: + type: string + credentialStore: + type: string + endpoint: + type: string + pollInterval: + type: string + skipCertificateValidation: + type: boolean + systemID: + type: string + type: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + required: + - skipCertificateValidation + type: object + status: + description: StorageStatus defines the observed state of Storage + properties: + conditions: + description: 'Storage.status.conditions.type are: "Available", "NotAvailable", + and "UnKnown"' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {}
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/cert-manager.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/cert-manager.yaml
new file mode 100644
index 000000000..ffc9f5f1f
--- /dev/null
+++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/cert-manager.yaml 
@@ -0,0 +1,1104 @@ +# Copyright 2021 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Source: cert-manager/templates/cainjector-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: -cert-manager-cainjector + namespace: "" + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" +--- +# Source: cert-manager/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: -cert-manager + namespace: "" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +--- +# Source: cert-manager/templates/webhook-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: -cert-manager-webhook + namespace: "" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + 
app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["auditregistration.k8s.io"] + resources: ["auditsinks"] + verbs: ["get", "list", "watch", "update"] +--- +# Source: cert-manager/templates/rbac.yaml +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + 
app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-orders 
+ labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME 
account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [ "networking.x-k8s.io" ] + resources: [ "httproutes" ] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. + # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +--- +# Source: cert-manager/templates/rbac.yaml +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", 
"certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["gateways", "httproutes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-edit + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + 
rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] +--- +# Source: cert-manager/templates/rbac.yaml +# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-approve:cert-manager-io + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["signers"] + verbs: ["approve"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] +--- +# Source: cert-manager/templates/rbac.yaml +# Permission to: +# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers +# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.6.1" +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/status"] + verbs: ["update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + verbs: 
["sign"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: -cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +rules: +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-cainjector +subjects: + - name: -cert-manager-cainjector + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-issuers +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + 
apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-clusterissuers +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: -cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-certificates +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-orders +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-challenges +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-ingress-shim + labels: + app: cert-manager + 
app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-ingress-shim +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-approve:cert-manager-io + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-approve:cert-manager-io +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-controller-certificatesigningrequests +subjects: + - name: -cert-manager + namespace: "" + kind: ServiceAccount +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -cert-manager-webhook:subjectaccessreviews +subjects: +- apiGroup: "" + kind: 
ServiceAccount + name: -cert-manager-webhook + namespace: +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: -cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688 + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: -cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +rules: + # Used for leader election by the controller + # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688 + - apiGroups: [""] + resources: ["configmaps"] + 
resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: -cert-manager-webhook:dynamic-serving + namespace: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["cert-manager-webhook-ca"] + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: -cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: -cert-manager-cainjector:leaderelection +subjects: + - kind: ServiceAccount + name: -cert-manager-cainjector + namespace: +--- +# Source: cert-manager/templates/rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: -cert-manager:leaderelection + namespace: kube-system + labels: + app: 
cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: -cert-manager:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: -cert-manager + namespace: +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: -cert-manager-webhook:dynamic-serving + namespace: "" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: -cert-manager-webhook:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: -cert-manager-webhook + namespace: +--- +# Source: cert-manager/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: -cert-manager + namespace: "" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: 9402 + selector: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" +--- +# Source: cert-manager/templates/webhook-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: -cert-manager-webhook + namespace: "" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +spec: + type: ClusterIP + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 10250 + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" 
+--- +# Source: cert-manager/templates/cainjector-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: -cert-manager-cainjector + namespace: "" + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + template: + metadata: + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.6.1" + spec: + serviceAccountName: -cert-manager-cainjector + securityContext: + runAsNonRoot: true + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-cainjector:v1.6.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} +--- +# Source: cert-manager/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: -cert-manager + namespace: "" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + template: + metadata: + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.6.1" + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + spec: + serviceAccountName: -cert-manager + securityContext: + runAsNonRoot: true + containers: + - name: 
cert-manager + image: "quay.io/jetstack/cert-manager-controller:v1.6.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + ports: + - containerPort: 9402 + protocol: TCP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} +--- +# Source: cert-manager/templates/webhook-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: -cert-manager-webhook + namespace: "" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + template: + metadata: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" + spec: + serviceAccountName: -cert-manager-webhook + securityContext: + runAsNonRoot: true + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-webhook:v1.6.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca + - --dynamic-serving-dns-names=-cert-manager-webhook,-cert-manager-webhook.,-cert-manager-webhook..svc + ports: + - name: https + protocol: TCP + containerPort: 10250 + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + env: + - name: POD_NAMESPACE + valueFrom: + 
fieldRef: + fieldPath: metadata.namespace + resources: + {} +--- +# Source: cert-manager/templates/webhook-mutating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: -cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" + annotations: + cert-manager.io/inject-ca-from-secret: "/cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + # We don't actually support `v1beta1` but is listed here as it is a + # required value for + # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025). + # The API server reads the supported versions in order, so _should always_ + # attempt a `v1` request which is understood by the cert-manager webhook. + # Any `v1beta1` request will return an error and fail closed for that + # resource (the whole object request is rejected). When we no longer + # support v1.16 we can remove `v1beta1` from this list. + admissionReviewVersions: ["v1", "v1beta1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). 
+ matchPolicy: Equivalent + timeoutSeconds: 10 + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: -cert-manager-webhook + namespace: "" + path: /mutate +--- +# Source: cert-manager/templates/webhook-validating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: -cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.6.1" + annotations: + cert-manager.io/inject-ca-from-secret: "/cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - cert-manager + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + # We don't actually support `v1beta1` but is listed here as it is a + # required value for + # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025). + # The API server reads the supported versions in order, so _should always_ + # attempt a `v1` request which is understood by the cert-manager webhook. + # Any `v1beta1` request will return an error and fail closed for that + # resource (the whole object request is rejected). When we no longer + # support v1.16 we can remove `v1beta1` from this list. + admissionReviewVersions: ["v1", "v1beta1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). 
+ matchPolicy: Equivalent + timeoutSeconds: 10 + failurePolicy: Fail + sideEffects: None + clientConfig: + service: + name: -cert-manager-webhook + namespace: "" + path: /validate \ No newline at end of file diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/container.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/container.yaml new file mode 100644 index 000000000..bb11458ed --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/container.yaml @@ -0,0 +1,27 @@ +name: karavi-authorization-proxy +imagePullPolicy: IfNotPresent +image: dellemc/csm-authorization-sidecar:v2.0.0-alpha +env: + - name: PROXY_HOST + value: "" + - name: INSECURE + value: "true" + - name: PLUGIN_IDENTIFIER + value: + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh +volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: + mountPath: /etc/karavi-authorization diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/custom-cert.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/custom-cert.yaml new file mode 100644 index 000000000..e3a89dd86 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/custom-cert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + # replace with actual base64-encoded certificate + tls.crt: + # replace with actual base64-encoded private key + tls.key: +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml new file mode 100644 index 000000000..fd073a1cd --- /dev/null 
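Review bot: The `INSECURE` env var on the karavi-authorization-proxy sidecar is the fixed literal `"true"`, while its neighbours `PROXY_HOST` and `PLUGIN_IDENTIFIER` are template values, so every deployment rendered from this file ships with what the name suggests is TLS verification toward the proxy host switched off and no way for a deployer to change it short of editing the module config. Consider making it a templated value whose default is `"false"`, e.g. `- name: INSECURE` / `  value: "false"`, and documenting in a comment next to it what the flag relaxes. The meaning of the flag is inferred from its name and the `proxy-server-root-certificate` mount; confirm against the sidecar before changing the default. The last `volumeMounts` entry has an empty `name:`, which reads like a stripped placeholder; if it is literally empty in the file the manifest will not validate.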
+++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml 
@@ -0,0 +1,896 @@ +apiVersion: v1 +kind: Secret +metadata: + name: redis-csm-secret + namespace: +type: kubernetes.io/basic-auth +stringData: + password: K@ravi123! + commander_user: dev +--- +# Proxy service +apiVersion: v1 +kind: ServiceAccount +metadata: + name: proxy-server + namespace: +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["watch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +subjects: + - kind: ServiceAccount + name: proxy-server + namespace: +roleRef: + kind: ClusterRole + name: proxy-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: proxy-server + namespace: + labels: + app: proxy-server +spec: + replicas: + selector: + matchLabels: + app: proxy-server + template: + metadata: + labels: + csm: + app: proxy-server + spec: + serviceAccountName: proxy-server + containers: + - name: proxy-server + image: + imagePullPolicy: Always + env: + - name: SENTINELS + value: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--redis-sentinel=$(SENTINELS)" + - "--redis-password=$(REDIS_PASSWORD)" + - "--tenant-service=tenant-service..svc.cluster.local:50051" + - "--role-service=role-service..svc.cluster.local:50051" + - "--storage-service=storage-service..svc.cluster.local:50051" + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: opa + image: + imagePullPolicy: IfNotPresent + args: + - "run" + - "--ignore=." 
+ - "--server" + - "--log-level=debug" + ports: + - name: http + containerPort: 8181 + - name: kube-mgmt + image: + imagePullPolicy: IfNotPresent + args: + - "--policies=" + - "--enable-data" + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: proxy-server + namespace: +spec: + selector: + app: proxy-server + ports: + - name: http + protocol: TCP + port: 8080 + targetPort: 8080 +--- +# Tenant Service +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tenant-service + namespace: + labels: + app: tenant-service +spec: + replicas: + selector: + matchLabels: + app: tenant-service + template: + metadata: + labels: + csm: + app: tenant-service + spec: + containers: + - name: tenant-service + image: + imagePullPolicy: Always + env: + - name: SENTINELS + value: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--redis-sentinel=$(SENTINELS)" + - "--redis-password=$(REDIS_PASSWORD)" + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: tenant-service + namespace: +spec: + selector: + app: tenant-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc +--- +# Role Service +apiVersion: v1 +kind: ServiceAccount +metadata: + name: role-service + namespace: +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: role-service +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- 
+kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: role-service +subjects: + - kind: ServiceAccount + name: role-service + namespace: +roleRef: + kind: ClusterRole + name: role-service + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: role-service + namespace: + labels: + app: role-service +spec: + replicas: + selector: + matchLabels: + app: role-service + template: + metadata: + labels: + csm: + app: role-service + spec: + serviceAccountName: role-service + containers: + - name: role-service + image: + imagePullPolicy: Always + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: + volumeMounts: + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: role-service + namespace: +spec: + selector: + app: role-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc +--- +# Storage service +apiVersion: v1 +kind: ServiceAccount +metadata: + name: storage-service + namespace: +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: storage-service +rules: + - apiGroups: [""] + resources: ["secrets", "events"] + verbs: ["get", "patch","post", create] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants", "csmroles"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "update", "get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: storage-service +subjects: + - kind: ServiceAccount + name: storage-service + namespace: +roleRef: + kind: ClusterRole + name: storage-service + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 
storage-service-tokenreview-binding + namespace: +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: storage-service + namespace: +--- +apiVersion: v1 +kind: Service +metadata: + name: storage-service + namespace: +spec: + selector: + app: storage-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: storage-service-selfsigned + namespace: +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: storage-service-selfsigned + namespace: +spec: + secretName: storage-service-selfsigned-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - dellemc + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + dnsNames: + - csm-authorization-storage-service + issuerRef: + name: storage-service-selfsigned + kind: Issuer + group: cert-manager.io +--- +# Controller +apiVersion: v1 +kind: ServiceAccount +metadata: + name: authorization-controller + namespace: +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: authorization-controller +rules: + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmroles"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmroles/status"] + verbs: ["get", "update", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmroles/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmtenants"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmtenants/status"] + verbs: ["get", 
"update", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["csmtenants/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages/status"] + verbs: ["get", "update", "patch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages/finalizers"] + verbs: ["update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "update", "get", "delete", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: authorization-controller +subjects: + - kind: ServiceAccount + name: authorization-controller + namespace: +roleRef: + kind: ClusterRole + name: authorization-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authorization-controller + namespace: + labels: + app: authorization-controller +spec: + replicas: + selector: + matchLabels: + app: authorization-controller + template: + metadata: + labels: + csm: + app: authorization-controller + spec: + serviceAccountName: authorization-controller + containers: + - name: authorization-controller + image: + imagePullPolicy: Always + args: + - "--authorization-namespace=" + - "--health-probe-bind-address=:8081" + - "--leader-elect=" + - "--tenant-service-address=tenant-service..svc.cluster.local:50051" + - "--storage-service-address=storage-service..svc.cluster.local:50051" + - "--role-service-address=role-service..svc.cluster.local:50051" + - "--controller-reconcile-interval=" + env: + - name: NAMESPACE + value: + ports: + - containerPort: 50052 + name: grpc +--- +apiVersion: v1 +kind: Service +metadata: + name: authorization-controller + namespace: +spec: + selector: + app: 
authorization-controller + ports: + - port: 50052 + targetPort: 50052 + name: grpc +--- +# Redis +apiVersion: v1 +kind: Service +metadata: + name: + namespace: +spec: + type: + clusterIP: None + selector: + app: + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 + name: +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: + namespace: +spec: + serviceName: + replicas: + selector: + matchLabels: + app: + template: + metadata: + labels: + csm: + app: + spec: + initContainers: + - name: config + image: + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + + command: [ "sh", "-c" ] + args: + - | + cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf + + echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf + echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf + + echo "Finding master..." + MASTER_FDQN=`hostname -f | sed -e 's/redis-csm-[0-9]\./redis-csm-0./'` + echo "Master at " $MASTER_FQDN + if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then + echo "No sentinel found." + + if [ "$(hostname)" = "redis-csm-0" ]; then + echo "This is redis master, not updating config..." + else + echo "This is redis slave, updating redis.conf..." 
+ echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + else + echo "Sentinel found, finding master" + MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + containers: + - name: + image: + command: [ "redis-server" ] + args: [ "/etc/redis/redis.conf" ] + ports: + - containerPort: 6379 + name: + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + volumes: + - name: redis-primary-volume + emptyDir: {} + - name: config + emptyDir: {} + - name: configmap + configMap: + name: redis-csm-cm +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: + namespace: +spec: + replicas: 1 + selector: + matchLabels: + app: + template: + metadata: + labels: + csm: + app: + tier: backend + spec: + containers: + - name: + image: + imagePullPolicy: IfNotPresent + env: + - name: SENTINELS + value: + - name: K8S_SIGTERM + value: "1" + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: HTTP_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: HTTP_USER + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: commander_user + ports: + - name: + containerPort: 8081 + livenessProbe: + httpGet: + path: /favicon.png + port: 8081 + initialDelaySeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: "500m" + memory: "512M" + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: 
+ drop: + - ALL +--- +apiVersion: v1 +kind: Service +metadata: + name: + namespace: +spec: + selector: + app: + ports: + - protocol: TCP + port: 8081 + targetPort: 8081 +--- +# Sentinel +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: + namespace: +spec: + serviceName: + replicas: + selector: + matchLabels: + app: + template: + metadata: + labels: + csm: + app: + spec: + initContainers: + - name: config + image: + command: [ "sh", "-c" ] + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - | + replicas=$( expr $(()) - 1) + for i in $(seq 0 $replicas) + do + node=$( echo "-$i." ) + nodes=$( echo "$nodes*$node" ) + done + loop=$(echo $nodes | sed -e "s/"*"/\n/g") + + foundMaster=false + + while [ "$foundMaster" = "false" ] + do + for i in $loop + do + echo "Finding master at $i" + ROLE=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep role | cut -d ":" -f2) + if [ "$ROLE" = "master" ]; then + MASTER=$i.authorization.svc.cluster.local + echo "Master found at $MASTER..." + foundMaster=true + break + else + MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) + if [ "$MASTER" = "" ]; then + echo "Master not found..." + echo "Waiting 5 seconds for redis pods to come up..." + sleep 5 + MASTER= + else + echo "Master found at $MASTER..." 
+ foundMaster=true + break + fi + fi + done + + if [ "$foundMaster" = "true" ]; then + break + else + echo "Master not found, wait for 30s before attempting again" + sleep 30 + fi + done + + echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master + echo "port 5000 + sentinel resolve-hostnames yes + sentinel announce-hostnames yes + $(cat /tmp/master) + sentinel down-after-milliseconds mymaster 5000 + sentinel failover-timeout mymaster 60000 + sentinel parallel-syncs mymaster 2 + sentinel auth-pass mymaster $REDIS_PASSWORD + " > /etc/redis/sentinel.conf + cat /etc/redis/sentinel.conf + volumeMounts: + - name: redis-config + mountPath: /etc/redis/ + containers: + - name: + image: + command: ["redis-sentinel"] + args: ["/etc/redis/sentinel.conf"] + ports: + - containerPort: 5000 + name: + volumeMounts: + - name: redis-config + mountPath: /etc/redis/ + - name: data + mountPath: /data + volumes: + - name: redis-config + emptyDir: {} + - name: data + emptyDir : {} +--- +apiVersion: v1 +kind: Service +metadata: + name: + namespace: +spec: + clusterIP: None + ports: + - port: 5000 + targetPort: 5000 + name: + selector: + app: +--- +apiVersion: v1 +kind: Service +metadata: + name: -svc + namespace: +spec: + type: NodePort + ports: + - port: 5000 + targetPort: 5000 + name: -svc + selector: + app: +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: auth-resource-reader +rules: + - apiGroups: [""] + resources: ["secrets", "configmaps", "pods"] + verbs: ["get", "watch", "list", "patch", "create", "update", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["ingress-controller-leader"] + verbs: ["get", "update"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:serviceaccounts: +subjects: + - kind: Group + name: system:serviceaccounts: + namespace: +roleRef: + kind: ClusterRole + name: auth-resource-reader + apiGroup: rbac.authorization.k8s.io +--- 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: view
+---
+# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt
+# list configmaps to be loaded into OPA as policies.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: opa-viewer
+roleRef:
+ kind: ClusterRole
+ name: view
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+ name: system:serviceaccounts:
+ apiGroup: rbac.authorization.k8s.io
+---
+# Define role for OPA/kube-mgmt to update configmaps with policy status.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace:
+ name: configmap-modifier
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["update", "patch"]
+---
+# Grant OPA/kube-mgmt role defined above.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace:
+ name: opa-configmap-modifier
+roleRef:
+ kind: Role
+ name: configmap-modifier
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+ name: system:serviceaccounts:
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: proxy-server
+ namespace:
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: proxy-server
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["watch"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["storages", "csmtenants"]
+ verbs: ["get", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: proxy-server
+subjects:
+ - kind: ServiceAccount
+ name: proxy-server
+ namespace:
+roleRef:
+ kind: ClusterRole
+ name: proxy-server
+ apiGroup: rbac.authorization.k8s.io
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/local-provisioner.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/local-provisioner.yaml
new file mode 100644
index 000000000..ca7f530f3
--- /dev/null
+++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/local-provisioner.yaml
@@ -0,0 +1,21 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: csm-authorization-local-storage
+provisioner: kubernetes.io/no-provisioner
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: csm-authorization-redis
+spec:
+ capacity:
+ storage: 8Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Recycle
+ storageClassName: csm-authorization-local-storage
+ hostPath:
+ path: /csm-authorization/redis
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/nginx-ingress-controller.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/nginx-ingress-controller.yaml
new file mode 100644
index 000000000..fb221c7fc
--- /dev/null
+++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/nginx-ingress-controller.yaml
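Review bot: The PersistentVolume in local-provisioner.yaml sets `persistentVolumeReclaimPolicy: Recycle` on a `hostPath` volume; `Recycle` is deprecated in Kubernetes and relies on a recycler pod to scrub the directory, so a released Redis volume is likely to sit in `Released` with its data still on the node. For a statically provisioned local volume `Retain` is the documented choice (`persistentVolumeReclaimPolicy: Retain`), with cleanup of `/csm-authorization/redis` made an explicit operator step. The PV also carries no `nodeAffinity`, so on a multi-node cluster nothing ties the Redis pod to the node that holds the data under `/csm-authorization/redis`; a `local:` volume with `nodeAffinity`, or at least a comment stating that this manifest assumes a single-node cluster, would make the contract clear.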
@@ -0,0 +1,663 @@ +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx + namespace: +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission + namespace: +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx + namespace: +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - coordination.k8s.io + resourceNames: + - ingress-controller-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - "" + resources: + - events + 
verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission + namespace: +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +- apiGroups: + - "" + resources: + - namespaces + resourceNames: + - authorization + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + 
app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx + namespace: +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: -ingress-nginx +subjects: +- kind: ServiceAccount + name: -ingress-nginx + namespace: +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission + namespace: +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: -ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: -ingress-nginx-admission + namespace: +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: -ingress-nginx +subjects: +- kind: ServiceAccount + name: -ingress-nginx + namespace: +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
-ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: -ingress-nginx-admission + namespace: +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-controller + namespace: +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-controller + namespace: +spec: + externalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-controller-admission + namespace: +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-controller + namespace: 
+spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + template: + metadata: + labels: + csm: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + spec: + containers: + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/-ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/-ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + - --v=3 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + 
volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: -ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: -ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission-create + namespace: +spec: + ttlSecondsAfterFinished: 10 + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission-create + spec: + containers: + - args: + - create + - --host=-ingress-nginx-controller-admission,-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=-ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: -ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission-patch + namespace: 
+spec: + ttlSecondsAfterFinished: 10 + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=-ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=-ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + serviceAccountName: -ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.1.3 + name: -ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: -ingress-nginx-controller-admission + namespace: + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - 
apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml new file mode 100644 index 000000000..ff1ac70a9 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml 
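Review bot: The `-ingress-nginx-controller` ConfigMap sets `allow-snippet-annotations: "true"`, which lets anyone who can create an Ingress object in the cluster inject arbitrary nginx configuration into this shared controller, and newer upstream ingress-nginx releases ship this key disabled for that reason. Unless a CSM Authorization Ingress depends on a snippet annotation, set `allow-snippet-annotations: "false"`; if one does depend on it, name that annotation in a comment beside the key so the exposure is deliberate rather than inherited from the upstream sample. Separately, every resource is labelled `app.kubernetes.io/version: 1.1.3` while the Deployment pins `registry.k8s.io/ingress-nginx/controller:v1.4.0`, so the labels describe a different release than the one that runs.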
@@ -0,0 +1,365 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: common + namespace: +data: + common.rego: | + package karavi.common + default roles = {} + roles = {} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-create + namespace: +data: + volumes-create.rego: | + package karavi.volumes.create + + import data.karavi.common + default allow = false + + allow { + count(permitted_roles) != 0 + count(deny) == 0 + } + + deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) + } + + deny[msg] { + count(permitted_roles) == 0 + msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s", + [input.claims.roles, + input.request.volumeSizeInKb, + input.systemtype, + input.storagesystemid, + input.storagepool]) + } + + permitted_roles[v] = y { + claimed_roles := split(input.claims.roles, ",") + + some i + a := claimed_roles[i] + common.roles[a] + + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) + } + + permitted_roles[v] = y { + claimed_roles := split(input.claims.roles, ",") + + some i + a := claimed_roles[i] + common.roles[a] + + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-delete + namespace: +data: + volumes-delete.rego: | + package karavi.volumes.delete + + import data.karavi.common + + default response = { + "allowed": true + } + response = { + "allowed": false, + "status": { + "reason": reason, + }, + } { + reason = concat(", ", deny) + reason != "" + } + + deny[msg] 
{ + common.roles == {} + msg := sprintf("no role data found", []) + } + + default claims = {} + claims = input.claims + deny[msg] { + claims == {} + msg := sprintf("missing claims", []) + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-map + namespace: +data: + volumes-map.rego: | + package karavi.volumes.map + + import data.karavi.common + + default response = { + "allowed": true + } + response = { + "allowed": false, + "status": { + "reason": reason, + }, + } { + reason = concat(", ", deny) + reason != "" + } + + deny[msg] { + common.roles == {} + msg := sprintf("no role data found", []) + } + + default claims = {} + claims = input.claims + deny[msg] { + claims == {} + msg := sprintf("missing claims", []) + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: powermax-volumes-create + namespace: +data: + volumes-powermax-create.rego: | + package karavi.volumes.powermax.create + + import data.karavi.common + + default allow = false + + allow { + count(permitted_roles) != 0 + count(deny) == 0 + } + + deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) + } + + deny[msg] { + count(permitted_roles) == 0 + msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s", + [input.claims.roles, + input.request.volumeSizeInKb, + input.systemtype, + input.storagesystemid, + input.storagepool]) + } + + permitted_roles[v] = y { + claimed_roles := split(input.claims.roles, ",") + + some i + a := claimed_roles[i] + common.roles[a] + + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) + } + + permitted_roles[v] = y { + claimed_roles := split(input.claims.roles, ",") + + some i + a := claimed_roles[i] + common.roles[a] + + v := claimed_roles[i] + 
common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-unmap + namespace: +data: + volumes-unmap.rego: | + package karavi.volumes.unmap + + import data.karavi.common + + default response = { + "allowed": true + } + response = { + "allowed": false, + "status": { + "reason": reason, + }, + } { + reason = concat(", ", deny) + reason != "" + } + + deny[msg] { + common.roles == {} + msg := sprintf("no role data found", []) + } + + default claims = {} + claims = input.claims + deny[msg] { + claims == {} + msg := sprintf("missing claims", []) + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sdc-approve + namespace: +data: + sdc-approve.rego: | + package karavi.sdc.approve + + import data.karavi.common + + # Allow requests by default. + default allow = true + + default response = { + "allowed": true + } + response = { + "allowed": false, + "status": { + "reason": reason, + }, + } { + reason = concat(", ", deny) + reason != "" + } + + default claims = {} + claims = input.claims + deny[msg] { + claims == {} + msg := sprintf("missing claims", []) + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: redis-csm-cm + namespace: + +data: + redis.conf: | +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: snapshot-create + namespace: +data: + snapshot-create.rego: | + package karavi.snapshot.create + + import data.karavi.common + + default allow := false + + allow { + count(permitted_roles) == count(input.request) + count(deny) == 0 + } + + # Deny if there are no roles found. + deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) + } + + # Deny if claimed roles has no match for the request. 
+ deny[msg] {
+ count(permitted_roles) != count(input.request)
+
+ unpermitted_requests := [req |
+ element := input.request[_]
+
+ not permitted_roles[element.name]
+
+ req := element
+ ]
+
+ msg := sprintf(
+ "no roles in [%s] allow the %s Kb request on %s/%s/%s for %s",
+ [
+ input.claims.roles,
+ unpermitted_requests[_].volumeSizeInKb,
+ input.systemtype,
+ input.storagesystemid,
+ unpermitted_requests[_].storagepool,
+ unpermitted_requests[_].name,
+ ],
+ )
+ }
+
+ # No OR in OPA, multiple rules are needed.
+ size_is_valid(a, b) {
+ to_number(a) >= to_number(b)
+ }
+
+ # No OR in OPA, multiple rules are needed.
+ size_is_valid(a, _) {
+ to_number(a) == 0
+ }
+
+ # Create a list of permitted roles.
+ permitted_roles[snapshot] := roles {
+ # Split the claimed roles by comma into an array.
+ claimed_roles := split(input.claims.roles, ",")
+
+ # Iterate through the requests.
+ req := input.request[_]
+
+ roles := [role |
+ sp := req.storagepool
+ size := req.volumeSizeInKb
+
+ # Iterate through the roles in the request.
+ c_role := claimed_roles[_]
+ common.roles[c_role]
+
+ system_ids := common.roles[c_role].system_types[input.systemtype].system_ids[input.storagesystemid]
+ pool_quota := system_ids.pool_quotas[sp]
+
+ # Validate that the pool quota is valid.
+ size_is_valid(pool_quota, size)
+
+ role := {"size": to_number(pool_quota), "storagepool": sp, "role": c_role}
+ ]
+
+ # Ensure that the role list is not empty.
+ count(roles) != 0
+
+ # Set the snapshot name which creates an entry in the list.
+ snapshot := req.name
+ }
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/upgrade-path.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/upgrade-path.yaml
new file mode 100644
index 000000000..570f86544
--- /dev/null
+++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/upgrade-path.yaml
@@ -0,0 +1,2 @@
+
+minUpgradePath: v1.10.0
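Review bot: In the `snapshot-create` deny rule at the top of this hunk, `unpermitted_requests[_]` appears three times inside one `sprintf` argument list, and each `_` in Rego is a distinct anonymous variable, so for N unpermitted requests the rule produces N³ messages that combine the size, pool and name of different requests. Bind the element once with `r := unpermitted_requests[_]` and format `[input.claims.roles, r.volumeSizeInKb, input.systemtype, input.storagesystemid, r.storagepool, r.name]` so each message describes a single request. The `deny[msg]` rule starts inside this hunk; the enclosing ConfigMap and `package karavi.snapshot.create` header are above it.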
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/volumes.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/volumes.yaml new file mode 100644 index 000000000..ec4a5b445 --- /dev/null +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/volumes.yaml @@ -0,0 +1,6 @@ +- name: karavi-authorization-config + secret: + secretName: karavi-authorization-config +- name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate diff --git a/pkg/modules/authorization.go b/pkg/modules/authorization.go index b826b2a32..3b389809a 100644 --- a/pkg/modules/authorization.go +++ b/pkg/modules/authorization.go @@ -1,4 +1,4 @@ -// Copyright © 2021 - 2022 Dell Inc. or its subsidiaries. All Rights Reserved. +// Copyright © 2021 - 2024 Dell Inc. or its subsidiaries. All Rights Reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -14,6 +14,8 @@ package modules import ( "context" + "encoding/base64" + "encoding/json" "errors" "fmt" "os" @@ -22,12 +24,18 @@ import ( "strings" "time" + certificate "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + cmmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" csmv1 "github.com/dell/csm-operator/api/v1" drivers "github.com/dell/csm-operator/pkg/drivers" "github.com/dell/csm-operator/pkg/logger" utils "github.com/dell/csm-operator/pkg/utils" + "golang.org/x/mod/semver" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" applyv1 "k8s.io/client-go/applyconfigurations/apps/v1" acorev1 "k8s.io/client-go/applyconfigurations/core/v1" 
@@ -48,70 +56,109 @@ const ( AuthPolicyManifest = "policies.yaml" // AuthLocalProvisionerManifest - AuthLocalProvisionerManifest = "local-provisioner.yaml" + // AuthCustomCert - custom certificate file + AuthCustomCert = "custom-cert.yaml" // AuthNamespace - AuthNamespace = "" - // AuthLogLevel - - AuthLogLevel = "" - // AuthConcurrentPowerFlexRequests - - AuthConcurrentPowerFlexRequests = "" - // AuthZipkinCollectorURI - - AuthZipkinCollectorURI = "" - // AuthZipkinProbability - - AuthZipkinProbability = "" // AuthServerImage - AuthServerImage = "" + // AuthProxyServiceReplicas - + AuthProxyServiceReplicas = "" // AuthOpaImage - AuthOpaImage = "" // AuthOpaKubeMgmtImage - AuthOpaKubeMgmtImage = "" // AuthTenantServiceImage - AuthTenantServiceImage = "" + // AuthTenantServiceReplicas - + AuthTenantServiceReplicas = "" // AuthRoleServiceImage - AuthRoleServiceImage = "" + // AuthRoleServiceReplicas - + AuthRoleServiceReplicas = "" // AuthStorageServiceImage - AuthStorageServiceImage = "" + // AuthStorageServiceReplicas - + AuthStorageServiceReplicas = "" // AuthRedisImage - AuthRedisImage = "" // AuthRedisCommanderImage - AuthRedisCommanderImage = "" // AuthRedisStorageClass - AuthRedisStorageClass = "" + // AuthControllerImage - + AuthControllerImage = "" + // AuthControllerReplicas - + AuthControllerReplicas = "" + // AuthLeaderElectionEnabled - + AuthLeaderElectionEnabled = "" + // AuthControllerReconcileInterval - + AuthControllerReconcileInterval = "" // AuthProxyHost - AuthProxyHost = "" // AuthProxyIngressHost - AuthProxyIngressHost = "" - // AuthProxyIngressClassName - - AuthProxyIngressClassName = "" - // AuthTenantIngressClassName - - AuthTenantIngressClassName = "" - // AuthRoleIngressClassName - - AuthRoleIngressClassName = "" - // AuthStorageIngressClassName - - AuthStorageIngressClassName = "" - - // AuthProxyServerComponent - karavi-authorization-proxy-server component - AuthProxyServerComponent = "karavi-authorization-proxy-server" + + // 
AuthVaultAddress - + AuthVaultAddress = "" + // AuthVaultRole - + AuthVaultRole = "" + // AuthSkipCertificateValidation - + AuthSkipCertificateValidation = "" + // AuthKvEnginePath - + AuthKvEnginePath = "" + // AuthRedisName - + AuthRedisName = "" + // AuthRedisCommander - + AuthRedisCommander = "" + // AuthRedisSentinel - + AuthRedisSentinel = "" + // AuthRedisSentinelValues - + AuthRedisSentinelValues = "" + // AuthRedisReplicas - + AuthRedisReplicas = "" + + // AuthCert - for tls secret + AuthCert = "" + // AuthPrivateKey - for tls secret + AuthPrivateKey = "" + + // AuthProxyServerComponent - proxy-server component + AuthProxyServerComponent = "proxy-server" // AuthSidecarComponent - karavi-authorization-proxy component AuthSidecarComponent = "karavi-authorization-proxy" - // AuthNginxIngressComponent - ingress-nginx component - AuthNginxIngressComponent = "ingress-nginx" + // AuthNginxIngressComponent - nginx component + AuthNginxIngressComponent = "nginx" // AuthCertManagerComponent - cert-manager component AuthCertManagerComponent = "cert-manager" + // AuthRedisComponent - redis component + AuthRedisComponent = "redis" + // AuthVaultComponent - vault component + AuthVaultComponent = "vault" // AuthLocalStorageClass - AuthLocalStorageClass = "csm-authorization-local-storage" + + // AuthCrds - name of authorization crd manifest yaml + AuthCrds = "authorization-crds.yaml" ) var ( redisStorageClass string authHostname string - proxyIngressHost string proxyIngressClassName string + authCertificate string + authPrivateKey string + secretName string + + pathType = networking.PathTypePrefix + duration = 2160 * time.Hour // 90d + renewBefore = 360 * time.Hour // 15d ) -// AuthorizationSupportedDrivers is a map containing the CSI Drivers supported by CSM Authorization. The key is driver name and the value is the driver plugin identifier +// AuthorizationSupportedDrivers ... is a map containing the CSI Drivers supported by CSM Authorization. 
The key is driver name and the value is the driver plugin identifier var AuthorizationSupportedDrivers = map[string]SupportedDriverParam{ "powerscale": { PluginIdentifier: drivers.PowerScalePluginIdentifier, @@ -447,7 +494,15 @@ func AuthorizationServerPrecheck(ctx context.Context, op utils.OperatorConfig, a } // Check for secrets - proxyServerSecrets := []string{"karavi-config-secret", "karavi-storage-secret"} + var proxyServerSecrets []string + switch semver.Major(auth.ConfigVersion) { + case "v2": + proxyServerSecrets = []string{"karavi-config-secret"} + case "v1": + proxyServerSecrets = []string{"karavi-config-secret", "karavi-storage-secret"} + default: + return fmt.Errorf("authorization major version %s not supported", semver.Major(auth.ConfigVersion)) + } for _, name := range proxyServerSecrets { found := &corev1.Secret{} err := r.GetClient().Get(ctx, types.NamespacedName{Name: name, Namespace: cr.GetNamespace()}, found) @@ -463,15 +518,14 @@ func AuthorizationServerPrecheck(ctx context.Context, op utils.OperatorConfig, a } // getAuthorizationServerDeployment - apply dynamic values to the deployment manifest before installation -func getAuthorizationServerDeployment(op utils.OperatorConfig, cr csmv1.ContainerStorageModule, auth csmv1.Module) (string, error) { +func getAuthorizationServerDeployment(op utils.OperatorConfig, cr csmv1.ContainerStorageModule) (string, error) { YamlString := "" auth, err := getAuthorizationModule(cr) if err != nil { return YamlString, err } - deploymentPath := fmt.Sprintf("%s/moduleconfig/authorization/%s/%s", op.ConfigDirectory, auth.ConfigVersion, AuthDeploymentManifest) - buf, err := os.ReadFile(filepath.Clean(deploymentPath)) + buf, err := readConfigFile(auth, cr, op, AuthDeploymentManifest) if err != nil { return YamlString, err } 
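Review bot: The `var (` block gains `authCertificate`, `authPrivateKey` and `secretName` as package-level mutable strings; their readers and writers are outside this hunk, but if they are filled in per ContainerStorageModule during reconcile, two reconciles running at the same time share one copy and one CR's private key could be written into another CR's TLS secret. Carry these values in a small struct or as function arguments instead of globals, and turn the hard-coded `duration`/`renewBefore` lifetimes into `const` with a comment naming the certificate they apply to, e.g. `// cert-manager Certificate lifetime and renewal lead time for the proxy-server TLS secret`. The rewritten godoc `// AuthorizationSupportedDrivers ... is a map` also reads oddly with the inserted `...`; `// AuthorizationSupportedDrivers is a map containing the CSI Drivers supported by CSM Authorization.` keeps the original wording and is what godoc expects.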
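Review bot: The default branch of the new `switch` in AuthorizationServerPrecheck formats `semver.Major(auth.ConfigVersion)`, which is the empty string whenever the value is not a valid `vMAJOR.MINOR.PATCH` version, so a malformed ConfigVersion (for example one missing the leading `v`) yields `authorization major version  not supported` with no hint of the offending value. Report the raw field instead: `return fmt.Errorf("authorization config version %q not supported", auth.ConfigVersion)`. The enclosing function starts and ends outside the hunk.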
@@ -480,27 +534,54 @@ func getAuthorizationServerDeployment(op utils.OperatorConfig, cr csmv1.Containe authNamespace := cr.Namespace for _, component := range auth.Components { + // proxy-server component if component.Name == AuthProxyServerComponent { YamlString = strings.ReplaceAll(YamlString, AuthServerImage, component.ProxyService) + YamlString = strings.ReplaceAll(YamlString, AuthProxyServiceReplicas, strconv.Itoa(component.ProxyServiceReplicas)) YamlString = strings.ReplaceAll(YamlString, AuthOpaImage, component.Opa) YamlString = strings.ReplaceAll(YamlString, AuthOpaKubeMgmtImage, component.OpaKubeMgmt) YamlString = strings.ReplaceAll(YamlString, AuthTenantServiceImage, component.TenantService) + YamlString = strings.ReplaceAll(YamlString, AuthTenantServiceReplicas, strconv.Itoa(component.TenantServiceReplicas)) YamlString = strings.ReplaceAll(YamlString, AuthRoleServiceImage, component.RoleService) + YamlString = strings.ReplaceAll(YamlString, AuthRoleServiceReplicas, strconv.Itoa(component.RoleServiceReplicas)) YamlString = strings.ReplaceAll(YamlString, AuthStorageServiceImage, component.StorageService) + YamlString = strings.ReplaceAll(YamlString, AuthStorageServiceReplicas, strconv.Itoa(component.StorageServiceReplicas)) + YamlString = strings.ReplaceAll(YamlString, AuthControllerImage, component.AuthorizationController) + YamlString = strings.ReplaceAll(YamlString, AuthControllerReplicas, strconv.Itoa(component.AuthorizationControllerReplicas)) + YamlString = strings.ReplaceAll(YamlString, AuthLeaderElectionEnabled, strconv.FormatBool(component.LeaderElection)) + YamlString = strings.ReplaceAll(YamlString, AuthControllerReconcileInterval, component.ControllerReconcileInterval) + YamlString = strings.ReplaceAll(YamlString, CSMName, cr.Name) + } + + // redis component + if component.Name == AuthRedisComponent { YamlString = strings.ReplaceAll(YamlString, AuthRedisImage, component.Redis) YamlString = strings.ReplaceAll(YamlString, AuthRedisCommanderImage, 
component.Commander) - YamlString = strings.ReplaceAll(YamlString, CSMName, cr.Name) + YamlString = strings.ReplaceAll(YamlString, AuthRedisName, component.RedisName) + YamlString = strings.ReplaceAll(YamlString, AuthRedisCommander, component.RedisCommander) + YamlString = strings.ReplaceAll(YamlString, AuthRedisSentinel, component.Sentinel) + YamlString = strings.ReplaceAll(YamlString, AuthRedisReplicas, strconv.Itoa(component.RedisReplicas)) + + var sentinelValues []string + for i := 0; i < component.RedisReplicas; i++ { + sentinelValues = append(sentinelValues, fmt.Sprintf("sentinel-%d.sentinel.%s.svc.cluster.local:5000", i, authNamespace)) + } + sentinels := strings.Join(sentinelValues, ", ") + YamlString = strings.ReplaceAll(YamlString, AuthRedisSentinelValues, sentinels) - for _, env := range component.Envs { - if env.Name == "REDIS_STORAGE_CLASS" { - if env.Value == "" { - redisStorageClass = AuthLocalStorageClass - } else { - redisStorageClass = env.Value - } - } + if component.RedisStorageClass == "" { + redisStorageClass = AuthLocalStorageClass + } else { + redisStorageClass = component.RedisStorageClass } } + + if component.Name == AuthVaultComponent { + YamlString = strings.ReplaceAll(YamlString, AuthVaultAddress, component.VaultAddress) + YamlString = strings.ReplaceAll(YamlString, AuthVaultRole, component.VaultRole) + YamlString = strings.ReplaceAll(YamlString, AuthSkipCertificateValidation, strconv.FormatBool(component.SkipCertificateValidation)) + YamlString = strings.ReplaceAll(YamlString, AuthKvEnginePath, component.KvEnginePath) + } } YamlString = strings.ReplaceAll(YamlString, AuthNamespace, authNamespace) 
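Review bot: The sentinel address list built in the new redis branch (`sentinel-%d.sentinel.%s.svc.cluster.local:5000`, joined with `", "`) is duplicated verbatim in authorizationStorageServiceV2 later in this commit, so the sentinel service name and port are now hard-coded in two places that must stay in sync; a small helper shared by both removes the drift risk. The same branch also assigns the package-level `redisStorageClass` (declared in the var block at the top of this diff), which is mutable state shared across reconciles and across CRs handled by the same operator; returning the value or keeping it local to the caller would be safer. getAuthorizationServerDeployment's body starts before and continues after the hunk.
```go
// sentinelAddresses returns the comma-separated redis sentinel endpoints for
// the given replica count and namespace; shared by the deployment template
// substitution here and by the v2 storage-service arguments.
func sentinelAddresses(replicas int, namespace string) string {
	addrs := make([]string, 0, replicas)
	for i := 0; i < replicas; i++ {
		addrs = append(addrs, fmt.Sprintf("sentinel-%d.sentinel.%s.svc.cluster.local:5000", i, namespace))
	}
	return strings.Join(addrs, ", ")
}

// … unchanged: redis image/name/commander/sentinel/replica substitutions …
YamlString = strings.ReplaceAll(YamlString, AuthRedisSentinelValues, sentinelAddresses(component.RedisReplicas, authNamespace))
```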
@@ -510,25 +591,21 @@ func getAuthorizationServerDeployment(op utils.OperatorConfig, cr csmv1.Containe return YamlString, nil } -func getAuthorizationLocalProvisioner(op utils.OperatorConfig, cr csmv1.ContainerStorageModule, auth csmv1.Module) (bool, string, error) { +// getAuthorizationLocalProvisioner for redis +func getAuthorizationLocalProvisioner(op utils.OperatorConfig, cr csmv1.ContainerStorageModule) (bool, string, error) { auth, err := getAuthorizationModule(cr) if err != nil { return false, "", err } for _, component := range auth.Components { - if component.Name == AuthProxyServerComponent { - for _, env := range component.Envs { - if env.Name == "REDIS_STORAGE_CLASS" { - if env.Value == "" { - path := fmt.Sprintf("%s/moduleconfig/authorization/%s/%s", op.ConfigDirectory, auth.ConfigVersion, AuthLocalProvisionerManifest) - buf, err := os.ReadFile(filepath.Clean(path)) - if err != nil { - return false, "", err - } - return true, string(buf), nil - } + if component.Name == AuthRedisComponent { + if component.RedisStorageClass == "" { + buf, err := readConfigFile(auth, cr, op, AuthLocalProvisionerManifest) + if err != nil { + return false, "", err } + return true, string(buf), nil } } } 
@@ -537,123 +614,515 @@ func getAuthorizationLocalProvisioner(op utils.OperatorConfig, cr csmv1.Containe // AuthorizationServerDeployment - apply/delete deployment objects func AuthorizationServerDeployment(ctx context.Context, isDeleting bool, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { - useLocalStorage, yamlString, err := getAuthorizationLocalProvisioner(op, cr, csmv1.Module{}) + useLocalStorage, yamlString, err := getAuthorizationLocalProvisioner(op, cr) if err != nil { return err } if useLocalStorage { - deployObjects, err := utils.GetModuleComponentObj([]byte(yamlString)) + err = applyDeleteObjects(ctx, ctrlClient, yamlString, isDeleting) if err != nil { return err } - - for _, ctrlObj := range deployObjects { - if isDeleting { - if err := utils.DeleteObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } else { - if err := utils.ApplyObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } - } } - YamlString, err := getAuthorizationServerDeployment(op, cr, csmv1.Module{}) + YamlString, err := getAuthorizationServerDeployment(op, cr) if err != nil { return err } - deployObjects, err := utils.GetModuleComponentObj([]byte(YamlString)) + + err = applyDeleteObjects(ctx, ctrlClient, YamlString, isDeleting) if err != nil { return err } - for _, ctrlObj := range deployObjects { - if isDeleting { - if err := utils.DeleteObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } else { - if err := utils.ApplyObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } + err = applyDeleteAuthorizationStorageService(ctx, isDeleting, cr, ctrlClient) + if err != nil { + return err } return nil } -// getAuthorizationIngressRules - apply dynamic values to the Ingress manifest before installation -func getAuthorizationIngressRules(op utils.OperatorConfig, cr csmv1.ContainerStorageModule) (string, error) { - YamlString := "" +// AuthorizationStorageService - apply/delete storage service 
deployment and volume objects +func applyDeleteAuthorizationStorageService(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } - auth, err := getAuthorizationModule(cr) + switch semver.Major(authModule.ConfigVersion) { + case "v2": + return authorizationStorageServiceV2(ctx, isDeleting, cr, ctrlClient) + case "v1": + return authorizationStorageServiceV1(ctx, isDeleting, cr, ctrlClient) + default: + return fmt.Errorf("authorization major version %s not supported", semver.Major(authModule.ConfigVersion)) + } +} + +func authorizationStorageServiceV1(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) if err != nil { - return YamlString, err + return err + } + + // get component variables + image := "" + for _, component := range authModule.Components { + switch component.Name { + case AuthProxyServerComponent: + image = component.StorageService + } } - deploymentPath := fmt.Sprintf("%s/moduleconfig/authorization/%s/%s", op.ConfigDirectory, auth.ConfigVersion, AuthIngressManifest) - buf, err := os.ReadFile(filepath.Clean(deploymentPath)) + deployment := getStorageServiceScaffold(cr.Name, cr.Namespace, image, 1) + + // set karavi-storage-secret volume + deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{ + Name: "storage-volume", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "karavi-storage-secret", + }, + }, + }) + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].VolumeMounts = append(deployment.Spec.Template.Spec.Containers[i].VolumeMounts, corev1.VolumeMount{ + Name: "storage-volume", + MountPath: "/etc/karavi-authorization/storage", + }) + break + 
} + } + + deploymentBytes, err := json.Marshal(&deployment) if err != nil { - return YamlString, err + return fmt.Errorf("marshalling storage-service deployment: %w", err) } - YamlString = string(buf) - authNamespace := cr.Namespace + deploymentYaml, err := yaml.JSONToYAML(deploymentBytes) + if err != nil { + return fmt.Errorf("converting storage-service json to yaml: %w", err) + } - for _, component := range auth.Components { - if component.Name == AuthProxyServerComponent { - for _, env := range component.Envs { - if env.Name == "PROXY_HOST" { - authHostname = env.Value - } else if env.Name == "PROXY_INGRESS_HOST" { - proxyIngressHost = env.Value - } else if env.Name == "PROXY_INGRESS_CLASSNAME" { - proxyIngressClassName = env.Value - } + return applyDeleteObjects(ctx, ctrlClient, string(deploymentYaml), isDeleting) +} + +func authorizationStorageServiceV2(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + err = applyDeleteVaultCertificates(ctx, isDeleting, cr, ctrlClient) + if err != nil { + return fmt.Errorf("applying/deleting vault certificates: %w", err) + } + + replicas := 0 + sentinels := "" + image := "" + vaultAddress := "" + vaultRole := "" + vaultKVEnginePath := "" + vaultSkipCertificateValidation := false + vaultCertificate := "" + vaultPrivateKey := "" + vaultCertificateAuthority := "" + leaderElection := true + for _, component := range authModule.Components { + switch component.Name { + case AuthProxyServerComponent: + replicas = component.StorageServiceReplicas + image = component.StorageService + leaderElection = component.LeaderElection + case AuthRedisComponent: + var sentinelValues []string + for i := 0; i < component.RedisReplicas; i++ { + sentinelValues = append(sentinelValues, fmt.Sprintf("sentinel-%d.sentinel.%s.svc.cluster.local:5000", i, cr.Namespace)) } + sentinels = strings.Join(sentinelValues, 
", ") + case AuthVaultComponent: + vaultAddress = component.VaultAddress + vaultRole = component.VaultRole + vaultKVEnginePath = component.KvEnginePath + vaultSkipCertificateValidation = component.SkipCertificateValidation + vaultCertificate = component.Certificate + vaultPrivateKey = component.PrivateKey + vaultCertificateAuthority = component.CertificateAuthority + default: + continue } } - YamlString = strings.ReplaceAll(YamlString, AuthNamespace, authNamespace) - YamlString = strings.ReplaceAll(YamlString, AuthProxyHost, authHostname) - YamlString = strings.ReplaceAll(YamlString, AuthProxyIngressHost, proxyIngressHost) - YamlString = strings.ReplaceAll(YamlString, AuthProxyIngressClassName, proxyIngressClassName) - YamlString = strings.ReplaceAll(YamlString, CSMName, cr.Name) + deployment := getStorageServiceScaffold(cr.Name, cr.Namespace, image, int32(replicas)) - return YamlString, nil + // set vault volumes + volume := corev1.Volume{ + Name: "vault-client-certificate", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{{}}, + }, + }, + } + + if vaultCertificateAuthority != "" { + volume.VolumeSource.Projected.Sources = append(volume.VolumeSource.Projected.Sources, corev1.VolumeProjection{ + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "vault-certificate-authority", + }, + }, + }) + } + + if vaultCertificate != "" && vaultPrivateKey != "" { + volume.VolumeSource.Projected.Sources = append(volume.VolumeSource.Projected.Sources, corev1.VolumeProjection{ + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "vault-client-certificate", + }, + }, + }) + } else { + volume.VolumeSource.Projected.Sources = append(volume.VolumeSource.Projected.Sources, corev1.VolumeProjection{ + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "storage-service-selfsigned-tls", + }, 
+ }, + }) + } + deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volume) + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].VolumeMounts = append(deployment.Spec.Template.Spec.Containers[i].VolumeMounts, corev1.VolumeMount{ + Name: "vault-client-certificate", + MountPath: "/etc/vault", + }) + break + } + } + + // set redis envs + redis := []corev1.EnvVar{ + { + Name: "SENTINELS", + Value: sentinels, + }, + { + Name: "REDIS_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "redis-csm-secret", + }, + Key: "password", + }, + }, + }, + } + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].Env = append(deployment.Spec.Template.Spec.Containers[i].Env, redis...) + break + } + } + + // set arguments + args := []string{ + "--redis-sentinel=$(SENTINELS)", + "--redis-password=$(REDIS_PASSWORD)", + fmt.Sprintf("--vault-address=%s", vaultAddress), + fmt.Sprintf("--vault-role=%s", vaultRole), + fmt.Sprintf("--vault-kv-engine-path=%s", vaultKVEnginePath), + fmt.Sprintf("--vault-skip-certificate-validation=%t", vaultSkipCertificateValidation), + fmt.Sprintf("--leader-election=%t", leaderElection), + } + for i, c := range deployment.Spec.Template.Spec.Containers { + if c.Name == "storage-service" { + deployment.Spec.Template.Spec.Containers[i].Args = append(deployment.Spec.Template.Spec.Containers[i].Args, args...) 
+ break + } + } + + deploymentBytes, err := json.Marshal(&deployment) + if err != nil { + return fmt.Errorf("marshalling storage-service deployment: %w", err) + } + + deploymentYaml, err := yaml.JSONToYAML(deploymentBytes) + if err != nil { + return fmt.Errorf("converting storage-service json to yaml: %w", err) + } + + err = applyDeleteObjects(ctx, ctrlClient, string(deploymentYaml), isDeleting) + if err != nil { + return fmt.Errorf("applying storage-service deployment: %w", err) + } + return nil } -// AuthorizationIngress - apply/delete ingress objects -func AuthorizationIngress(ctx context.Context, isDeleting bool, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, r utils.ReconcileCSM, ctrlClient crclient.Client) error { - YamlString, err := getAuthorizationIngressRules(op, cr) +// getStorageServiceScaffold returns the storage-service deployment with the common elements between v1 and v2 +// callers must ensure that other elements specific for the version get set in the returned deployment +func getStorageServiceScaffold(name string, namespace string, image string, replicas int32) appsv1.Deployment { + return appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + Kind: "Deployment", + APIVersion: "apps/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "storage-service", + Namespace: namespace, + Labels: map[string]string{ + "app": "storage-service", + }, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "storage-service", + }, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "csm": name, + "app": "storage-service", + }, + }, + Spec: corev1.PodSpec{ + ServiceAccountName: "storage-service", + Containers: []corev1.Container{ + { + Name: "storage-service", + Image: image, + ImagePullPolicy: "Always", + Ports: []corev1.ContainerPort{ + { + ContainerPort: 50051, + Name: "grpc", + }, + }, + Env: []corev1.EnvVar{ + { + Name: 
"NAMESPACE", + Value: namespace, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "config-volume", + MountPath: "/etc/karavi-authorization/config", + }, + { + Name: "csm-config-params", + MountPath: "/etc/karavi-authorization/csm-config-params", + }, + }, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "config-volume", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "karavi-config-secret", + }, + }, + }, + { + Name: "csm-config-params", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "csm-config-params", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func applyDeleteVaultCertificates(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + // get vault certificate data from CR + vaultCertificate := "" + vaultPrivateKey := "" + vaultCertificateAuthority := "" + for _, component := range authModule.Components { + switch component.Name { + case AuthVaultComponent: + vaultCertificate = component.Certificate + vaultPrivateKey = component.PrivateKey + vaultCertificateAuthority = component.CertificateAuthority + default: + continue + } + } + + // apply/delete vault-certificate-authority secret if it was provided + if vaultCertificateAuthority != "" { + vaultCABytes, err := base64.StdEncoding.DecodeString(vaultCertificateAuthority) + if err != nil { + return fmt.Errorf("decoding vault certificate authority: %w", err) + } + + secret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "vault-certificate-authority", + Namespace: cr.Namespace, + }, + Type: corev1.SecretTypeOpaque, + Data: map[string][]byte{ + "ca.crt": vaultCABytes, + }, + } + + secretBytes, err := json.Marshal(&secret) + if err != nil { + return 
fmt.Errorf("marshalling vault certificate authority secret: %w", err) + } + + yamlString, err := yaml.JSONToYAML(secretBytes) + if err != nil { + return fmt.Errorf("converting vault certificate authority json to yaml: %w", err) + } + + err = applyDeleteObjects(ctx, ctrlClient, string(yamlString), isDeleting) + if err != nil { + return fmt.Errorf("applying vault certificate authority secret: %w", err) + } + } + + // apply/delete vault-client-certificate secret if it was provided + if vaultCertificate != "" && vaultPrivateKey != "" { + vaultCertBytes, err := base64.StdEncoding.DecodeString(vaultCertificate) + if err != nil { + return fmt.Errorf("decoding vault certificate: %w", err) + } + + vaultKeyBytes, err := base64.StdEncoding.DecodeString(vaultPrivateKey) + if err != nil { + return fmt.Errorf("decoding vault private key: %w", err) + } + + secret := corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "vault-client-certificate", + Namespace: cr.Namespace, + }, + Type: corev1.SecretTypeTLS, + Data: map[string][]byte{ + "tls.crt": vaultCertBytes, + "tls.key": vaultKeyBytes, + }, + } + + secretBytes, err := json.Marshal(&secret) + if err != nil { + return fmt.Errorf("marshalling vault certificate secret: %w", err) + } + + yamlString, err := yaml.JSONToYAML(secretBytes) + if err != nil { + return fmt.Errorf("converting vault certificate json to yaml: %w", err) + } + + err = applyDeleteObjects(ctx, ctrlClient, string(yamlString), isDeleting) + if err != nil { + return fmt.Errorf("applying vault certificate secret: %w", err) + } + return nil + } + + // apply/delete storage-service-selfsigned issuer and certificate + issuer := createSelfSignedIssuer(cr, "storage-service-selfsigned") + + issuerByes, err := json.Marshal(issuer) + if err != nil { + return fmt.Errorf("marshaling storage-service-selfsigned issuer: %v", err) + } + + issuerYaml, err := yaml.JSONToYAML(issuerByes) + if err != nil { + 
return fmt.Errorf("converting storage-service-selfsigned issuer json to yaml: %v", err) + } + + // create/delete issuer + err = applyDeleteObjects(ctx, ctrlClient, string(issuerYaml), isDeleting) if err != nil { return err } - ingressObjects, err := utils.GetModuleComponentObj([]byte(YamlString)) + + certificate := createSelfSignedCertificate(cr, []string{fmt.Sprintf("storage-service.%s.svc.cluster.local", cr.Namespace)}, "storage-service-selfsigned", "storage-service-selfsigned-tls", "storage-service-selfsigned") + + certBytes, err := json.Marshal(certificate) + if err != nil { + return fmt.Errorf("marshaling storage-service-selfsigned certificate: %v", err) + } + + certYaml, err := yaml.JSONToYAML(certBytes) + if err != nil { + return fmt.Errorf("converting storage-service-selfsigned certificate json to yaml: %v", err) + } + + // create/delete certificate + err = applyDeleteObjects(ctx, ctrlClient, string(certYaml), isDeleting) if err != nil { return err } + return nil +} + +// AuthorizationIngress - apply/delete ingress objects +func AuthorizationIngress(ctx context.Context, isDeleting, isOpenShift bool, cr csmv1.ContainerStorageModule, r utils.ReconcileCSM, ctrlClient crclient.Client) error { + ingress, err := createIngress(isOpenShift, cr) + if err != nil { + return fmt.Errorf("creating ingress: %v", err) + } + + ingressBytes, err := json.Marshal(ingress) + if err != nil { + return fmt.Errorf("marshaling ingress: %v", err) + } + + ingressYaml, err := yaml.JSONToYAML(ingressBytes) + if err != nil { + return fmt.Errorf("marshaling ingress: %v", err) + } // Wait for NGINX ingress controller to be ready before creating Ingresses - if !isDeleting { + // Needed for Kubernetes only + if !isDeleting && !isOpenShift { if err := utils.WaitForNginxController(ctx, cr, r, time.Duration(10)*time.Second); err != nil { return fmt.Errorf("NGINX ingress controller is not ready: %v", err) } } - for _, ctrlObj := range ingressObjects { - if isDeleting { - if err := 
utils.DeleteObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } else { - if err := utils.ApplyObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } + err = applyDeleteObjects(ctx, ctrlClient, string(ingressYaml), isDeleting) + if err != nil { + return err } return nil @@ -668,8 +1137,7 @@ func getNginxIngressController(op utils.OperatorConfig, cr csmv1.ContainerStorag return YamlString, err } - nginxIngressPath := fmt.Sprintf("%s/moduleconfig/authorization/%s/%s", op.ConfigDirectory, auth.ConfigVersion, AuthNginxIngressManifest) - buf, err := os.ReadFile(filepath.Clean(nginxIngressPath)) + buf, err := readConfigFile(auth, cr, op, AuthNginxIngressManifest) if err != nil { return YamlString, err } @@ -689,23 +1157,11 @@ func NginxIngressController(ctx context.Context, isDeleting bool, op utils.Opera return err } - ctrlObjects, err := utils.GetModuleComponentObj([]byte(YamlString)) + err = applyDeleteObjects(ctx, ctrlClient, YamlString, isDeleting) if err != nil { return err } - for _, ctrlObj := range ctrlObjects { - if isDeleting { - if err := utils.DeleteObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } else { - if err := utils.ApplyObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } - } - } - return nil } @@ -718,8 +1174,7 @@ func getPolicies(op utils.OperatorConfig, cr csmv1.ContainerStorageModule) (stri return YamlString, err } - policyPath := fmt.Sprintf("%s/moduleconfig/authorization/%s/%s", op.ConfigDirectory, auth.ConfigVersion, AuthPolicyManifest) - buf, err := os.ReadFile(filepath.Clean(policyPath)) + buf, err := readConfigFile(auth, cr, op, AuthPolicyManifest) if err != nil { return YamlString, err } 
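Review bot: In authorizationStorageServiceV2 the projected volume `vault-client-certificate` is initialised with `Sources: []corev1.VolumeProjection{{}}`, so its first entry is always an empty projection with no source set and the real secret projections are appended after it; at best that entry is a no-op and API validation may reject a projection with no volume type, so start from an empty slice: `Sources: []corev1.VolumeProjection{},`. Separately, applyDeleteVaultCertificates silently falls through to the self-signed issuer when only one of Certificate/PrivateKey is set on the vault component, whereas getCerts later in this commit treats the same half-configured state on the proxy-server component as an error; an explicit `return fmt.Errorf("vault certificate and private key must both be provided")` would make the misconfiguration visible instead of quietly switching the storage service to a self-signed client certificate. Finally, the vault private key arrives base64-encoded in the CR itself, so it is readable by anyone with get access on the ContainerStorageModule resource and appears in its audit and status representations; consider documenting that on the field or accepting a Secret reference instead.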
@@ -738,22 +1193,411 @@ func InstallPolicies(ctx context.Context, isDeleting bool, op utils.OperatorConf return err } - deployObjects, err := utils.GetModuleComponentObj([]byte(YamlString)) + err = applyDeleteObjects(ctx, ctrlClient, YamlString, isDeleting) if err != nil { return err } - for _, ctrlObj := range deployObjects { - if isDeleting { - if err := utils.DeleteObject(ctx, ctrlObj, ctrlClient); err != nil { - return err + return nil +} + +func getCerts(ctx context.Context, op utils.OperatorConfig, cr csmv1.ContainerStorageModule) (bool, string, error) { + log := logger.GetLogger(ctx) + YamlString := "" + authNamespace := cr.Namespace + + authModule, err := getAuthorizationModule(cr) + if err != nil { + return false, YamlString, err + } + + for _, component := range authModule.Components { + if component.Name == AuthProxyServerComponent { + authHostname = component.Hostname + authCertificate = component.Certificate + authPrivateKey = component.PrivateKey + } + } + + if authCertificate != "" || authPrivateKey != "" { + // use custom tls secret + if authCertificate != "" && authPrivateKey != "" { + log.Infof("using user provided certificate and key for authorization") + buf, err := readConfigFile(authModule, cr, op, AuthCustomCert) + if err != nil { + return false, YamlString, err } + + YamlString = string(buf) + YamlString = strings.ReplaceAll(YamlString, AuthNamespace, authNamespace) + YamlString = strings.ReplaceAll(YamlString, AuthCert, authCertificate) + YamlString = strings.ReplaceAll(YamlString, AuthPrivateKey, authPrivateKey) } else { - if err := utils.ApplyObject(ctx, ctrlObj, ctrlClient); err != nil { - return err - } + return false, YamlString, fmt.Errorf("authorization install failed -- either certificate or private key missing for custom cert") + } + } else { + // use self-signed cert + log.Info("using self-signed certificate for authorization") + return true, "", nil + } + + return false, YamlString, nil +} + +// InstallWithCerts - apply/delete 
certificate related objects +func InstallWithCerts(ctx context.Context, isDeleting bool, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + useSelfSignedCert, YamlString, err := getCerts(ctx, op, cr) + if err != nil { + return err + } + + if useSelfSignedCert { + issuer := createSelfSignedIssuer(cr, "selfsigned") + issuerByes, err := json.Marshal(issuer) + if err != nil { + return fmt.Errorf("marshaling ingress: %v", err) + } + + issuerYaml, err := yaml.JSONToYAML(issuerByes) + if err != nil { + return fmt.Errorf("marshaling ingress: %v", err) + } + + // create/delete issuer + err = applyDeleteObjects(ctx, ctrlClient, string(issuerYaml), isDeleting) + if err != nil { + return err + } + + hosts, err := getHosts(cr) + if err != nil { + return err } + + cert := createSelfSignedCertificate(cr, hosts, "karavi-auth", "karavi-selfsigned-tls", "selfsigned") + + certBytes, err := json.Marshal(cert) + if err != nil { + return fmt.Errorf("marshaling ingress: %v", err) + } + + certYaml, err := yaml.JSONToYAML(certBytes) + if err != nil { + return fmt.Errorf("marshaling ingress: %v", err) + } + + // create/delete certificate + err = applyDeleteObjects(ctx, ctrlClient, string(certYaml), isDeleting) + if err != nil { + return err + } + } + + err = applyDeleteObjects(ctx, ctrlClient, YamlString, isDeleting) + if err != nil { + return err + } + + return nil +} + +// getAuthCrdDeploy - apply and deploy authorization crd manifest +func getAuthCrdDeploy(op utils.OperatorConfig, cr csmv1.ContainerStorageModule) (string, error) { + yamlString := "" + + auth, err := getAuthorizationModule(cr) + if err != nil { + return yamlString, err + } + + buf, err := readConfigFile(auth, cr, op, AuthCrds) + if err != nil { + return yamlString, err + } + + yamlString = string(buf) + + yamlString = strings.ReplaceAll(yamlString, AuthNamespace, cr.Namespace) + + return yamlString, nil +} + +// AuthCrdDeploy - apply and delete Auth crds deployment +func 
AuthCrdDeploy(ctx context.Context, op utils.OperatorConfig, cr csmv1.ContainerStorageModule, ctrlClient crclient.Client) error { + auth, err := getAuthorizationModule(cr) + if err != nil { + return err + } + + // v1 does not have custom resources, so treat it like a no-op + if semver.Compare(auth.ConfigVersion, "v2.0.0-alpha") < 0 { + return nil + } + + yamlString, err := getAuthCrdDeploy(op, cr) + if err != nil { + return err + } + + err = applyDeleteObjects(ctx, ctrlClient, yamlString, false) + if err != nil { + return err } return nil } + +func createSelfSignedIssuer(cr csmv1.ContainerStorageModule, name string) *certificate.Issuer { + issuer := &certificate.Issuer{ + TypeMeta: metav1.TypeMeta{ + Kind: "Issuer", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: cr.Namespace, + }, + Spec: certificate.IssuerSpec{ + IssuerConfig: certificate.IssuerConfig{ + SelfSigned: &certificate.SelfSignedIssuer{ + CRLDistributionPoints: []string{}, + }, + }, + }, + } + + return issuer +} + +func createSelfSignedCertificate(cr csmv1.ContainerStorageModule, hosts []string, name string, secretName string, issuerName string) *certificate.Certificate { + certificate := &certificate.Certificate{ + TypeMeta: metav1.TypeMeta{ + Kind: "Certificate", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: cr.Namespace, + }, + Spec: certificate.CertificateSpec{ + SecretName: secretName, + Duration: &metav1.Duration{ + Duration: duration, // 90d + }, + RenewBefore: &metav1.Duration{ + Duration: renewBefore, // 15d + }, + Subject: &certificate.X509Subject{ + Organizations: []string{"dellemc"}, + }, + IsCA: false, + PrivateKey: &certificate.CertificatePrivateKey{ + Algorithm: "RSA", + Encoding: "PKCS1", + Size: 2048, + }, + Usages: []certificate.KeyUsage{ + "client auth", + "server auth", + }, + DNSNames: hosts, + IssuerRef: cmmetav1.ObjectReference{ + Name: issuerName, + Kind: "Issuer", + Group: "cert-manager.io", + }, + }, + } + + return certificate +} + +func 
createIngress(isOpenShift bool, cr csmv1.ContainerStorageModule) (*networking.Ingress, error) { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return nil, err + } + + className, err := getClassName(isOpenShift, cr) + if err != nil { + return nil, fmt.Errorf("getting ingress class name: %v", err) + } + + annotations, err := getAnnotations(isOpenShift, cr) + if err != nil { + return nil, fmt.Errorf("getting annotations: %v", err) + } + + hosts, err := getHosts(cr) + if err != nil { + return nil, fmt.Errorf("getting hosts: %v", err) + } + + rules, err := setIngressRules(cr) + if err != nil { + return nil, fmt.Errorf("setting ingress rules: %v", err) + } + + for _, component := range authModule.Components { + if component.Name == AuthProxyServerComponent { + if component.Certificate != "" && component.PrivateKey != "" { + secretName = "user-provided-tls" + } else { + secretName = "karavi-selfsigned-tls" + } + } + } + + ingress := networking.Ingress{ + TypeMeta: metav1.TypeMeta{ + Kind: "Ingress", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "proxy-server", + Namespace: cr.Namespace, + Annotations: annotations, + }, + Spec: networking.IngressSpec{ + IngressClassName: &className, + TLS: []networking.IngressTLS{ + { + Hosts: hosts, + SecretName: secretName, + }, + }, + Rules: rules, + }, + } + + return &ingress, nil +} + +func getAnnotations(isOpenShift bool, cr csmv1.ContainerStorageModule) (map[string]string, error) { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return nil, err + } + + annotations := make(map[string]string) + + if isOpenShift { + annotations["route.openshift.io/termination"] = "edge" + } + + for _, component := range authModule.Components { + if component.Name == AuthProxyServerComponent { + for _, ingress := range component.ProxyServerIngress { + for annotation, value := range ingress.Annotations { + annotations[annotation] = value + } + } + } + } + + return annotations, nil +} + +func getHosts(cr 
csmv1.ContainerStorageModule) ([]string, error) { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return nil, err + } + + var hosts []string + for _, component := range authModule.Components { + if component.Name == AuthProxyServerComponent { + // hostname + hosts = append(hosts, component.Hostname) + + for _, proxyServerIngress := range component.ProxyServerIngress { + // proxyServerIngress.hosts + hosts = append(hosts, proxyServerIngress.Hosts...) + } + } + } + + return hosts, nil +} + +func getClassName(isOpenShift bool, cr csmv1.ContainerStorageModule) (string, error) { + authModule, err := getAuthorizationModule(cr) + if err != nil { + return "", err + } + + for _, component := range authModule.Components { + if component.Name == AuthProxyServerComponent { + for _, proxyServerIngress := range component.ProxyServerIngress { + if !isOpenShift { + proxyIngressClassName = proxyServerIngress.IngressClassName + } else { + proxyIngressClassName = "openshift-default" + } + } + } + } + + return proxyIngressClassName, nil +} + +func setIngressRules(cr csmv1.ContainerStorageModule) ([]networking.IngressRule, error) { + var rules []networking.IngressRule + hosts, err := getHosts(cr) + if err != nil { + return nil, fmt.Errorf("getting hosts: %v", err) + } + + for _, host := range hosts { + rule := []networking.IngressRule{ + { + Host: host, + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "proxy-server", + Port: networking.ServiceBackendPort{ + Number: 8080, + }, + }, + }, + Path: "/", + PathType: &pathType, + }, + }, + }, + }, + }, + } + + rules = append(rules, rule...) 
+ } + + noHostRule := []networking.IngressRule{ + { + // no host specified, uses cluster node IP address + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "proxy-server", + Port: networking.ServiceBackendPort{ + Number: 8080, + }, + }, + }, + Path: "/", + PathType: &pathType, + }, + }, + }, + }, + }, + } + + rules = append(rules, noHostRule...) + + return rules, nil +} diff --git a/pkg/modules/authorization_test.go b/pkg/modules/authorization_test.go index 99e256741..9f7cc30c7 100644 --- a/pkg/modules/authorization_test.go +++ b/pkg/modules/authorization_test.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +// Copyright (c) 2022-2024 Dell Inc., or its subsidiaries. All Rights Reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -10,6 +10,7 @@ package modules import ( "context" + "fmt" "testing" csmv1 "github.com/dell/csm-operator/api/v1" @@ -19,12 +20,15 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" + apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" applyv1 "k8s.io/client-go/applyconfigurations/apps/v1" acorev1 "k8s.io/client-go/applyconfigurations/core/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/fake" + "k8s.io/client-go/kubernetes/scheme" + certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" ctrlClient "sigs.k8s.io/controller-runtime/pkg/client" ctrlClientFake "sigs.k8s.io/controller-runtime/pkg/client/fake" ) 
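Review bot: getClassName only assigns the package-level `proxyIngressClassName` inside the `ProxyServerIngress` loop, so for a CR with no ingress entries it returns whatever a previous reconcile — possibly of a different CR — left behind, and `secretName` in createIngress has the same problem as a package-level variable written per call. Use locals and return them: `className := ""` before the loop, `className = proxyServerIngress.IngressClassName` (or `"openshift-default"`) inside it, and `return className, nil`, with a local `secretName` in createIngress likewise. Also, getCerts injects the user-supplied certificate and key into the TLS secret YAML with `strings.ReplaceAll`, unlike the vault secrets in this same commit, which are built as `corev1.Secret` values and marshalled; constructing this secret the same way keeps substituted values from altering YAML structure. AuthCrdDeploy's comment says "apply and delete" but it always calls `applyDeleteObjects(..., false)`, so the CRDs are never removed on deletion — either document that or thread `isDeleting` through.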
@@ -310,7 +314,7 @@ func TestAuthorizationPreCheck(t *testing.T) { namespace := customResource.Namespace tmpCR := customResource auth := tmpCR.Spec.Modules[0] - auth.ConfigVersion = "v1.11.0" + auth.ConfigVersion = "v2.0.0-alpha" karaviAuthconfig := getSecret(namespace, "karavi-authorization-config") proxyAuthzTokens := getSecret(namespace, "proxy-authz-tokens") @@ -423,8 +427,8 @@ func TestAuthorizationServerPreCheck(t *testing.T) { type fakeControllerRuntimeClientWrapper func(clusterConfigData []byte) (ctrlClient.Client, error) tests := map[string]func(t *testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper){ - "success": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { - customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + "success v1": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") if err != nil { panic(err) } @@ -434,7 +438,7 @@ func TestAuthorizationServerPreCheck(t *testing.T) { karaviConfig := getSecret(customResource.Namespace, "karavi-config-secret") karaviStorage := getSecret(customResource.Namespace, "karavi-storage-secret") - karaviTLS := getSecret(customResource.Namespace, "karavi-auth-tls") + karaviTLS := getSecret(customResource.Namespace, "karavi-selfsigned-tls") sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviConfig, karaviStorage, karaviTLS).Build() 
@@ -445,6 +449,27 @@ func TestAuthorizationServerPreCheck(t *testing.T) { return true, auth, tmpCR, sourceClient, fakeControllerRuntimeClient }, + "success v2": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + auth := tmpCR.Spec.Modules[0] + + karaviConfig := getSecret(customResource.Namespace, "karavi-config-secret") + karaviTLS := getSecret(customResource.Namespace, "karavi-selfsigned-tls") + + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviConfig, karaviTLS).Build() + + fakeControllerRuntimeClient := func(_ []byte) (ctrlClient.Client, error) { + clusterClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviConfig, karaviTLS).Build() + return clusterClient, nil + } + + return true, auth, tmpCR, sourceClient, fakeControllerRuntimeClient + }, "success - version provided": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") if err != nil { @@ -453,10 +478,10 @@ func TestAuthorizationServerPreCheck(t *testing.T) { tmpCR := customResource auth := tmpCR.Spec.Modules[0] - auth.ConfigVersion = "v1.11.0" + auth.ConfigVersion = "v2.0.0-alpha" karaviConfig := getSecret(customResource.Namespace, "karavi-config-secret") karaviStorage := getSecret(customResource.Namespace, "karavi-storage-secret") - karaviTLS := getSecret(customResource.Namespace, "karavi-auth-tls") + karaviTLS := getSecret(customResource.Namespace, "karavi-selfsigned-tls") sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviConfig, karaviStorage, karaviTLS).Build() fakeControllerRuntimeClient := func(_ []byte) (ctrlClient.Client, error) { 
@@ -484,23 +509,57 @@ func TestAuthorizationServerPreCheck(t *testing.T) { return false, auth, tmpCR, sourceClient, fakeControllerRuntimeClient }, - "fail - empty proxy host": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { - customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + "fail v1 - karavi-config-secret not found": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") if err != nil { panic(err) } tmpCR := customResource auth := tmpCR.Spec.Modules[0] - for i, env := range auth.Components[0].Envs { - if env.Name == "PROXY_HOST" { - auth.Components[0].Envs[i].Value = "" - } + karaviStorage := getSecret(customResource.Namespace, "karavi-storage-secret") + karaviTLS := getSecret(customResource.Namespace, "karavi-selfsigned-tls") + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviStorage, karaviTLS).Build() + + fakeControllerRuntimeClient := func(_ []byte) (ctrlClient.Client, error) { + clusterClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviStorage, karaviTLS).Build() + return clusterClient, nil } - sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, auth, tmpCR, sourceClient, fakeControllerRuntimeClient + }, + "fail v1 - karavi-storage-secret not found": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") + if err != nil { + panic(err) + } + tmpCR := customResource + auth := tmpCR.Spec.Modules[0] + + karaviConfig := getSecret(customResource.Namespace, "karavi-config-secret") + karaviTLS := getSecret(customResource.Namespace, "karavi-selfsigned-tls") + sourceClient := 
ctrlClientFake.NewClientBuilder().WithObjects(karaviConfig, karaviTLS).Build() fakeControllerRuntimeClient := func(_ []byte) (ctrlClient.Client, error) { - clusterClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + clusterClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviConfig, karaviTLS).Build() + return clusterClient, nil + } + + return false, auth, tmpCR, sourceClient, fakeControllerRuntimeClient + }, + "fail v2 - karavi-config-secret not found": func(*testing.T) (bool, csmv1.Module, csmv1.ContainerStorageModule, ctrlClient.Client, fakeControllerRuntimeClientWrapper) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + tmpCR := customResource + auth := tmpCR.Spec.Modules[0] + + karaviTLS := getSecret(customResource.Namespace, "karavi-selfsigned-tls") + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviTLS).Build() + + fakeControllerRuntimeClient := func(_ []byte) (ctrlClient.Client, error) { + clusterClient := ctrlClientFake.NewClientBuilder().WithObjects(karaviTLS).Build() return clusterClient, nil } @@ -556,6 +615,7 @@ func TestAuthorizationServerDeployment(t *testing.T) { }, } + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(cm).Build() return true, true, tmpCR, sourceClient, operatorConfig 
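Review bot: The removed `"fail - empty proxy host"` case has no replacement in either the v1 or the v2 table, so rejection of a blank proxy host by the precheck is no longer covered; the new failure cases only vary which secret is missing. The ingress code elsewhere in this diff appends `component.Hostname` to the rule list without checking it, so a blank value would silently produce a host-less rule if the precheck does not catch it first. Add a case on `cr_auth_proxy.yaml` that clears `auth.Components[0].Hostname` and expects an error, or, if hostname validation was intentionally dropped for v2, say so in a comment on the table. The enclosing TestAuthorizationServerPreCheck table starts before this hunk.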
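Review bot: The error returned by `certmanagerv1.AddToScheme(scheme.Scheme)` is discarded, and the call is repeated inside each table case, mutating the global client-go scheme once per subtest. A registration failure would only surface later as an unrelated "no kind is registered" error from the fake client rather than at the call site. Register once at the top of TestAuthorizationServerDeployment and check it: `if err := certmanagerv1.AddToScheme(scheme.Scheme); err != nil { t.Fatal(err) }`. The `apiextv1.AddToScheme` calls added further down the file have the same shape.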
@@ -567,7 +627,31 @@ func TestAuthorizationServerDeployment(t *testing.T) { } tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, false, tmpCR, sourceClient, operatorConfig + }, + "success - creating with vault client certificates": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_vault_cert.yaml") + if err != nil { + panic(err) + } + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, false, tmpCR, sourceClient, operatorConfig + }, + "success - creating v1": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return true, false, tmpCR, sourceClient, operatorConfig @@ -579,7 +663,7 @@ func TestAuthorizationServerDeployment(t *testing.T) { } tmpCR := customResource - + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return true, false, tmpCR, sourceClient, operatorConfig 
@@ -591,7 +675,43 @@ func TestAuthorizationServerDeployment(t *testing.T) { } tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + return false, false, tmpCR, sourceClient, operatorConfig + }, + "fail - corrupt vault ca": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_bad_vault_ca.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, false, tmpCR, sourceClient, operatorConfig + }, + "fail - corrupt vault client cert": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_bad_vault_cert.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, false, tmpCR, sourceClient, operatorConfig + }, + "fail - corrupt vault client key": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_bad_vault_key.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() return false, false, tmpCR, sourceClient, operatorConfig @@ -605,6 +725,7 @@ func TestAuthorizationServerDeployment(t *testing.T) { if success { assert.NoError(t, err) } else { + fmt.Println(err) assert.Error(t, err) } }) 
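Review bot: The `fmt.Println(err)` added to the failure branch of TestAuthorizationServerDeployment is leftover debugging output: it goes to stdout unconditionally instead of the subtest's log, and it appears to be the only reason the `fmt` import was added to this file. Replace it with `t.Logf("expected error: %v", err)` or drop it, since `assert.Error` already reports a nil error together with the case name. If the intent is to check which vault-certificate error is produced, assert on the expected message substring rather than printing it. The test loop this sits in starts before the hunk.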
@@ -612,8 +733,8 @@ func TestAuthorizationServerDeployment(t *testing.T) { } func TestAuthorizationIngress(t *testing.T) { - tests := map[string]func(t *testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig){ - "success - deleting": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + tests := map[string]func(t *testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client){ + "success - deleting": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") if err != nil { panic(err) @@ -641,9 +762,9 @@ func TestAuthorizationIngress(t *testing.T) { sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(i1, i2).Build() - return true, true, tmpCR, sourceClient, operatorConfig + return true, true, tmpCR, sourceClient }, - "success - creating": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + "success - creating": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") if err != nil { panic(err) @@ -680,10 +801,10 @@ func TestAuthorizationIngress(t *testing.T) { sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(dp, pod).Build() - return true, true, tmpCR, sourceClient, operatorConfig + return true, true, tmpCR, sourceClient }, - "success - creating v1.11.0": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { - customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + "success - creating with certs": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_certs.yaml") if err != nil { panic(err) } 
@@ -719,9 +840,59 @@ func TestAuthorizationIngress(t *testing.T) { sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(dp, pod).Build() - return true, true, tmpCR, sourceClient, operatorConfig + return true, true, tmpCR, sourceClient }, - "success - creating v1.9.0": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + "success - creating with openshift and other annotations": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_openshift.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, true, tmpCR, sourceClient + }, + "success - creating v1.10.0": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + namespace := customResource.Namespace + name := namespace + "-ingress-nginx-controller" + + dp := &appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + Kind: "Deployment", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: appsv1.DeploymentSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app.kubernetes.io/name": "ingress-nginx"}, + }, + }, + } + + pod := &corev1.Pod{ + TypeMeta: metav1.TypeMeta{ + Kind: "Pod", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + } + + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(dp, pod).Build() + + return true, true, tmpCR, sourceClient + }, + "success - creating v1.9.0": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { customResource, err := getCustomResource("./testdata/cr_auth_proxy_v190.yaml") if err != nil { panic(err) 
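Review bot: The new `"success - creating with openshift and other annotations"` and `"success - creating v1.10.0"` cases return `true, true, ...`, and the second value is consumed as `isDeleting` by the loop at the bottom of this test (visible in the following hunk), so both exercise the deletion path rather than the creation their names describe; the OpenShift case in particular runs against an empty fake client, where a delete has nothing to do and passes trivially. This copies the pre-existing `"success - creating"` case, which has the same mismatch, but the new cases are the ones meant to cover the v2 ingress-class and annotation handling. Return `true, false, tmpCR, sourceClient` for the creating cases, and seed the OpenShift fake client with whatever the create path looks up (the other creating cases seed an `ingress-nginx` Deployment and Pod, which suggests it needs them) so the rule-building code actually runs.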
@@ -758,9 +929,9 @@ func TestAuthorizationIngress(t *testing.T) { sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(dp, pod).Build() - return true, true, tmpCR, sourceClient, operatorConfig + return true, true, tmpCR, sourceClient }, - "fail - wrong module name": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + "fail - wrong module name": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client) { customResource, err := getCustomResource("./testdata/cr_powerscale_replica.yaml") if err != nil { panic(err) @@ -770,17 +941,17 @@ func TestAuthorizationIngress(t *testing.T) { sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() - return false, false, tmpCR, sourceClient, operatorConfig + return false, false, tmpCR, sourceClient }, } for name, tc := range tests { t.Run(name, func(t *testing.T) { - success, isDeleting, cr, sourceClient, op := tc(t) + success, isDeleting, cr, sourceClient := tc(t) fakeReconcile := utils.FakeReconcileCSM{ Client: sourceClient, K8sClient: fake.NewSimpleClientset(), } - err := AuthorizationIngress(context.TODO(), isDeleting, op, cr, &fakeReconcile, sourceClient) + err := AuthorizationIngress(context.TODO(), isDeleting, true, cr, &fakeReconcile, sourceClient) if success { assert.NoError(t, err) } else { 
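Review bot: `AuthorizationIngress(context.TODO(), isDeleting, true, cr, &fakeReconcile, sourceClient)` hardcodes the isOpenShift argument to true for every case, so the non-OpenShift path of the ingress-class selection introduced elsewhere in this diff (class taken from the CR's `ingressClassName` instead of being forced to `openshift-default`) is never exercised. As a result the `"success - creating with openshift and other annotations"` case does not actually differ from its siblings on that axis. Return the flag from the table rather than fixing it in the loop: add a third bool to the closure tuple, pass it as `AuthorizationIngress(context.TODO(), isDeleting, isOpenShift, cr, &fakeReconcile, sourceClient)`, and give at least one vanilla-Kubernetes case `false`. The table cases themselves are in the preceding hunks.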
@@ -913,3 +1084,153 @@ func TestNginxIngressController(t *testing.T) { }) } } + +func TestAuthorizationCertificates(t *testing.T) { + tests := map[string]func(t *testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig){ + "success - using self-signed certificate": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, true, tmpCR, sourceClient, operatorConfig + }, + "success - using custom tls secret": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_certs.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return true, false, tmpCR, sourceClient, operatorConfig + }, + + "fail - using partial custom cert": func(*testing.T) (bool, bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_certs_missing_key.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + certmanagerv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, false, tmpCR, sourceClient, operatorConfig + }, + } + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + success, isDeleting, cr, sourceClient, op := tc(t) + + err := InstallWithCerts(context.TODO(), isDeleting, op, cr, sourceClient) + if success { + assert.NoError(t, err) + } else { + assert.Error(t, err) + } + }) + } +} + +func 
TestAuthorizationCrdDeploy(t *testing.T) { + tests := map[string]func(t *testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig){ + "success - deleting": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + + cr := &apiextv1.CustomResourceDefinition{ + TypeMeta: metav1.TypeMeta{ + Kind: "CustomResourceDefinition", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "csmroles.csm-authorization.storage.dell.com", + }, + } + apiextv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects(cr).Build() + return true, tmpCR, sourceClient, operatorConfig + }, + "success - creating": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + + apiextv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + return true, tmpCR, sourceClient, operatorConfig + }, + "success - creating v1": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy_v1100.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + + apiextv1.AddToScheme(scheme.Scheme) + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + return true, tmpCR, sourceClient, operatorConfig + }, + "fail - auth deployment file bad yaml": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + badOperatorConfig.ConfigDirectory = 
"./testdata/badYaml" + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, tmpCR, sourceClient, badOperatorConfig + }, + "fail - auth config file not found": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_auth_proxy.yaml") + if err != nil { + panic(err) + } + + tmpCR := customResource + badOperatorConfig.ConfigDirectory = "invalid-dir" + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + + return false, tmpCR, sourceClient, badOperatorConfig + }, + "fail - auth module not found": func(*testing.T) (bool, csmv1.ContainerStorageModule, ctrlClient.Client, utils.OperatorConfig) { + customResource, err := getCustomResource("./testdata/cr_application_mobility.yaml") + if err != nil { + panic(err) + } + + sourceClient := ctrlClientFake.NewClientBuilder().WithObjects().Build() + tmpCR := customResource + + return false, tmpCR, sourceClient, operatorConfig + }, + } + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + success, cr, sourceClient, op := tc(t) + + err := AuthCrdDeploy(ctx, op, cr, sourceClient) + if success { + assert.NoError(t, err) + } else { + assert.Error(t, err) + } + }) + } +} diff --git a/pkg/modules/commonconfig.go b/pkg/modules/commonconfig.go index 000a325fa..c0b371c54 100644 --- a/pkg/modules/commonconfig.go +++ b/pkg/modules/commonconfig.go @@ -75,6 +75,11 @@ func readConfigFile(module csmv1.Module, cr csmv1.ContainerStorageModule, op uti } } + if module.Name == csmv1.AuthorizationServer { + configPath := fmt.Sprintf("%s/moduleconfig/%s/%s/%s", op.ConfigDirectory, csmv1.Authorization, moduleConfigVersion, filename) + return os.ReadFile(filepath.Clean(configPath)) + } + configMapPath := fmt.Sprintf("%s/moduleconfig/%s/%s/%s", op.ConfigDirectory, module.Name, moduleConfigVersion, filename) return os.ReadFile(filepath.Clean(configMapPath)) } 
diff --git a/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/cert-manager.yaml b/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/cert-manager.yaml index 830785ba4..c04a8bea6 100644 --- a/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/cert-manager.yaml +++ b/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/cert-manager.yaml @@ -1,4 +1,4 @@ this snfoiasga - is +is - 843*&(*(% invalid YAml \ No newline at end of file +843*&(*(% invalid YAml diff --git a/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-backupstoragelocation.yaml b/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-backupstoragelocation.yaml index 352b19d11..6f9e18f9f 100644 --- a/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-backupstoragelocation.yaml +++ b/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-backupstoragelocation.yaml @@ -1,4 +1,4 @@ this snfoiasga - is +is - 843*&(*(% invalid YAml \ No newline at end of file +843*&(*(% invalid YAml diff --git a/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-deployment.yaml b/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-deployment.yaml index 830785ba4..c04a8bea6 100644 --- a/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-deployment.yaml +++ b/pkg/modules/testdata/badYaml/moduleconfig/application-mobility/v0.3.0/velero-deployment.yaml @@ -1,4 +1,4 @@ this snfoiasga - is +is - 843*&(*(% invalid YAml \ No newline at end of file +843*&(*(% invalid YAml diff --git a/pkg/modules/testdata/cr_application_mobility.yaml b/pkg/modules/testdata/cr_application_mobility.yaml index 777dcbd52..dd2d69bb5 100644 --- a/pkg/modules/testdata/cr_application_mobility.yaml +++ b/pkg/modules/testdata/cr_application_mobility.yaml 
@@ -12,88 +12,87 @@ spec: configVersion: v1.1.0 forceRemoveModule: true components: - - name: application-mobility-controller-manager - # enable: Enable/Disable application mobility controller-manager - enabled: true - image: dellemc/csm-application-mobility-controller:v1.1.0 - imagePullPolicy: IfNotPresent - envs: - # Replica count for application mobility - # Allowed values: string - # Default value: 1 - - name: "APPLICATION_MOBILITY_REPLICA_COUNT" - value: "1" + - name: application-mobility-controller-manager + # enable: Enable/Disable application mobility controller-manager + enabled: true + image: dellemc/csm-application-mobility-controller:v1.1.0 + imagePullPolicy: IfNotPresent + envs: + # Replica count for application mobility + # Allowed values: string + # Default value: 1 + - name: "APPLICATION_MOBILITY_REPLICA_COUNT" + value: "1" - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: false - - name: cert-manager - enabled: true - # enabled: Enable/Disable Velero - - name: velero - image: velero/velero:v1.10.0 - imagePullPolicy: IfNotPresent - enabled: true - useVolumeSnapshot: true - # enabled: Enable/Disable node-agent service - deployNodeAgent: true - envs: - # Backup storage location name - # Allowed values: string - # Default value: default - - name: "BACKUPSTORAGELOCATION_NAME" - value: "default" - - # Velero bucket name - # Allowed values: string - # Default value: my-bucket - - name: "BUCKET_NAME" - value: "my-bucket" + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: false + - name: cert-manager + enabled: true + # enabled: Enable/Disable Velero + - name: velero + image: velero/velero:v1.10.0 + imagePullPolicy: IfNotPresent + enabled: true + 
useVolumeSnapshot: true + # enabled: Enable/Disable node-agent service + deployNodeAgent: true + envs: + # Backup storage location name + # Allowed values: string + # Default value: default + - name: "BACKUPSTORAGELOCATION_NAME" + value: "default" - # Based on the objectstore being used, the velero plugin and its configuration may need to change! - # default value: aws - - name: "CONFIGURATION_PROVIDER" - value: "aws" + # Velero bucket name + # Allowed values: string + # Default value: my-bucket + - name: "BUCKET_NAME" + value: "my-bucket" - # Name of the volume snapshot location where snapshots are being taken. Required. - # Volume-snapshot-Location Provider will be same as CONFIGURATION_PROVIDER - # Default value : default - - name: "VOL_SNAPSHOT_LOCATION_NAME" - value: "default" - - # Name of the backup storage url - # This field has to be changed to a functional backup storage url - # Default value: localhost:8000 - - name: "BACKUP_STORAGE_URL" - value: "localhost:8000" + # Based on the objectstore being used, the velero plugin and its configuration may need to change! + # default value: aws + - name: "CONFIGURATION_PROVIDER" + value: "aws" - # Name of the secret in velero namespace that has credentials to access object store - # We can leave the field empty if there no existing secret in velero installed namespace - # Default value: existing-cred - - name: "APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME" - value: "existing-cred" + # Name of the volume snapshot location where snapshots are being taken. Required. + # Volume-snapshot-Location Provider will be same as CONFIGURATION_PROVIDER + # Default value : default + - name: "VOL_SNAPSHOT_LOCATION_NAME" + value: "default" - #If velero is not already present in cluster, set createWithInstall to true to create a secret. - #Either this or APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME above must be provided. 
- credentials: - - createWithInstall: true - #Specify the name to be used for secret that will be created to hold object store credentials. - name: cloud-creds - #Specify the object store access credentials to be stored in a secret with key "cloud". - secretContents: - aws_access_key_id: #Provide the access key id here - aws_secret_access_key: #provide the access key here - + # Name of the backup storage url + # This field has to be changed to a functional backup storage url + # Default value: localhost:8000 + - name: "BACKUP_STORAGE_URL" + value: "localhost:8000" + + # Name of the secret in velero namespace that has credentials to access object store + # We can leave the field empty if there no existing secret in velero installed namespace + # Default value: existing-cred + - name: "APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME" + value: "existing-cred" + + # If velero is not already present in cluster, set createWithInstall to true to create a secret. + # Either this or APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME above must be provided. + credentials: + - createWithInstall: true + # Specify the name to be used for secret that will be created to hold object store credentials. + name: cloud-creds + # Specify the object store access credentials to be stored in a secret with key "cloud". + secretContents: + aws_access_key_id: # Provide the access key id here + aws_secret_access_key: # provide the access key here # Init containers to be added to the Velero deployment's pod spec. # If the value is a string then it is evaluated as a template. 
- initContainer: - #initContainer image for the dell velero plugin - - name: dell-custom-velero-plugin - image: dellemc/csm-application-mobility-velero-plugin:latest + # initContainer image for the dell velero plugin + - name: dell-custom-velero-plugin + image: dellemc/csm-application-mobility-velero-plugin:latest - #initContainer image for the configuration provider aws - - name: velero-plugin-for-aws - image: velero/velero-plugin-for-aws:v1.5.0 + # initContainer image for the configuration provider aws + - name: velero-plugin-for-aws + image: velero/velero-plugin-for-aws:v1.5.0 diff --git a/pkg/modules/testdata/cr_application_mobility_custom_region.yaml b/pkg/modules/testdata/cr_application_mobility_custom_region.yaml index 8e7abc412..df3e43d19 100644 --- a/pkg/modules/testdata/cr_application_mobility_custom_region.yaml +++ b/pkg/modules/testdata/cr_application_mobility_custom_region.yaml 
@@ -12,92 +12,91 @@ spec: configVersion: v1.1.0 forceRemoveModule: true components: - - name: application-mobility-controller-manager - # enable: Enable/Disable application mobility controller-manager - enabled: true - image: dellemc/csm-application-mobility-controller:v1.1.0 - imagePullPolicy: IfNotPresent - envs: - # Replica count for application mobility - # Allowed values: string - # Default value: 1 - - name: "APPLICATION_MOBILITY_REPLICA_COUNT" - value: "1" + - name: application-mobility-controller-manager + # enable: Enable/Disable application mobility controller-manager + enabled: true + image: dellemc/csm-application-mobility-controller:v1.1.0 + imagePullPolicy: IfNotPresent + envs: + # Replica count for application mobility + # Allowed values: string + # Default value: 1 + - name: "APPLICATION_MOBILITY_REPLICA_COUNT" + value: "1" - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: false - - name: cert-manager - enabled: true - # enabled: Enable/Disable Velero - - name: velero - image: velero/velero:v1.10.0 - imagePullPolicy: IfNotPresent - enabled: true - useVolumeSnapshot: true - # enabled: Enable/Disable node-agent service - deployNodeAgent: true - envs: - # Backup storage location name - # Allowed values: string - # Default value: default - - name: "BACKUPSTORAGELOCATION_NAME" - value: "my-new-location" - - # Velero bucket name - # Allowed values: string - # Default value: my-bucket - - name: "BUCKET_NAME" - value: "my-bucket" - - # Region where the bucket is located - - name: "BACKUP_REGION_URL" - value: "custom" + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: false + - name: cert-manager + enabled: true + # enabled: Enable/Disable Velero + - name: velero + 
image: velero/velero:v1.10.0 + imagePullPolicy: IfNotPresent + enabled: true + useVolumeSnapshot: true + # enabled: Enable/Disable node-agent service + deployNodeAgent: true + envs: + # Backup storage location name + # Allowed values: string + # Default value: default + - name: "BACKUPSTORAGELOCATION_NAME" + value: "my-new-location" - # Based on the objectstore being used, the velero plugin and its configuration may need to change! - # default value: aws - - name: "CONFIGURATION_PROVIDER" - value: "aws" + # Velero bucket name + # Allowed values: string + # Default value: my-bucket + - name: "BUCKET_NAME" + value: "my-bucket" - # Name of the volume snapshot location where snapshots are being taken. Required. - # Volume-snapshot-Location Provider will be same as CONFIGURATION_PROVIDER - # Default value : default - - name: "VOL_SNAPSHOT_LOCATION_NAME" - value: "my-new-location" - - # Name of the backup storage url - # This field has to be changed to a functional backup storage url - # Default value: localhost:8000 - - name: "BACKUP_STORAGE_URL" - value: "localhost:8000" + # Region where the bucket is located + - name: "BACKUP_REGION_URL" + value: "custom" - # Name of the secret in velero namespace that has credentials to access object store - # We can leave the field empty if there no existing secret in velero installed namespace - # Default value: existing-cred - - name: "APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME" - value: "existing-cred" + # Based on the objectstore being used, the velero plugin and its configuration may need to change! + # default value: aws + - name: "CONFIGURATION_PROVIDER" + value: "aws" - #If velero is not already present in cluster, set createWithInstall to true to create a secret. - #Either this or APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME above must be provided. - credentials: - - createWithInstall: true - #Specify the name to be used for secret that will be created to hold object store credentials. 
- name: cloud-creds - #Specify the object store access credentials to be stored in a secret with key "cloud". - secretContents: - aws_access_key_id: #Provide the access key id here - aws_secret_access_key: #provide the access key here - + # Name of the volume snapshot location where snapshots are being taken. Required. + # Volume-snapshot-Location Provider will be same as CONFIGURATION_PROVIDER + # Default value : default + - name: "VOL_SNAPSHOT_LOCATION_NAME" + value: "my-new-location" + + # Name of the backup storage url + # This field has to be changed to a functional backup storage url + # Default value: localhost:8000 + - name: "BACKUP_STORAGE_URL" + value: "localhost:8000" + + # Name of the secret in velero namespace that has credentials to access object store + # We can leave the field empty if there no existing secret in velero installed namespace + # Default value: existing-cred + - name: "APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME" + value: "existing-cred" + + # If velero is not already present in cluster, set createWithInstall to true to create a secret. + # Either this or APPLICATION_MOBILITY_OBJECT_STORE_SECRET_NAME above must be provided. + credentials: + - createWithInstall: true + # Specify the name to be used for secret that will be created to hold object store credentials. + name: cloud-creds + # Specify the object store access credentials to be stored in a secret with key "cloud". + secretContents: + aws_access_key_id: # Provide the access key id here + aws_secret_access_key: # provide the access key here # Init containers to be added to the Velero deployment's pod spec. # If the value is a string then it is evaluated as a template. 
- initContainer: - #initContainer image for the dell velero plugin - - name: dell-custom-velero-plugin - image: dellemc/csm-application-mobility-velero-plugin:latest + # initContainer image for the dell velero plugin + - name: dell-custom-velero-plugin + image: dellemc/csm-application-mobility-velero-plugin:latest - #initContainer image for the configuration provider aws - - name: velero-plugin-for-aws - image: velero/velero-plugin-for-aws:v1.5.0 + # initContainer image for the configuration provider aws + - name: velero-plugin-for-aws + image: velero/velero-plugin-for-aws:v1.5.0 diff --git a/pkg/modules/testdata/cr_auth_proxy.yaml b/pkg/modules/testdata/cr_auth_proxy.yaml index ffd09052c..6495f0604 100644 --- a/pkg/modules/testdata/cr_auth_proxy.yaml +++ b/pkg/modules/testdata/cr_auth_proxy.yaml 
@@ -9,57 +9,96 @@ spec: - name: authorization-proxy-server # enable: Enable/Disable csm-authorization enabled: true - configVersion: v1.11.0 + configVersion: v2.0.0-alpha forceRemoveModule: true + components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.11.0 - tenantService: dellemc/csm-authorization-tenant:v1.11.0 - roleService: dellemc/csm-authorization-role:v1.11.0 - storageService: dellemc/csm-authorization-storage:v1.11.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. + controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + certificate: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" - # Specify storage class for redis. Otherwise, default storage class is used. 
- # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: rediscommander + sentinel: sentinel + redisReplicas: 5 + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add 
cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "" --- apiVersion: v1 @@ -71,3 +110,4 @@ data: csm-config-params.yaml: | CONCURRENT_POWERFLEX_REQUESTS: 10 LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m diff --git a/pkg/modules/testdata/cr_auth_proxy_bad_vault_ca.yaml b/pkg/modules/testdata/cr_auth_proxy_bad_vault_ca.yaml new file mode 100644 index 000000000..de70e8b9c --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_bad_vault_ca.yaml 
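Review bot: The comment above `certificateAuthority: ""` in the new vault component says `for self-signed certs, leave empty string`, which is copied from the certificate/privateKey fields and reads backwards for a CA: a self-signed vault server certificate is exactly the case where a CA bundle has to be supplied, and an empty value presumably only works together with `skipCertificateValidation: true`, which this fixture also sets. I would reword it to `# certificateAuthority: base64-encoded CA bundle used to validate the vault server certificate; leave empty only when skipCertificateValidation is true`. The same copied comment appears in the new cr_auth_proxy_bad_vault_ca.yaml, cr_auth_proxy_bad_vault_cert.yaml and cr_auth_proxy_bad_vault_key.yaml fixtures.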
@@ -0,0 +1,112 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: 
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "XXXXXaGVsbG8=" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_bad_vault_cert.yaml b/pkg/modules/testdata/cr_auth_proxy_bad_vault_cert.yaml new file mode 100644 index 000000000..ea69ca46f --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_bad_vault_cert.yaml 
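Review bot: `redisCommander: redicommander` in the redis component of this new fixture is misspelled relative to `rediscommander` in cr_auth_proxy.yaml, cr_auth_proxy_bad_vault_cert.yaml and cr_auth_proxy_bad_vault_key.yaml, so the fixture differs from its siblings in two fields rather than only in the bad `certificateAuthority`. If the test it backs asserts only on the CA failure the typo is harmless today, but it could mask a redis-naming regression; I would change it to `redisCommander: rediscommander`. The ConfigMap at the end of this fixture and of the two sibling bad_vault fixtures also omits the `STORAGE_CAPACITY_POLL_INTERVAL: 5m` entry that cr_auth_proxy.yaml gains in this same commit — likely fine for a negative test, but worth confirming it is intentional.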
@@ -0,0 +1,112 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: rediscommander + sentinel: sentinel + redisReplicas: 5 + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: 
"XXXXXaGVsbG8=" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_bad_vault_key.yaml b/pkg/modules/testdata/cr_auth_proxy_bad_vault_key.yaml new file mode 100644 index 000000000..ca76349d4 --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_bad_vault_key.yaml 
@@ -0,0 +1,112 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: rediscommander + sentinel: sentinel + redisReplicas: 5 + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: 
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "XXXXXaGVsbG8=" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_certs.yaml b/pkg/modules/testdata/cr_auth_proxy_certs.yaml new file mode 100644 index 000000000..8c483b11d --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_certs.yaml 
@@ -0,0 +1,91 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "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" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "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" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m 
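Review bot: The redis component in this new fixture drops the `redisName`, `redisCommander`, `sentinel` and `redisReplicas` fields that cr_auth_proxy.yaml sets and uses `storageclass: ""`, so it is not a pure custom-certificates twin of that fixture; if it is meant to exercise only the certificate/privateKey path, aligning the redis block with cr_auth_proxy.yaml would keep the test focused on one variable. I cannot confirm from the hunk whether the `certificate` and `privateKey` values are a generated throwaway pair or real material; either way a comment such as `# test-only self-signed pair generated for this fixture; not used anywhere else` above them would keep secret scanners and future readers from treating them as a leak. cr_auth_proxy_certs_missing_key.yaml has the same redis block and the same consideration for its `certificate` value.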
diff --git a/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml b/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml new file mode 100644 index 000000000..09e034b23 --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_certs_missing_key.yaml 
@@ -0,0 +1,91 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "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" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m diff --git a/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml b/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml index 74a5d8a1e..d637495fb 100644 
--- a/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml 
@@ -9,59 +9,84 @@ spec: - name: authorization-proxy-server # enable: Enable/Disable csm-authorization enabled: true - configVersion: v1.11.0 + configVersion: v2.0.0-alpha forceRemoveModule: true + components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.11.0 - tenantService: dellemc/csm-authorization-tenant:v1.11.0 - roleService: dellemc/csm-authorization-role:v1.11.0 - storageService: dellemc/csm-authorization-storage:v1.11.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. + controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + certificate: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is 
configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: rediscommander + sentinel: sentinel + redisReplicas: 5 # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + storageclass: "" - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret --- apiVersion: v1 @@ -73,3 +98,4 @@ data: csm-config-params.yaml: | CONCURRENT_POWERFLEX_REQUESTS: 10 LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m 
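Review bot: The new `vault` component in this fixture carries `skipCertificateValidation: true` with no comment, while every other key in the file documents its meaning and default; the same bare key appears in cr_auth_proxy_openshift.yaml and cr_auth_proxy_vault_cert.yaml. Mirroring the wording already used for the csm-authorization server in the powerscale fixtures, `# skipCertificateValidation: Enable/Disable certificate validation of the vault server` (plus `# Default value: false` if that is the controller default — not visible here) would make it clear that `true` is a test-only setting. Separately, a file named no_redis now contains a `redis` component with `redisReplicas: 5`, so the name no longer says what the fixture exercises; if the intent is the empty `storageclass: ""`, a one-line header comment stating that would help the next reader.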
diff --git a/pkg/modules/testdata/cr_auth_proxy_openshift.yaml b/pkg/modules/testdata/cr_auth_proxy_openshift.yaml
new file mode 100644
index 000000000..bb64fcc8b
--- /dev/null
+++ b/pkg/modules/testdata/cr_auth_proxy_openshift.yaml
@@ -0,0 +1,113 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+ name: authorization
+ namespace: authorization
+spec:
+ modules:
+ # Authorization: enable csm-authorization proxy server for RBAC
+ - name: authorization-proxy-server
+ # enable: Enable/Disable csm-authorization
+ enabled: true
+ configVersion: v2.0.0-alpha
+ forceRemoveModule: true
+
+ components:
+ # For Kubernetes Container Platform only
+ # enabled: Enable/Disable NGINX Ingress Controller
+ # Allowed values:
+ # true: enable deployment of NGINX Ingress Controller
+ # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: true
+ - name: nginx
+ enabled: true
+
+ # enabled: Enable/Disable cert-manager
+ # Allowed values:
+ # true: enable deployment of cert-manager
+ # false: disable deployment of cert-manager only if it's already deployed
+ # Default value: true
+ - name: cert-manager
+ enabled: true
+
+ - name: proxy-server
+ # enable: Enable/Disable csm-authorization proxy server
+ enabled: true
+ proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+ tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+ roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+ storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+ opa: openpolicyagent/opa
+ opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+
+ # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis.
+ controllerReconcileInterval: 5m
+
+ # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+
+ # proxy-server ingress will use this hostname
+ # NOTE: an additional hostname can be configured in proxyServerIngress.hosts
+ # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required
+ hostname: "csm-authorization.com"
+
+ # proxy-server ingress configuration
+ proxyServerIngress:
+ - ingressClassName: nginx
+
+ # additional host rules for the proxy-server ingress
+ hosts:
+ - authorization-ingress-nginx-controller.authorization.svc.cluster.local
+
+ # additional annotations for the proxy-server ingress
+ annotations:
+ "label": "value"
+
+ - name: redis
+ redis: redis:6.0.8-alpine
+ commander: rediscommander/redis-commander:latest
+ redisName: redis-csm
+ redisCommander: rediscommander
+ sentinel: sentinel
+ redisReplicas: 5
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
+ # to use a different storage class for redis, specify the name of the storage class
+ # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
+ # Default value: None
+ storageclass: "local-storage"
+
+ - name: vault
+ vaultAddress: https://10.0.0.1:8400
+ vaultRole: csm-authorization
+ skipCertificateValidation: true
+ kvEnginePath: secret
+ # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+ # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificateAuthority: ""
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: csm-config-params
+ namespace: authorization
+data:
+ csm-config-params.yaml: |
+ CONCURRENT_POWERFLEX_REQUESTS: 10
+ LOG_LEVEL: debug
diff --git a/pkg/modules/testdata/cr_auth_proxy_v1100.yaml b/pkg/modules/testdata/cr_auth_proxy_v1100.yaml
new file mode 100644
index 000000000..16263a6d1
--- /dev/null
+++ b/pkg/modules/testdata/cr_auth_proxy_v1100.yaml
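Review bot: The `nginx` component is enabled in a fixture named openshift although its own comment says `# For Kubernetes Container Platform only`; either the comment or the fixture's intent needs clarifying, e.g. `# For Kubernetes Container Platform only; set enabled: false on OpenShift` if that is the rule, or drop the qualifier if nginx is expected on OpenShift too (the test that consumes this file is not visible here). Also, the `certificateAuthority` comment in the `vault` block was copied from the proxy-server TLS block: for a self-signed Vault server certificate, leaving the CA empty cannot validate anything, and the fixture only works because `skipCertificateValidation: true` is set alongside it. Suggest `# certificateAuthority: base64-encoded CA bundle used to validate the vault server certificate; for a self-signed vault cert, supply its CA here and keep skipCertificateValidation false` so the comment does not steer users toward disabling validation.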
@@ -0,0 +1,87 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+ name: authorization
+ namespace: authorization
+spec:
+ modules:
+ # Authorization: enable csm-authorization proxy server for RBAC
+ - name: authorization-proxy-server
+ # enable: Enable/Disable csm-authorization
+ enabled: true
+ configVersion: v1.10.0
+ forceRemoveModule: true
+
+ components:
+ # For Kubernetes Container Platform only
+ # enabled: Enable/Disable NGINX Ingress Controller
+ # Allowed values:
+ # true: enable deployment of NGINX Ingress Controller
+ # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: true
+ - name: nginx
+ enabled: true
+
+ # enabled: Enable/Disable cert-manager
+ # Allowed values:
+ # true: enable deployment of cert-manager
+ # false: disable deployment of cert-manager only if it's already deployed
+ # Default value: true
+ - name: cert-manager
+ enabled: true
+
+ - name: proxy-server
+ # enable: Enable/Disable csm-authorization proxy server
+ enabled: true
+ proxyService: dellemc/csm-authorization-proxy:v1.10.0
+ tenantService: dellemc/csm-authorization-tenant:v1.10.0
+ roleService: dellemc/csm-authorization-role:v1.10.0
+ storageService: dellemc/csm-authorization-storage:v1.10.0
+ opa: openpolicyagent/opa
+ opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+
+ # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+
+ # proxy-server ingress will use this hostname
+ # NOTE: an additional hostname can be configured in proxyServerIngress.hosts
+ # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required
+ hostname: "csm-authorization.com"
+
+ # proxy-server ingress configuration
+ proxyServerIngress:
+ - ingressClassName: nginx
+
+ # additional host rules for the proxy-server ingress
+ hosts:
+ - authorization-ingress-nginx-controller.authorization.svc.cluster.local
+
+ # additional annotations for the proxy-server ingress
+ annotations: {}
+
+ - name: redis
+ redis: redis:6.0.8-alpine
+ commander: rediscommander/redis-commander:latest
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
+ # to use a different storage class for redis, specify the name of the storage class
+ # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
+ # Default value: None
+ storageclass: "local-storage"
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: csm-config-params
+ namespace: authorization
+data:
+ csm-config-params.yaml: |
+ CONCURRENT_POWERFLEX_REQUESTS: 10
+ LOG_LEVEL: debug
diff --git a/pkg/modules/testdata/cr_auth_proxy_v180.yaml b/pkg/modules/testdata/cr_auth_proxy_v180.yaml
deleted file mode 100644
index 96f0c08b4..000000000
--- a/pkg/modules/testdata/cr_auth_proxy_v180.yaml
+++ /dev/null
@@ -1,73 +0,0 @@ -apiVersion: storage.dell.com/v1 -kind: ContainerStorageModule -metadata: - name: authorization - namespace: authorization -spec: - modules: - # Authorization: enable csm-authorization proxy server for RBAC - - name: authorization-proxy-server - # enable: Enable/Disable csm-authorization - enabled: true - configVersion: v1.8.0 - forceRemoveModule: true - components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.8.0 - tenantService: dellemc/csm-authorization-tenant:v1.8.0 - roleService: dellemc/csm-authorization-role:v1.8.0 - storageService: dellemc/csm-authorization-storage:v1.8.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" - - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" - - # Specify storage class for redis. Otherwise, default storage class is used. 
- # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" - - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true - - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: csm-config-params - namespace: authorization -data: - csm-config-params.yaml: | - CONCURRENT_POWERFLEX_REQUESTS: 10 - LOG_LEVEL: debug diff --git a/pkg/modules/testdata/cr_auth_proxy_v190.yaml b/pkg/modules/testdata/cr_auth_proxy_v190.yaml index 9cb30a7f3..653e59841 100644 --- a/pkg/modules/testdata/cr_auth_proxy_v190.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_v190.yaml 
@@ -12,54 +12,67 @@ spec: configVersion: v1.9.0 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.9.0 - tenantService: dellemc/csm-authorization-tenant:v1.9.0 - roleService: dellemc/csm-authorization-role:v1.9.0 - storageService: dellemc/csm-authorization-storage:v1.9.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.9.0 + tenantService: dellemc/csm-authorization-tenant:v1.9.0 + roleService: dellemc/csm-authorization-role:v1.9.0 + storageService: dellemc/csm-authorization-storage:v1.9.0 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: 
base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + privateKey: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" - # Specify storage class for redis. Otherwise, default storage class is used. 
- # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" --- apiVersion: v1 diff --git a/pkg/modules/testdata/cr_auth_proxy_vault_cert.yaml b/pkg/modules/testdata/cr_auth_proxy_vault_cert.yaml new file mode 100644 index 000000000..a4948e91f --- /dev/null +++ b/pkg/modules/testdata/cr_auth_proxy_vault_cert.yaml 
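Review bot: The replacement comment on `storageclass` says csm-authorization deploys a local volume by default, whereas the removed `REDIS_STORAGE_CLASS` comment in the same hunk said the cluster's default storage class is used otherwise; the two describe different default behaviour, and for a v1.9.0 fixture only one of them can be right. Since the new wording is shared verbatim with the v2.0.0-alpha fixtures, it may describe the newer code path; please confirm which applies to v1.9.0 and, if it is the old behaviour, keep `# Specify storage class for redis. Otherwise, default storage class is used.` here. The value itself (`"local-storage"`) is preserved from the old env, so this is a documentation point only.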
@@ -0,0 +1,112 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+ name: authorization
+ namespace: authorization
+spec:
+ modules:
+ # Authorization: enable csm-authorization proxy server for RBAC
+ - name: authorization-proxy-server
+ # enable: Enable/Disable csm-authorization
+ enabled: true
+ configVersion: v2.0.0-alpha
+ forceRemoveModule: true
+
+ components:
+ # For Kubernetes Container Platform only
+ # enabled: Enable/Disable NGINX Ingress Controller
+ # Allowed values:
+ # true: enable deployment of NGINX Ingress Controller
+ # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section
+ # Default value: true
+ - name: nginx
+ enabled: true
+
+ # enabled: Enable/Disable cert-manager
+ # Allowed values:
+ # true: enable deployment of cert-manager
+ # false: disable deployment of cert-manager only if it's already deployed
+ # Default value: true
+ - name: cert-manager
+ enabled: true
+
+ - name: proxy-server
+ # enable: Enable/Disable csm-authorization proxy server
+ enabled: true
+ proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+ tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+ roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+ storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+ opa: openpolicyagent/opa
+ opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+
+ # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis.
+ controllerReconcileInterval: 5m
+
+ # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: ""
+
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: ""
+
+ # proxy-server ingress will use this hostname
+ # NOTE: an additional hostname can be configured in proxyServerIngress.hosts
+ # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required
+ hostname: "csm-authorization.com"
+
+ # proxy-server ingress configuration
+ proxyServerIngress:
+ - ingressClassName: nginx
+
+ # additional host rules for the proxy-server ingress
+ hosts:
+ - authorization-ingress-nginx-controller.authorization.svc.cluster.local
+
+ # additional annotations for the proxy-server ingress
+ annotations: {}
+
+ - name: redis
+ redis: redis:6.0.8-alpine
+ commander: rediscommander/redis-commander:latest
+ redisName: redis-csm
+ redisCommander: rediscommander
+ sentinel: sentinel
+ redisReplicas: 5
+ # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
+ # to use a different storage class for redis, specify the name of the storage class
+ # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
+ # Default value: None
+ storageclass: "local-storage"
+
+ - name: vault
+ vaultAddress: https://10.0.0.1:8400
+ vaultRole: csm-authorization
+ skipCertificateValidation: true
+ kvEnginePath: secret
+ # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+ # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ privateKey: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+ # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+ # for self-signed certs, leave empty string
+ # Allowed values: string
+ certificateAuthority: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmR1bW15Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: csm-config-params
+ namespace: authorization
+data:
+ csm-config-params.yaml: |
+ CONCURRENT_POWERFLEX_REQUESTS: 10
+ LOG_LEVEL: debug
diff --git a/pkg/modules/testdata/cr_powerflex_observability.yaml b/pkg/modules/testdata/cr_powerflex_observability.yaml
index e44d29899..7999dfc5c 100644
--- a/pkg/modules/testdata/cr_powerflex_observability.yaml
+++ b/pkg/modules/testdata/cr_powerflex_observability.yaml
@@ -42,7 +42,7 @@ spec: - name: HOST_PID value: "1" - name: MDM - value: "10.x.x.x,10.x.x.x" #provide MDM value + value: "10.x.x.x,10.x.x.x" # provide MDM value # health monitor is disabled by default, refer to driver documentation before enabling it # Also set the env variable controller.envs.X_CSI_HEALTH_MONITOR_ENABLED to "true". - name: csi-external-health-monitor-controller
@@ -58,7 +58,7 @@ spec: # Default value: false - name: X_CSI_HEALTH_MONITOR_ENABLED value: "false" - #"controller.nodeSelector" defines what nodes would be selected for pods of controller deployment + # "controller.nodeSelector" defines what nodes would be selected for pods of controller deployment # Leave as blank to use all nodes # Allowed values: map of key-value pairs # Default value: None
@@ -121,7 +121,7 @@ spec: name: sdc envs: - name: MDM - value: "10.x.x.x,10.x.x.x" #provide MDM value + value: "10.x.x.x,10.x.x.x" # provide MDM value modules: # observability: allows to configure observability - name: observability diff --git a/pkg/modules/testdata/cr_powerflex_observability_custom_cert.yaml b/pkg/modules/testdata/cr_powerflex_observability_custom_cert.yaml index 64be4394d..0a6b9bb1a 100644 --- a/pkg/modules/testdata/cr_powerflex_observability_custom_cert.yaml +++ b/pkg/modules/testdata/cr_powerflex_observability_custom_cert.yaml @@ -52,7 +52,7 @@ spec: - name: HOST_PID value: "1" - name: MDM - value: "10.xx.xx.xx,10.xx.xx.xx" #do not add mdm value here if it is present in secret + value: "10.xx.xx.xx,10.xx.xx.xx" # do not add mdm value here if it is present in secret # health monitor is disabled by default, refer to driver documentation before enabling it # Also set the env variable controller.envs.X_CSI_HEALTH_MONITOR_ENABLED to "true". - name: csi-external-health-monitor-controller @@ -61,7 +61,7 @@ spec: # Uncomment the following to configure how often external-provisioner polls the driver to detect changed capacity # Configure when the storageCapacity is set as "true" # Allowed values: 1m,2m,3m,...,10m,...,60m etc. Default value: 5m - #- name: provisioner + # - name: provisioner # args: ["--capacity-poll-interval=5m"] controller: @@ -79,7 +79,7 @@ spec: # Default Value: None - name: X_CSI_POWERFLEX_EXTERNAL_ACCESS value: - #"controller.nodeSelector" defines what nodes would be selected for pods of controller deployment + # "controller.nodeSelector" defines what nodes would be selected for pods of controller deployment # Leave as blank to use all nodes # Allowed values: map of key-value pairs # Default value: None 
@@ -165,7 +165,7 @@ spec: name: sdc envs: - name: MDM - value: "10.xx.xx.xx,10.xx.xx.xx" #provide MDM value + value: "10.xx.xx.xx,10.xx.xx.xx" # provide MDM value modules: # observability: allows to configure observability - name: observability diff --git a/pkg/modules/testdata/cr_powerflex_observability_custom_cert_missing_key.yaml b/pkg/modules/testdata/cr_powerflex_observability_custom_cert_missing_key.yaml index 66c19d859..4d3b986b6 100644 --- a/pkg/modules/testdata/cr_powerflex_observability_custom_cert_missing_key.yaml +++ b/pkg/modules/testdata/cr_powerflex_observability_custom_cert_missing_key.yaml @@ -52,7 +52,7 @@ spec: - name: HOST_PID value: "1" - name: MDM - value: "10.xx.xx.xx,10.xx.xx.xx" #do not add mdm value here if it is present in secret + value: "10.xx.xx.xx,10.xx.xx.xx" # do not add mdm value here if it is present in secret # health monitor is disabled by default, refer to driver documentation before enabling it # Also set the env variable controller.envs.X_CSI_HEALTH_MONITOR_ENABLED to "true". - name: csi-external-health-monitor-controller @@ -61,7 +61,7 @@ spec: # Uncomment the following to configure how often external-provisioner polls the driver to detect changed capacity # Configure when the storageCapacity is set as "true" # Allowed values: 1m,2m,3m,...,10m,...,60m etc. Default value: 5m - #- name: provisioner + # - name: provisioner # args: ["--capacity-poll-interval=5m"] controller: @@ -79,7 +79,7 @@ spec: # Default Value: None - name: X_CSI_POWERFLEX_EXTERNAL_ACCESS value: - #"controller.nodeSelector" defines what nodes would be selected for pods of controller deployment + # "controller.nodeSelector" defines what nodes would be selected for pods of controller deployment # Leave as blank to use all nodes # Allowed values: map of key-value pairs # Default value: None 
@@ -165,7 +165,7 @@ spec: name: sdc envs: - name: MDM - value: "10.xx.xx.xx,10.xx.xx.xx" #provide MDM value + value: "10.xx.xx.xx,10.xx.xx.xx" # provide MDM value modules: # observability: allows to configure observability - name: observability diff --git a/pkg/modules/testdata/cr_powermax_observability.yaml b/pkg/modules/testdata/cr_powermax_observability.yaml index fa87ef59c..96a7a0813 100644 --- a/pkg/modules/testdata/cr_powermax_observability.yaml +++ b/pkg/modules/testdata/cr_powermax_observability.yaml @@ -102,6 +102,6 @@ spec: # proxyHost: hostname of the csm-authorization server - name: "PROXY_HOST" value: "testing-proxy-host" - # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server + # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server - name: "SKIP_CERTIFICATE_VALIDATION" value: "true" diff --git a/pkg/modules/testdata/cr_powerscale_auth.yaml b/pkg/modules/testdata/cr_powerscale_auth.yaml index 509378d89..91aa90a5d 100644 --- a/pkg/modules/testdata/cr_powerscale_auth.yaml +++ b/pkg/modules/testdata/cr_powerscale_auth.yaml @@ -23,6 +23,6 @@ spec: # proxyHost: hostname of the csm-authorization server - name: "PROXY_HOST" value: "testing-proxy-host" - # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server + # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server - name: "SKIP_CERTIFICATE_VALIDATION" value: "true" diff --git a/pkg/modules/testdata/cr_powerscale_auth_validate_cert.yaml b/pkg/modules/testdata/cr_powerscale_auth_validate_cert.yaml index ab59d4635..8e8addb3b 100644 --- a/pkg/modules/testdata/cr_powerscale_auth_validate_cert.yaml +++ b/pkg/modules/testdata/cr_powerscale_auth_validate_cert.yaml 
@@ -23,6 +23,6 @@ spec: # proxyHost: hostname of the csm-authorization server - name: "PROXY_HOST" value: "testing-proxy-host" - # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server + # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server - name: "SKIP_CERTIFICATE_VALIDATION" value: "false" diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index 25b5610a7..49ff7bd02 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -112,6 +112,11 @@ type ReplicaCluster struct { ClusterK8sClient kubernetes.Interface } +// CSMComponentType - type constraint for DriverType and ModuleType +type CSMComponentType interface { + csmv1.ModuleType | csmv1.DriverType +} + const ( // DefaultReleaseName constant DefaultReleaseName = "" @@ -137,8 +142,6 @@ const ( ObservabilityNamespace = "karavi" // AuthorizationNamespace - authorization AuthorizationNamespace = "authorization" - // AuthProxyServerComponent - karavi-authorization-proxy-server component - AuthProxyServerComponent = "karavi-authorization-proxy-server" // PodmonControllerComponent - podmon-controller PodmonControllerComponent = "podmon-controller" // PodmonNodeComponent - podmon-node @@ -1150,7 +1153,7 @@ func DetermineUnitTestRun(ctx context.Context) bool { } // IsValidUpgrade will check if upgrade of module/driver is allowed -func IsValidUpgrade[T csmv1.CSMComponentType](ctx context.Context, oldVersion, newVersion string, csmComponentType T, operatorConfig OperatorConfig) (bool, error) { +func IsValidUpgrade[T CSMComponentType](ctx context.Context, oldVersion, newVersion string, csmComponentType T, operatorConfig OperatorConfig) (bool, error) { log := logger.GetLogger(ctx) // if versions are equal, it is a modification 
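Review bot: The doc comment on the new `CSMComponentType` constraint does not follow the Go convention of a sentence beginning with the identifier, and it does not mention that a union interface can only be used as a type-parameter constraint, never as a value type; suggest `// CSMComponentType is the type-parameter constraint shared by IsValidUpgrade and getUpgradeInfo: a csmv1.ModuleType or csmv1.DriverType. Being a type-set union, it cannot be used as an ordinary value type.` The hunks at `IsValidUpgrade` and `getUpgradeInfo` only switch from `csmv1.CSMComponentType` to this local constraint; if the definition in the csmv1 package still exists after this commit, the two should be reconciled so there is one source of truth (not visible here).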
@@ -1194,7 +1197,7 @@ func IsValidUpgrade[T csmv1.CSMComponentType](ctx context.Context, oldVersion, n return isUpgradeValid || isDowngradeValid, fmt.Errorf("upgrade/downgrade of %s from version %s to %s not valid", csmComponentType, oldVersion, newVersion) } -func getUpgradeInfo[T csmv1.CSMComponentType](ctx context.Context, operatorConfig OperatorConfig, csmCompType T, oldVersion string) (string, error) { +func getUpgradeInfo[T CSMComponentType](ctx context.Context, operatorConfig OperatorConfig, csmCompType T, oldVersion string) (string, error) { log := logger.GetLogger(ctx) csmCompConfigDir := "" diff --git a/samples/authorization/certificate_v1100.yaml b/samples/authorization/certificate_v1100.yaml deleted file mode 100644 index 0483b828a..000000000 --- a/samples/authorization/certificate_v1100.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned - namespace: authorization -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth - namespace: authorization -spec: - secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - csm-authorization.com - - authorization-ingress-nginx-controller.authorization.svc.cluster.local - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io diff --git a/samples/authorization/certificate_v1101.yaml b/samples/authorization/certificate_v1101.yaml deleted file mode 100644 index 0483b828a..000000000 --- a/samples/authorization/certificate_v1101.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned - namespace: authorization -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth - namespace: authorization -spec: - secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - csm-authorization.com - - authorization-ingress-nginx-controller.authorization.svc.cluster.local - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io diff --git a/samples/authorization/certificate_v1110.yaml b/samples/authorization/certificate_v1110.yaml deleted file mode 100644 index 0483b828a..000000000 --- a/samples/authorization/certificate_v1110.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned - namespace: authorization -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth - namespace: authorization -spec: - secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - csm-authorization.com - - authorization-ingress-nginx-controller.authorization.svc.cluster.local - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io diff --git a/samples/authorization/certificate_v190.yaml b/samples/authorization/certificate_v190.yaml deleted file mode 100644 index 0483b828a..000000000 --- a/samples/authorization/certificate_v190.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned - namespace: authorization -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth - namespace: authorization -spec: - secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - csm-authorization.com - - authorization-ingress-nginx-controller.authorization.svc.cluster.local - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io diff --git a/samples/authorization/certificate_v191.yaml b/samples/authorization/certificate_v191.yaml deleted file mode 100644 index 0483b828a..000000000 --- a/samples/authorization/certificate_v191.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned - namespace: authorization -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth - namespace: authorization -spec: - secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - csm-authorization.com - - authorization-ingress-nginx-controller.authorization.svc.cluster.local - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io diff --git a/samples/authorization/csm-authorization_csmrole.yaml b/samples/authorization/csm-authorization_csmrole.yaml new file mode 100644 index 000000000..4948ba7b1 --- /dev/null +++ b/samples/authorization/csm-authorization_csmrole.yaml 
@@ -0,0 +1,15 @@ +apiVersion: csm-authorization.storage.dell.com/v1alpha1 +kind: CSMRole +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: role-sample + app.kubernetes.io/part-of: csm-authorization + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: csm-authorization + name: csmrole-sample +spec: + quota: 0GB + systemID: pscale-xyz + systemType: powerscale + pool: /ifs/data/csi diff --git a/samples/authorization/csm-authorization_csmtenant.yaml b/samples/authorization/csm-authorization_csmtenant.yaml new file mode 100644 index 000000000..c6f25183f --- /dev/null +++ b/samples/authorization/csm-authorization_csmtenant.yaml @@ -0,0 +1,18 @@ +apiVersion: csm-authorization.storage.dell.com/v1alpha1 +kind: CSMTenant +metadata: + labels: + app.kubernetes.io/name: csmtenant + app.kubernetes.io/instance: csmtenant-sample + app.kubernetes.io/part-of: csm-authorization + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: csm-authorization + name: csmtenant-sample +spec: + # TODO(user): Add fields here + roles: role1,role2 + approveSdc: false + revoke: false + # This prefix is added for each new volume provisioned by the tenant. + # It should not exceed 3 characters. Example: tn1 + volumePrefix: tn1 diff --git a/samples/authorization/csm-authorization_storage.yaml b/samples/authorization/csm-authorization_storage.yaml new file mode 100644 index 000000000..2343a1259 --- /dev/null +++ b/samples/authorization/csm-authorization_storage.yaml @@ -0,0 +1,12 @@ +apiVersion: csm-authorization.storage.dell.com/v1alpha1 +kind: Storage +metadata: + name: powerflex +spec: + type: powerflex + endpoint: https://127.0.0.1 + systemID: 1a99aa999999aa9a + credentialStore: vault + credentialPath: storage/powerflex + skipCertificateValidation: true + pollInterval: 30s 
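Review bot: `quota: 0GB` in the CSMRole sample is undocumented, and a reader cannot tell whether 0 means "no limit" or "zero capacity"; the CSMTenant sample in this change documents `volumePrefix` inline, and this field deserves the same. I would add above it `# quota: capacity this role may provision from the pool; 0GB presumably means unlimited -- confirm`, with the wording replaced by the actual controller behaviour. `systemID: pscale-xyz` and `pool: /ifs/data/csi` could likewise carry a one-line hint that they must match a registered Storage object.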
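Review bot: The CSMTenant sample still carries the kubebuilder scaffold placeholder `# TODO(user): Add fields here` directly above real fields, which tells users the sample is unfinished; drop that line. Since `roles: role1,role2` is a single comma-separated string rather than a YAML sequence, add `# roles: comma-separated list of CSMRole names bound to this tenant` so nobody writes a list there and gets a type error. `approveSdc` and `revoke` have no explanation at all; one comment each (what is approved, what is revoked and when) would make the sample usable without reading the controller.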
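Review bot: The Storage sample ships with `skipCertificateValidation: true` against `endpoint: https://127.0.0.1`, so anyone who copies it gets a credential-bearing connection to the array with TLS verification disabled. A sample should default to `skipCertificateValidation: false`, or at least carry a warning such as `# skipCertificateValidation: disables TLS verification of the storage endpoint -- leave false outside a lab`. The `credentialStore: vault` / `credentialPath: storage/powerflex` pair is also undocumented; a comment stating what keys are expected at that Vault path would help, since the consumer is not visible here.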
diff --git a/samples/authorization/csm_authorization_proxy_server_v1100.yaml b/samples/authorization/csm_authorization_proxy_server_v1100.yaml index be20f541f..aaf92390d 100644 --- a/samples/authorization/csm_authorization_proxy_server_v1100.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v1100.yaml 
@@ -12,55 +12,68 @@ spec: configVersion: v1.10.0 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.10.0 - tenantService: dellemc/csm-authorization-tenant:v1.10.0 - roleService: dellemc/csm-authorization-role:v1.10.0 - storageService: dellemc/csm-authorization-storage:v1.10.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.10.0 + tenantService: dellemc/csm-authorization-tenant:v1.10.0 + roleService: dellemc/csm-authorization-role:v1.10.0 + storageService: dellemc/csm-authorization-storage:v1.10.0 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for 
self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # proxy-server ingress will use this hostname - # NOTE: an additional hostname can be configured in the PROXY_INGRESS_HOST environment variable + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required - - name: "PROXY_HOST" - value: "csm-authorization.com" + hostname: "csm-authorization.com" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true - - # enabled: 
Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + storageclass: "" --- apiVersion: v1 diff --git a/samples/authorization/csm_authorization_proxy_server_v1101.yaml b/samples/authorization/csm_authorization_proxy_server_v1101.yaml index 72104f658..13f4427d4 100644 --- a/samples/authorization/csm_authorization_proxy_server_v1101.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v1101.yaml 
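Review bot: The new `privateKey:` field asks for a base64-encoded private key directly in the ContainerStorageModule spec, which is a plain custom resource, not a Secret: anyone who can get CSM objects, every etcd backup, and any GitOps repository this sample is copied into then holds the proxy-server's key. If the operator cannot take a Secret reference instead, the sample should at least warn, e.g. `# NOTE: this CR is not a Secret -- anything placed here is readable by anyone who can read ContainerStorageModule objects; prefer the cert-manager path (leave empty) in production`. Separately, `commander: rediscommander/redis-commander:latest` and `opa: openpolicyagent/opa` (no tag at all) are unpinned images for a database web UI and the policy engine, which pulls whatever is newest and makes installs non-reproducible; pin them like the other images in this block.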
@@ -12,55 +12,68 @@ spec: configVersion: v1.10.1 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.10.1 - tenantService: dellemc/csm-authorization-tenant:v1.10.1 - roleService: dellemc/csm-authorization-role:v1.10.1 - storageService: dellemc/csm-authorization-storage:v1.10.1 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.10.1 + tenantService: dellemc/csm-authorization-tenant:v1.10.1 + roleService: dellemc/csm-authorization-role:v1.10.1 + storageService: dellemc/csm-authorization-storage:v1.10.1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for 
self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # proxy-server ingress will use this hostname - # NOTE: an additional hostname can be configured in the PROXY_INGRESS_HOST environment variable + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required - - name: "PROXY_HOST" - value: "csm-authorization.com" + hostname: "csm-authorization.com" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true - - # enabled: 
Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + storageclass: "" --- apiVersion: v1 diff --git a/samples/authorization/csm_authorization_proxy_server_v1110.yaml b/samples/authorization/csm_authorization_proxy_server_v1110.yaml index 122b07d99..65e27fa9c 100644 --- a/samples/authorization/csm_authorization_proxy_server_v1110.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v1110.yaml 
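Review bot: The note `proxy-server ingress is configured to accept IP address connections so hostnames are not required` sits next to a certificate that, whether supplied via `certificate`/`privateKey` or issued by cert-manager, is presumably valid for DNS names only, so a client connecting by IP would fail hostname verification unless it disables certificate validation on its side. The comment should say which it is: either `# NOTE: connecting by IP only passes TLS verification if the supplied certificate carries that IP as a SAN; otherwise the driver must skip certificate validation`, or drop the encouragement to use bare IPs. I cannot see the generated Certificate from this hunk, so please confirm which applies before rewording.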
@@ -12,55 +12,68 @@ spec: configVersion: v1.11.0 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.11.0 - tenantService: dellemc/csm-authorization-tenant:v1.11.0 - roleService: dellemc/csm-authorization-role:v1.11.0 - storageService: dellemc/csm-authorization-storage:v1.11.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.11.0 + tenantService: dellemc/csm-authorization-tenant:v1.11.0 + roleService: dellemc/csm-authorization-role:v1.11.0 + storageService: dellemc/csm-authorization-storage:v1.11.0 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for 
self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # proxy-server ingress will use this hostname - # NOTE: an additional hostname can be configured in the PROXY_INGRESS_HOST environment variable + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required - - name: "PROXY_HOST" - value: "csm-authorization.com" + hostname: "csm-authorization.com" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true - - # enabled: 
Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + storageclass: "" --- apiVersion: v1 diff --git a/samples/authorization/csm_authorization_proxy_server_v190.yaml b/samples/authorization/csm_authorization_proxy_server_v190.yaml index e334fc313..172dfe224 100644 --- a/samples/authorization/csm_authorization_proxy_server_v190.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v190.yaml 
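Review bot: The redis block pins `redis: redis:6.0.8-alpine` while pairing it with `commander: rediscommander/redis-commander:latest`, so the datastore is frozen on a 2020-era release and the web UI in front of it floats to whatever is newest; both directions are bad for a component that holds tenant and role state. Pin the commander to a digest or specific tag, and add a short comment stating the policy, e.g. `# images are pinned; bump deliberately and re-test, do not use :latest`. If the 1.x samples are meant to stay on Redis 6 for compatibility, a comment saying so would stop the next reader from "fixing" it.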
@@ -12,45 +12,14 @@ spec: configVersion: v1.9.0 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.9.0 - tenantService: dellemc/csm-authorization-tenant:v1.9.0 - roleService: dellemc/csm-authorization-role:v1.9.0 - storageService: dellemc/csm-authorization-storage:v1.9.0 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" - - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" - - # Specify storage class for redis. Otherwise, default storage class is used. - # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - # enabled: Enable/Disable nginx ingress + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section # Default value: true - - name: ingress-nginx + - name: nginx enabled: true # enabled: Enable/Disable cert-manager 
@@ -61,6 +30,52 @@ spec: - name: cert-manager enabled: true + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.9.0 + tenantService: dellemc/csm-authorization-tenant:v1.9.0 + roleService: dellemc/csm-authorization-role:v1.9.0 + storageService: dellemc/csm-authorization-storage:v1.9.0 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # base hostname for the ingress rules that expose the services + # the proxy-server ingress will use this hostname + # Allowed values: string + # Default value: csm-authorization.com + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "" + --- apiVersion: v1 kind: ConfigMap 
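Review bot: The comment on `certificate`/`privateKey`, `for self-signed certs, leave empty string`, is ambiguous: it reads as if leaving the fields empty selects a self-signed certificate, when the presumable behaviour is that the operator asks the enabled cert-manager component to issue one. Say which, e.g. `# leave both empty to have the operator obtain a certificate through cert-manager (requires the cert-manager component above to be enabled or already installed)`, so that a user who disabled cert-manager is not left with no certificate at all. Also worth stating that a key placed here lives in the CR, not in a Secret, and is readable by anyone with read access to ContainerStorageModule objects.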
diff --git a/samples/authorization/csm_authorization_proxy_server_v191.yaml b/samples/authorization/csm_authorization_proxy_server_v191.yaml index a3c35abcc..97c6fea25 100644 --- a/samples/authorization/csm_authorization_proxy_server_v191.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v191.yaml 
@@ -12,45 +12,14 @@ spec: configVersion: v1.9.1 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.9.1 - tenantService: dellemc/csm-authorization-tenant:v1.9.1 - roleService: dellemc/csm-authorization-role:v1.9.1 - storageService: dellemc/csm-authorization-storage:v1.9.1 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" - - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" - - # Specify storage class for redis. Otherwise, default storage class is used. - # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - # enabled: Enable/Disable nginx ingress + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section # Default value: true - - name: ingress-nginx + - name: nginx enabled: true # enabled: Enable/Disable cert-manager 
@@ -61,6 +30,52 @@ spec: - name: cert-manager enabled: true + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.9.1 + tenantService: dellemc/csm-authorization-tenant:v1.9.1 + roleService: dellemc/csm-authorization-role:v1.9.1 + storageService: dellemc/csm-authorization-storage:v1.9.1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # base hostname for the ingress rules that expose the services + # the proxy-server ingress will use this hostname + # Allowed values: string + # Default value: csm-authorization.com + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "" + --- apiVersion: v1 kind: ConfigMap 
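Review bot: `hosts: []` replaces a configuration in which the in-cluster name `authorization-ingress-nginx-controller.authorization.svc.cluster.local` was the default additional ingress host, so drivers inside the cluster that reach the proxy through that service name would presumably stop matching the ingress rule after an upgrade unless the name is added back. The commented example below it is a template with placeholders, so the sample does not show what to put there; spell out the upgrade caveat inline, e.g. `# NOTE: earlier samples added the in-cluster nginx service name here by default; re-add it if existing drivers use that address`. I cannot see how the ingress is rendered from this hunk, so please confirm the old name is no longer added implicitly.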
diff --git a/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml b/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml new file mode 100644 index 000000000..ee8b42756 --- /dev/null +++ b/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml 
@@ -0,0 +1,115 @@ +apiVersion: storage.dell.com/v1 +kind: ContainerStorageModule +metadata: + name: authorization + namespace: authorization +spec: + modules: + # Authorization: enable csm-authorization proxy server for RBAC + - name: authorization-proxy-server + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + forceRemoveModule: true + + components: + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + proxyServiceReplicas: 1 + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + tenantServiceReplicas: 1 + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + roleServiceReplicas: 1 + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + storageServiceReplicas: 1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + authorizationControllerReplicas: 1 + leaderElection: true + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: rediscommander + sentinel: sentinel + redisReplicas: 5 + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave 
empty string + # Allowed values: string + certificateAuthority: "" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: authorization +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: 10 + LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m diff --git a/samples/storage_csm_unity_v2101.yaml b/samples/storage_csm_unity_v2101.yaml index 9237535b2..84bd8de0d 100644 --- a/samples/storage_csm_unity_v2101.yaml +++ b/samples/storage_csm_unity_v2101.yaml @@ -28,10 +28,10 @@ spec: image: "dellemc/csi-unity:v2.10.1" imagePullPolicy: IfNotPresent envs: - # X_CSI_UNITY_ALLOW_MULTI_POD_ACCESS - Flag to enable sharing of volumes across multiple pods within the same node in RWO access mode. - # Allowed values: boolean - # Default value: "false" - # Examples : "true" , "false" + # X_CSI_UNITY_ALLOW_MULTI_POD_ACCESS - Flag to enable sharing of volumes across multiple pods within the same node in RWO access mode. + # Allowed values: boolean + # Default value: "false" + # Examples : "true" , "false" - name: X_CSI_UNITY_ALLOW_MULTI_POD_ACCESS value: "false" - name: X_CSI_EPHEMERAL_STAGING_PATH 
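Review bot: The vault component in the v2.0.0-alpha sample sets `skipCertificateValidation: true` for the connection to the credential store at `vaultAddress: https://10.0.0.1:8400`, even though a `certificateAuthority` field is provided right below; a sample for the service that fetches array credentials should default to `skipCertificateValidation: false` and show the CA field as the way to trust a private issuer, e.g. `# skipCertificateValidation: leave false and supply certificateAuthority for a private CA; true disables TLS verification of Vault`. The same private-key-in-a-CR concern applies to the vault `certificate`/`privateKey` pair, since these are client credentials to the secret store. The ConfigMap also ships `LOG_LEVEL: debug`; if debug logging includes request details for the authorization proxy, the sample should default to `info` with a comment on when to raise it.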
@@ -67,15 +67,15 @@ spec: # ssl authentication. (unity-cert-0..unity-cert-n) # This field is only verified if X_CSI_UNITY_SKIP_CERTIFICATE_VALIDATION is set to false # Allowed values: n, where n > 0 - # Default value: None + # Default value: None - name: CERT_SECRET_COUNT value: "1" # X_CSI_UNITY_SKIP_CERTIFICATE_VALIDATION: Specifies if the driver is going to validate unisphere certs while connecting to the Unisphere REST API interface. # If it is set to false, then a secret unity-certs has to be created with an X.509 certificate of CA which signed the Unisphere certificate # Allowed values: # true: skip Unisphere API server's certificate verification - # false: verify Unisphere API server's certificates - # Default value: true + # false: verify Unisphere API server's certificates + # Default value: true - name: X_CSI_UNITY_SKIP_CERTIFICATE_VALIDATION value: "true" @@ -97,7 +97,7 @@ spec: # Uncomment the following to configure how often external-provisioner polls the driver to detect changed capacity # Configure when the storageCapacity is set as "true" # Allowed values: 1m,2m,3m,...,10m,...,60m etc. Default value: 5m - #- name: provisioner + # - name: provisioner # args: ["--capacity-poll-interval=5m"] # health monitor is disabled by default, refer to driver documentation before enabling it diff --git a/tests/e2e/go.mod b/tests/e2e/go.mod index 6f203edfc..1bb28168a 100644 --- a/tests/e2e/go.mod +++ b/tests/e2e/go.mod @@ -4,7 +4,7 @@ go 1.22 require ( github.com/dell/csm-operator v0.0.0 - github.com/onsi/ginkgo/v2 v2.17.3 + github.com/onsi/ginkgo/v2 v2.19.0 github.com/onsi/gomega v1.33.1 k8s.io/api v0.28.4 k8s.io/apimachinery v0.28.4 
@@ -84,16 +84,17 @@ require ( go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.22.0 // indirect + golang.org/x/crypto v0.23.0 // indirect golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f // indirect - golang.org/x/net v0.24.0 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.25.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.20.0 // indirect + golang.org/x/tools v0.21.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect diff --git a/tests/e2e/go.sum b/tests/e2e/go.sum index d71f95f3c..72363b927 100644 --- a/tests/e2e/go.sum +++ b/tests/e2e/go.sum 
@@ -136,8 +136,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= -github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -229,19 +229,21 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc= golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.25.0 
h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -254,23 +256,23 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools 
v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
-golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/tests/e2e/run-e2e-test.sh b/tests/e2e/run-e2e-test.sh
index e9d1823e7..afb9b0599 100755
--- a/tests/e2e/run-e2e-test.sh
+++ b/tests/e2e/run-e2e-test.sh
@@ -94,11 +94,31 @@ function checkForGinkgo() {
 if ! (go mod vendor && go get github.com/onsi/ginkgo/v2); then
 echo "go mod vendor or go get ginkgo error"
 exit 1
- fi
-}
+fi
+
+# copy cert-csi binary into local folder
+cp $CERT_CSI .
+
+# Uncomment for authorization proxy server
+# cp $DELLCTL /usr/local/bin/
+
+PATH=$PATH:$(go env GOPATH)/bin
+
+OPTS=()
+
+if [ -z "${GINKGO_OPTS-}" ]; then
+ OPTS=(-v)
+else
+ read -ra OPTS <<<"-v $GINKGO_OPTS"
+fi
+
+pwd
+ginkgo -mod=mod "${OPTS[@]}"
+
+rm -f cert-csi
-function runTests() {
- ginkgo -mod=mod -v
+# Uncomment for authorization proxy server
+# rm -f /usr/local/bin/dellctl
 # Checking for test status
 TEST_PASS=$?
diff --git a/tests/e2e/steps/steps_def.go b/tests/e2e/steps/steps_def.go
index f0505145c..a0f2307f1 100644
--- a/tests/e2e/steps/steps_def.go
+++ b/tests/e2e/steps/steps_def.go
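Review bot: `TEST_PASS=$?` on the context line right after this hunk now records the exit status of `rm -f cert-csi`, not of ginkgo, so a failing test run is reported as passed; capture the status directly after the run, `ginkgo -mod=mod "${OPTS[@]}"` / `TEST_PASS=$?` / `rm -f cert-csi`. `cp $CERT_CSI .` is unquoted and unguarded, so an unset or space-containing CERT_CSI produces a confusing cp error rather than a clear one; `cp "${CERT_CSI:?CERT_CSI must point at the cert-csi binary}" .` fails early with the reason. Removing `}` together with `function runTests() {` appears to fold the former runTests body into checkForGinkgo, whose opening and final closing brace are outside the hunk; if that merge is not intended, restore the function boundary.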
@@ -1,4 +1,4 @@
-// Copyright © 2022-2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+// Copyright © 2022-2024 Dell Inc. or its subsidiaries. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -58,6 +58,9 @@ var (
 pflexAuthSidecarMap = map[string]string{"REPLACE_USER": "PFLEX_USER", "REPLACE_PASS": "PFLEX_PASS", "REPLACE_SYSTEMID": "PFLEX_SYSTEMID", "REPLACE_ENDPOINT": "PFLEX_ENDPOINT", "REPLACE_AUTH_ENDPOINT": "PFLEX_AUTH_ENDPOINT"}
 authSidecarRootCertMap = map[string]string{}
 amConfigMap = map[string]string{"REPLACE_ALT_BUCKET_NAME": "ALT_BUCKET_NAME", "REPLACE_BUCKET_NAME": "BUCKET_NAME", "REPLACE_S3URL": "BACKEND_STORAGE_URL", "REPLACE_CONTROLLER_IMAGE": "AM_CONTROLLER_IMAGE", "REPLACE_PLUGIN_IMAGE": "AM_PLUGIN_IMAGE"}
+ storageCrMap = map[string]string{"REPLACE_STORAGE_NAME": "STORAGE_TYPE", "REPLACE_STORAGE_TYPE": "STORAGE_TYPE", "REPLACE_ENDPOINT": "END_POINT", "REPLACE_SYSTEM_ID": "SYSTEM_ID", "REPLACE_VAULT_STORAGE_PATH": "VAULT_STORAGE_PATH"}
+ roleCrMap = map[string]string{"REPLACE_STORAGE_TYPE": "STORAGE_TYPE", "REPLACE_QUOTA": "QUOTA", "REPLACE_SYSTEM_ID": "SYSTEM_ID", "REPLACE_STORAGE_POOL_PATH": "STORAGE_POOL_PATH"}
+ tenantCrMap = map[string]string{"REPLACE_TENANT_ROLES": "TENANT_ROLES", "REPLACE_TENANT_PREFIX": "TENANT_PREFIX"}
 )
 var correctlyAuthInjected = func(cr csmv1.ContainerStorageModule, annotations map[string]string, vols []acorev1.VolumeApplyConfiguration, cnt []acorev1.ContainerApplyConfiguration) error {
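Review bot: tenantCrMap's key `REPLACE_TENANT_PREFIX` does not match the placeholder `REPLACE_TENANT_VOLUME_PREFIX` written in the new csm-authorization_v1_csmtenant.yaml template, so the prefix is never substituted and the CSMTenant is applied with the literal placeholder, which the CRD's `volumePrefix` `maxLength: 3` rule in csm_authorization_crds.yaml would reject; align one side, e.g. `"REPLACE_TENANT_VOLUME_PREFIX": "TENANT_PREFIX"`. The three new maps would also benefit from a one-line comment stating the convention, e.g. `// storageCrMap: placeholder in csm-authorization_v1_storage.yaml -> env var that supplies its value`. The enclosing `var (` block starts outside the hunk.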
@@ -671,6 +674,12 @@ func determineMap(crType string) (map[string]string, error) {
 mapValues = authSidecarRootCertMap
 } else if crType == "application-mobility" {
 mapValues = amConfigMap
+ } else if crType == "storage" {
+ mapValues = storageCrMap
+ } else if crType == "csmrole" {
+ mapValues = roleCrMap
+ } else if crType == "csmtenant" {
+ mapValues = tenantCrMap
 } else {
 return mapValues, fmt.Errorf("type: %s is not supported", crType)
 }
@@ -1023,14 +1032,6 @@ func (step *Step) authProxyServerPrereqs(cr csmv1.ContainerStorageModule) error
 return fmt.Errorf("failed to create local storage for redis: %v\nErrMessage:\n%s", err, string(b))
 }
- cmd = exec.Command("kubectl", "create", "-n", cr.Namespace,
- "-f", "testfiles/authorization-templates/csm_authorization_certificate.yaml",
- )
- b, err = cmd.CombinedOutput()
- if err != nil {
- return fmt.Errorf("failed to create self-signed cert: %v\nErrMessage:\n%s", err, string(b))
- }
-
 return nil
 }
@@ -1044,12 +1045,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 var err error
 var (
- endpoint = ""
- sysID = ""
- user = ""
- password = ""
 storageType = ""
- pool = ""
 driverNamespace = ""
 proxyHost = ""
 )
@@ -1064,11 +1060,6 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 // if tests are running multiple scenarios that require differently configured auth servers, we will not be able to use one set of vars
 // this section is for powerflex, other drivers can add their sections as required.
 if driver == "powerflex" {
- endpointvar = "PFLEX_ENDPOINT"
- systemIdvar = "PFLEX_SYSTEMID"
- uservar = "PFLEX_USER"
- passvar = "PFLEX_PASS"
- poolvar = "PFLEX_POOL"
 os.Setenv("STORAGE_TYPE", "powerflex")
 os.Setenv("DRIVER_NAMESPACE", "test-vxflexos")
 }
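Review bot: determineMap's else-if chain now has six branches that each compare crType against a string literal and assign a package-level map; a `switch crType { case "storage": mapValues = storageCrMap ... }` or a single `map[string]map[string]string` lookup would make every further CR type a one-line addition and keep the unsupported-type error in one place. The function's opening and closing lines are outside the hunk.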
@@ -1078,21 +1069,6 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 os.Setenv("DRIVER_NAMESPACE", "isilon")
 }
 // get env variables
- if os.Getenv(endpointvar) != "" {
- endpoint = os.Getenv(endpointvar)
- }
- if os.Getenv(systemIdvar) != "" {
- sysID = os.Getenv(systemIdvar)
- }
- if os.Getenv(uservar) != "" {
- user = os.Getenv(uservar)
- }
- if os.Getenv(passvar) != "" {
- password = os.Getenv(passvar)
- }
- if os.Getenv(poolvar) != "" {
- pool = os.Getenv(poolvar)
- }
 if os.Getenv("STORAGE_TYPE") != "" {
 storageType = os.Getenv("STORAGE_TYPE")
 }
@@ -1108,7 +1084,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 }
 fmt.Printf("=== Generating Admin Token ===\n")
- adminTkn := exec.Command("karavictl",
+ adminTkn := exec.Command("dellctl",
 "admin", "token",
 "--name", "Admin",
 "--jwt-signing-secret", "secret",
@@ -1137,16 +1113,19 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 fmt.Printf("Address: %s\n", address)
 fmt.Println("=== Creating Storage ===\n ")
- cmd := exec.Command("karavictl",
- "--admin-token", "/tmp/adminToken.yaml",
- "storage", "create",
- "--type", storageType,
- "--endpoint", fmt.Sprintf("https://%s", endpoint),
- "--system-id", sysID,
- "--user", user,
- "--password", password,
- "--array-insecure",
- "--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
+ mapValues, err := determineMap("storage")
+ if err != nil {
+ return err
+ }
+
+ for key := range mapValues {
+ err := replaceInFile(os.Getenv(mapValues[key]), key, "testfiles/authorization-templates/csm-authorization_storage.yaml")
+ if err != nil {
+ return err
+ }
+ }
+ cmd := exec.Command("kubectl", "apply",
+ "-f", "testfiles/authorization-templates/csm-authorization_v1_storage.yaml",
 )
 fmt.Println("=== Storage === \n", cmd.String())
 b, err = cmd.CombinedOutput()
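Review bot: the placeholders are substituted in `testfiles/authorization-templates/csm-authorization_storage.yaml` but `kubectl apply` reads `csm-authorization_v1_storage.yaml`, the template this commit adds, so unless a separate csm-authorization_storage.yaml exists outside this diff the applied Storage object still carries the literal REPLACE_* values; the csmtenant and csmrole blocks in the next two hunks have the same path mismatch. replaceInFile also rewrites the checked-in template in place, so a second run finds no placeholder to replace, and an unset variable silently blanks the field because `os.Getenv` returns ""; rendering into a per-run temporary file and returning an error when `os.Getenv(mapValues[key]) == ""` would make both failures visible. configureAuthorizationProxyServer starts and ends outside the hunk.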
@@ -1156,10 +1135,19 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 // Create Tenant
 fmt.Println("=== Creating Tenant ===\n ")
- cmd = exec.Command("karavictl",
- "--admin-token", "/tmp/adminToken.yaml",
- "tenant", "create",
- "-n", tenantName, "--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
+ mapValues, err = determineMap("csmtenant")
+ if err != nil {
+ return err
+ }
+
+ for key := range mapValues {
+ err := replaceInFile(os.Getenv(mapValues[key]), key, "testfiles/authorization-templates/csm-authorization_csmtenant.yaml")
+ if err != nil {
+ return err
+ }
+ }
+ cmd = exec.Command("kubectl", "apply",
+ "-f", "testfiles/authorization-templates/csm-authorization_v1_csmtenant.yaml",
 )
 b, err = cmd.CombinedOutput()
 fmt.Println("=== Tenant === \n", cmd.String())
@@ -1170,15 +1158,19 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 fmt.Println("=== Creating Role ===\n", cmd.String())
 // Create Role
- if storageType == "powerscale" {
- quotaLimit = "0"
+ mapValues, err = determineMap("csmrole")
+ if err != nil {
+ return err
 }
- cmd = exec.Command("karavictl",
- "--admin-token", "/tmp/adminToken.yaml",
- "role", "create",
- fmt.Sprintf("--role=%s=%s=%s=%s=%s",
- roleName, storageType, sysID, pool, quotaLimit),
- "--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
+
+ for key := range mapValues {
+ err := replaceInFile(os.Getenv(mapValues[key]), key, "testfiles/authorization-templates/csm-authorization_csmrole.yaml")
+ if err != nil {
+ return err
+ }
+ }
+ cmd = exec.Command("kubectl", "apply",
+ "-f", "testfiles/authorization-templates/csm-authorization_v1_csmrole.yaml",
 )
 fmt.Println("=== Role === \n", cmd.String())
@@ -1190,28 +1182,15 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 // role creation take few seconds
 time.Sleep(5 * time.Second)
- // Bind role
- cmd = exec.Command("karavictl",
- "--admin-token", "/tmp/adminToken.yaml",
- "rolebinding", "create",
- "--tenant", tenantName,
- "--role", roleName,
- "--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
- )
- fmt.Println("=== Binding Role ===\n", cmd.String())
- b, err = cmd.CombinedOutput()
- if err != nil {
- return fmt.Errorf("failed to create rolebinding %s: %v\nErrMessage:\n%s", roleName, err, string(b))
- }
-
 // Generate token
 fmt.Println("=== Generating token ===\n ")
- cmd = exec.Command("karavictl",
- "--admin-token", "/tmp/adminToken.yaml",
+ cmd = exec.Command("dellctl",
 "generate", "token",
- "--tenant", tenantName,
- "--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
+ "--admin-token", "/tmp/adminToken.yaml",
 "--access-token-expiration", fmt.Sprint(10*time.Minute),
+ "--refresh-token-expiration", "48h",
+ "--tenant", "csmtenant-sample",
+ "--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
 )
 fmt.Println("=== Token ===\n", cmd.String())
 b, err = cmd.CombinedOutput()
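Review bot: the tenant passed to `dellctl generate token` is the literal `"csmtenant-sample"`, which has to stay in sync with `metadata.name` in csm-authorization_v1_csmtenant.yaml while the removed lines used the `tenantName` variable; define the name once as a package-level constant that both the template and this call use, so a rename of the sample tenant cannot break token generation silently. The dropped role-binding step also deserves a one-line comment at the top of this block, since a reader will look for it, e.g. `// role binding is expressed via spec.roles on the CSMTenant CR (presumably; confirm)`. The function continues outside the hunk.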
@@ -1409,6 +1388,56 @@ func (step *Step) validateApplicationMobilityNotInstalled(cr csmv1.ContainerStor
 return nil
 }
+func (step *Step) createCustomResourceDefinition(res Resource, crdNumStr string) error {
+ crdNum, _ := strconv.Atoi(crdNumStr)
+ cmd := exec.Command("kubectl", "apply", "-f", res.Scenario.Paths[crdNum-1])
+ err := cmd.Run()
+ if err != nil {
+ return fmt.Errorf("csm authorization crds install failed: %v", err)
+ }
+
+ return nil
+}
+
+func (step *Step) validateCustomResourceDefinition(res Resource, crdName string) error {
+ cmd := exec.Command("kubectl", "get", "crd", fmt.Sprintf("%s.csm-authorization.storage.dell.com", crdName))
+ err := cmd.Run()
+ if err != nil {
+ return fmt.Errorf("failed to validate csm authorization crd [%s]: %v", crdName, err)
+ }
+
+ return nil
+}
+
+func (step *Step) deleteCustomResourceDefinition(res Resource, crdNumStr string) error {
+ crdNum, _ := strconv.Atoi(crdNumStr)
+ cmd := exec.Command("kubectl", "delete", "-f", res.Scenario.Paths[crdNum-1])
+ err := cmd.Run()
+ if err != nil {
+ return fmt.Errorf("csm authorization crds uninstall failed: %v", err)
+ }
+ return nil
+}
+
+func (step *Step) validateRbacCreated(_ Resource, namespace string) error {
+ fmt.Println("=== validating Rbac created ===")
+
+ cmd := exec.Command("kubectl", "get", "rolebindings", "-n", "namespacename")
+ var out bytes.Buffer
+ cmd.Stdout = &out
+ err := cmd.Run()
+ if err != nil {
+ return fmt.Errorf("failed to run command")
+ }
+
+ roles := strings.Split(out.String(), "\n")
+ for _, role := range roles {
+ if strings.Contains(role, "Role/connectivity-client-docker-k8s") {
+ return nil
+ }
+ }
+
+}
 func (step *Step) validateRbacCreated(_ Resource, namespace string) error {
 fmt.Println("=== validating Rbac created ===")
diff --git a/tests/e2e/steps/steps_runner.go b/tests/e2e/steps/steps_runner.go
index 4f95c7985..bf2269188 100644
--- a/tests/e2e/steps/steps_runner.go
+++ b/tests/e2e/steps/steps_runner.go
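Review bot: the added `validateRbacCreated` is a second definition of the method whose existing declaration immediately follows it as the context line, so the package no longer compiles (method redeclared), and the copy also has no return after the for loop and queries the literal namespace `"namespacename"` instead of the `namespace` parameter; drop the duplicate. In createCustomResourceDefinition and deleteCustomResourceDefinition the `strconv.Atoi` error is discarded and `res.Scenario.Paths[crdNum-1]` is indexed unchecked, so a non-numeric or zero step argument panics with an index out of range instead of returning a readable error; validate the index before building the command. All four new functions are complete within the hunk.
```go
func (step *Step) createCustomResourceDefinition(res Resource, crdNumStr string) error {
	crdNum, err := strconv.Atoi(crdNumStr)
	if err != nil || crdNum < 1 || crdNum > len(res.Scenario.Paths) {
		return fmt.Errorf("invalid crd index %q: expected 1..%d", crdNumStr, len(res.Scenario.Paths))
	}
	cmd := exec.Command("kubectl", "apply", "-f", res.Scenario.Paths[crdNum-1])
	// … unchanged: cmd.Run() and error wrapping …
}
// … same index guard in deleteCustomResourceDefinition …
```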
@@ -79,6 +79,9 @@ func StepRunnerInit(runner *Runner, ctrlClient client.Client, clientSet *kuberne
 runner.addStep(`^Validate connectivity client from CR \[(\d+)\] is installed$`, step.validateConnectivityClientInstalled)
 runner.addStep(`^Validate connectivity client from CR \[(\d+)\] is not installed$`, step.validateConnectivityClientNotInstalled)
 runner.addStep(`^Uninstall connectivity client from CR \[(\d+)\]`, step.uninstallConnectivityClient)
+ runner.addStep(`^Install Authorization CRDs \[(\d+)\]$`, step.createCustomResourceDefinition)
+ runner.addStep(`^Validate \[([^"]*)\] CRD for Authorization is installed$`, step.validateCustomResourceDefinition)
+ runner.addStep(`^Delete Authorization CRDs \[(\d+)\]$`, step.deleteCustomResourceDefinition)
 runner.addStep(`^Validate rbac created in namespace \[([^"]*)\]$`, step.validateRbacCreated)
 }
diff --git a/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmrole.yaml b/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmrole.yaml
new file mode 100644
index 000000000..dc764942e
--- /dev/null
+++ b/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmrole.yaml
@@ -0,0 +1,15 @@
+apiVersion: csm-authorization.storage.dell.com/v1alpha1
+kind: CSMRole
+metadata:
+ labels:
+ app.kubernetes.io/name: role
+ app.kubernetes.io/instance: role-sample
+ app.kubernetes.io/part-of: csm-authorization
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: csm-authorization
+ name: csmrole-sample
+spec:
+ quota: "REPLACE_QUOTA"
+ systemID: "REPLACE_SYSTEM_ID"
+ systemType: "REPLACE_STORAGE_TYPE"
+ pool: "REPLACE_STORAGE_POOL_PATH"
diff --git a/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmtenant.yaml b/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmtenant.yaml
new file mode 100644
index 000000000..e3cbcce21
--- /dev/null
+++ b/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmtenant.yaml
@@ -0,0 +1,18 @@
+apiVersion: csm-authorization.storage.dell.com/v1alpha1
+kind: CSMTenant
+metadata:
+ labels:
+ app.kubernetes.io/name: csmtenant
+ app.kubernetes.io/instance: csmtenant-sample
+ app.kubernetes.io/part-of: csm-authorization
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: csm-authorization
+ name: csmtenant-sample
+spec:
+ # TODO(user): Add fields here
+ roles: "REPLACE_TENANT_ROLES"
+ approveSdc: false
+ revoke: false
+ # This prefix is added for each new volume provisioned by the tenant.
+ # It should not exceed 3 characters. Example: tn1
+ volumePrefix: "REPLACE_TENANT_VOLUME_PREFIX"
diff --git a/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_storage.yaml b/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_storage.yaml
new file mode 100644
index 000000000..366dcd593
--- /dev/null
+++ b/tests/e2e/testfiles/authorization-templates/csm-authorization_v1_storage.yaml
@@ -0,0 +1,12 @@
+apiVersion: csm-authorization.storage.dell.com/v1alpha1
+kind: Storage
+metadata:
+ name: "REPLACE_STORAGE_NAME"
+spec:
+ type: "REPLACE_STORAGE_TYPE"
+ endpoint: "REPLACE_ENDPOINT"
+ systemID: "REPLACE_SYSTEM_ID"
+ credentialStore: vault
+ credentialPath: "REPLACE_VAULT_STORAGE_PATH"
+ skipCertificateValidation: true
+ pollInterval: 30s
diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_certificate.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_certificate.yaml
deleted file mode 100644
index a2044e105..000000000
--- a/tests/e2e/testfiles/authorization-templates/csm_authorization_certificate.yaml
+++ /dev/null
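Review bot: `skipCertificateValidation: true` is fixed in the Storage template while endpoint, system ID and credential path are placeholders, so every e2e run disables TLS verification toward the array and the verified path is never exercised; a placeholder such as `skipCertificateValidation: REPLACE_SKIP_CERT_VALIDATION` with a matching storageCrMap entry would let the harness cover both settings, and a comment line above it, `# e2e default; set to false to exercise certificate validation against the array`, would make the choice explicit. The `# TODO(user): Add fields here` scaffold line in the CSMTenant template has been superseded by the fields below it and can be dropped.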
@@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth -spec: - secretName: karavi-auth-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - karavi-auth - - karavi-auth.authorization.svc.kubernetes.local - - csm-authorization.com - - authorization-ingress-nginx-controller.authorization.svc.cluster.local - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_crds.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_crds.yaml new file mode 100644 index 000000000..8c885df97 --- /dev/null +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_crds.yaml 
@@ -0,0 +1,415 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: csmroles.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: CSMRole + listKind: CSMRoleList + plural: csmroles + singular: csmrole + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CSMRole is the Schema for the csmroles API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CSMRoleSpec defines the desired state of CSMRole + properties: + pool: + type: string + quota: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + systemID: + type: string + systemType: + type: string + type: object + status: + description: CSMRoleStatus defines the observed state of CSMRole + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + Role.status.conditions.type are: "Available", "NotAvailable", and "UnKnown" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: csmtenants.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: CSMTenant + listKind: CSMTenantList + plural: csmtenants + singular: csmtenant + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CSMTenant is the Schema for the csmtenants API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CSMTenantSpec defines the desired state of CSMTenant + properties: + approveSdc: + type: boolean + revoke: + type: boolean + roles: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + volumePrefix: + maxLength: 3 + minLength: 1 + type: string + required: + - approveSdc + - revoke + type: object + status: + description: CSMTenantStatus defines the observed state of CSMTenant + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: storages.csm-authorization.storage.dell.com +spec: + group: csm-authorization.storage.dell.com + names: + kind: Storage + listKind: StorageList + plural: storages + singular: storage + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Storage is the Schema for the storages API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: StorageSpec defines the desired state of Storage + properties: + credentialPath: + type: string + credentialStore: + type: string + endpoint: + type: string + pollInterval: + type: string + skipCertificateValidation: + type: boolean + systemID: + type: string + type: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + required: + - skipCertificateValidation + type: object + status: + description: StorageStatus defines the observed state of Storage + properties: + conditions: + description: 'Storage.status.conditions.type are: "Available", "NotAvailable", + and "UnKnown"' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml index 425fd1516..af54a2765 100644 
--- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml
+++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml
@@ -9,58 +9,103 @@ spec: - name: authorization-proxy-server # enable: Enable/Disable csm-authorization enabled: true - configVersion: v1.11.0 + configVersion: v2.0.0-alpha forceRemoveModule: true + components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:nightly - tenantService: dellemc/csm-authorization-tenant:nightly - roleService: dellemc/csm-authorization-role:nightly - storageService: dellemc/csm-authorization-storage:nightly - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # the storage-service ingress will use storage.hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + proxyServiceReplicas: 1 + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + tenantServiceReplicas: 1 + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + roleServiceReplicas: 1 + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + storageServiceReplicas: 1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + authorizationControllerReplicas: 1 + leaderElection: true + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + certificate: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" - # Specify storage class for redis. Otherwise, default storage class is used. 
- # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: false + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: rediscommander + sentinel: sentinel + redisReplicas: 5 + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "local-storage" + + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add 
cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "" --- apiVersion: v1 @@ -72,3 +117,4 @@ data: csm-config-params.yaml: | CONCURRENT_POWERFLEX_REQUESTS: 10 LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml index 753e51995..1a4eba02c 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml 
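Review bot: The redis component pins `redis: redis:7.2.4-alpine`, but the proxy-server component in the same hunk still carries `commander: rediscommander/redis-commander:latest` and the untagged `opa: openpolicyagent/opa`, so two of the images an e2e run pulls resolve to whatever `latest` is on the day of the run; pinning them by tag like redis (or by digest) keeps the fixture reproducible. In the vault component, `skipCertificateValidation: true` combined with `certificateAuthority: ""` leaves the connection to the secrets backend without server-certificate verification; if that is deliberate for the self-signed lab vault, a comment above the key such as `# test environment only: the e2e vault uses a self-signed cert; outside e2e set false and populate certificateAuthority` would keep the template from being copied as-is. The same two points apply to the matching hunks in csm_authorization_proxy_server_alt_ns.yaml and csm_authorization_proxy_server_default_redis.yaml.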
@@ -9,58 +9,103 @@ spec: - name: authorization-proxy-server # enable: Enable/Disable csm-authorization enabled: true - configVersion: v1.11.0 + configVersion: v2.0.0-alpha forceRemoveModule: true + components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:nightly - tenantService: dellemc/csm-authorization-tenant:nightly - roleService: dellemc/csm-authorization-role:nightly - storageService: dellemc/csm-authorization-storage:nightly - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # the storage-service ingress will use storage.hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + proxyServiceReplicas: 1 + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + tenantServiceReplicas: 1 + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + roleServiceReplicas: 1 + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + storageServiceReplicas: 1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + authorizationControllerReplicas: 1 + leaderElection: true + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + certificate: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" - # Specify storage class for redis. Otherwise, default storage class is used. 
- # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.proxy-ns.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 + storageclass: "" + + - name: vault + vaultAddress: https://10.247.100.22:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to 
use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "" --- apiVersion: v1 @@ -72,3 +117,4 @@ data: csm-config-params.yaml: | CONCURRENT_POWERFLEX_REQUESTS: 10 LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml index b4325da44..b4e4917fa 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml 
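Review bot: `vaultAddress: https://10.247.100.22:8400` in the vault component differs from the `https://10.0.0.1:8400` placeholder used by the sibling templates and reads like a concrete lab endpoint checked into the fixture; using the same placeholder keeps environment-specific addresses out of the committed test files. The redis component also spells `redisCommander: redicommander`, whereas csm_authorization_proxy_server.yaml uses `rediscommander` (csm_authorization_proxy_server_default_redis.yaml has the same spelling as this file); if these are resource names the e2e steps look up, the mismatch will only surface at run time, so the three templates should agree. The storage-class comment block in the same component sits above `redisName:` rather than directly above the `storageclass: ""` it describes; moving it next to its key avoids the comment reading as documentation for the redis names.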
@@ -9,60 +9,103 @@ spec: - name: authorization-proxy-server # enable: Enable/Disable csm-authorization enabled: true - configVersion: v1.11.0 + configVersion: v2.0.0-alpha forceRemoveModule: true + components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:nightly - tenantService: dellemc/csm-authorization-tenant:nightly - roleService: dellemc/csm-authorization-role:nightly - storageService: dellemc/csm-authorization-storage:nightly - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # the storage-service ingress will use storage.hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + proxyServiceReplicas: 1 + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + tenantServiceReplicas: 1 + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + roleServiceReplicas: 1 + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + storageServiceReplicas: 1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + authorizationControllerReplicas: 1 + leaderElection: true + + # controllerReconcileInterval: interval for the authorization controllers to reconcile with Redis. 
+ controllerReconcileInterval: 5m + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + privateKey: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx + + # additional host rules for the proxy-server ingress + hosts: + - authorization-ingress-nginx-controller.authorization.svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI 
driver using this installation of CSM Authorization # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "" - - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + storageclass: "" - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: false + - name: vault + vaultAddress: https://10.0.0.1:8400 + vaultRole: csm-authorization + skipCertificateValidation: true + kvEnginePath: secret + # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + privateKey: "" + # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificateAuthority: "" --- apiVersion: v1 @@ -74,3 +117,4 @@ data: csm-config-params.yaml: | CONCURRENT_POWERFLEX_REQUESTS: 10 LOG_LEVEL: debug + STORAGE_CAPACITY_POLL_INTERVAL: 5m diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_n_minus_1.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_n_minus_1.yaml index 196a3742f..13f4427d4 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_n_minus_1.yaml 
+++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_n_minus_1.yaml 
@@ -12,54 +12,68 @@ spec: configVersion: v1.10.1 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:v1.10.1 - tenantService: dellemc/csm-authorization-tenant:v1.10.1 - roleService: dellemc/csm-authorization-role:v1.10.1 - storageService: dellemc/csm-authorization-storage:v1.10.1 - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.10.1 + tenantService: dellemc/csm-authorization-tenant:v1.10.1 + roleService: dellemc/csm-authorization-role:v1.10.1 + storageService: dellemc/csm-authorization-storage:v1.10.1 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: 
base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + privateKey: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" - # Specify storage class for redis. Otherwise, default storage class is used. 
- # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: true + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "" --- apiVersion: v1 @@ -70,4 +84,4 @@ metadata: data: csm-config-params.yaml: | CONCURRENT_POWERFLEX_REQUESTS: 10 - LOG_LEVEL: debug \ No newline at end of file + LOG_LEVEL: debug diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml index 425fd1516..65e27fa9c 100644 --- a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml +++ b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml 
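Review bot: In the proxy-server component the empty host list is written as `hosts:` followed by `[]` on its own line and then a commented example; this parses as an empty sequence, but it is an unusual layout that is easy to misread as a missing value, and `hosts: []` on one line followed by the comment reads the same to a human as it does to the parser. This template also keeps `commander: rediscommander/redis-commander:latest` and the untagged `opa: openpolicyagent/opa` alongside the pinned `redis:6.0.8-alpine`, which is presumably intentional for the n-1 fixture but still makes those two images non-reproducible between runs.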
@@ -12,55 +12,68 @@ spec: configVersion: v1.11.0 forceRemoveModule: true components: - - name: karavi-authorization-proxy-server - # enable: Enable/Disable csm-authorization proxy server - enabled: true - proxyService: dellemc/csm-authorization-proxy:nightly - tenantService: dellemc/csm-authorization-tenant:nightly - roleService: dellemc/csm-authorization-role:nightly - storageService: dellemc/csm-authorization-storage:nightly - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - envs: - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # the storage-service ingress will use storage.hostname + # For Kubernetes Container Platform only + # enabled: Enable/Disable NGINX Ingress Controller + # Allowed values: + # true: enable deployment of NGINX Ingress Controller + # false: disable deployment of NGINX Ingress Controller only if you have your own ingress controller. 
Set the appropriate annotations for the ingresses in the proxy-server section + # Default value: true + - name: nginx + enabled: true + + # enabled: Enable/Disable cert-manager + # Allowed values: + # true: enable deployment of cert-manager + # false: disable deployment of cert-manager only if it's already deployed + # Default value: true + - name: cert-manager + enabled: true + + - name: proxy-server + # enable: Enable/Disable csm-authorization proxy server + enabled: true + proxyService: dellemc/csm-authorization-proxy:v1.11.0 + tenantService: dellemc/csm-authorization-tenant:v1.11.0 + roleService: dellemc/csm-authorization-role:v1.11.0 + storageService: dellemc/csm-authorization-storage:v1.11.0 + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates + # for self-signed certs, leave empty string + # Allowed values: string + certificate: "" + + # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates + # for self-signed certs, leave empty string # Allowed values: string - # Default value: csm-authorization.com - - name: "PROXY_HOST" - value: "csm-authorization.com" + privateKey: "" - # Proxy-service ingress configuration - # Default value: nginx - - name: "PROXY_INGRESS_CLASSNAME" - value: "nginx" - # An additional host rule for the proxy-server ingress - # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local - - name: "PROXY_INGRESS_HOST" - value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local" + # proxy-server ingress will use this hostname + # NOTE: an additional hostname can be configured in proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: "csm-authorization.com" - # Specify storage class for redis. 
Otherwise, default storage class is used. - # Default value: None - - name: "REDIS_STORAGE_CLASS" - value: "local-storage" + # proxy-server ingress configuration + proxyServerIngress: + - ingressClassName: nginx - # enabled: Enable/Disable nginx ingress - # Allowed values: - # true: enable deployment of nginx ingress controller - # false: disable deployment of nginx ingress only if you have your own ingress controller - # Default value: true - - name: ingress-nginx - enabled: true + # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local - # enabled: Enable/Disable cert-manager - # Allowed values: - # true: enable deployment of cert-manager - # false: disable deployment of cert-manager only if it's already deployed - # Default value: true - - name: cert-manager - enabled: false + # additional annotations for the proxy-server ingress + annotations: {} + + - name: redis + redis: redis:6.0.8-alpine + commander: rediscommander/redis-commander:latest + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization + # Default value: None + storageclass: "" --- apiVersion: v1 diff --git a/tests/e2e/testfiles/scenarios.yaml b/tests/e2e/testfiles/scenarios.yaml index 8308f3ea1..2a85db3b9 100644 --- a/tests/e2e/testfiles/scenarios.yaml +++ b/tests/e2e/testfiles/scenarios.yaml 
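Review bot: The rewritten component list pins the four csm-authorization service images to `v1.11.0` but leaves `commander: rediscommander/redis-commander:latest` and the tag-less `opa: openpolicyagent/opa` floating, so an e2e run pulls whatever those mutable tags currently resolve to and the scenario is neither reproducible nor protected against an upstream tag being repointed. Both values are also present on the removed side, so this is carried over rather than introduced, but the change that pinned the other images is the natural place to pin these too: `commander: rediscommander/redis-commander:<PINNED_TAG>` and `opa: openpolicyagent/opa:<PINNED_TAG>` (placeholder tags — substitute the versions the operator is validated against). The same two lines recur in the preceding hunk for the sibling template, whose header lies outside this view. Separately, `cert-manager` goes from `enabled: false` to `enabled: true` in this no-cert template; if that is intended, a one-line comment such as `# no custom cert supplied, so the self-signed path relies on cert-manager` would keep a reader from taking it for a copy-paste from the with-cert template.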
@@ -2,16 +2,32 @@ List of E2E Tests Scenarios - scenario: "Install Authorization Proxy Server" paths: - "testfiles/authorization-templates/csm_authorization_proxy_server.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [2]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" - "Configure authorization-proxy-server for [powerscale] for CR [1]" - "Configure authorization-proxy-server for [powerflex] for CR [1]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [2]" + +- scenario: "Install Authorization CRDs" + paths: + - "testfiles/authorization-templates/csm_authorization_crds.yaml" + modules: + - "authorizationproxyserver" + steps: + - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [1]" + - "Validate [csmroles] CRD for Authorization is installed" + - "Validate [csmtenants] CRD for Authorization is installed" + - "Validate [storages] CRD for Authorization is installed" + - "Delete Authorization CRDs [1]" - scenario: "Install Authorization Proxy Server and upgrade" paths: 
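Review bot: The new `Install Authorization CRDs` scenario declares its selector under `modules:` while every other scenario in this file, including the one directly above it, uses `tags:`; if the runner selects scenarios by tag, this one is never executed (or the key is silently ignored) unless `modules:` is also honoured, which is not visible here. Unless the key is deliberate, the fix is a one-word rename, `tags:` in place of `modules:`, keeping the `- "authorizationproxyserver"` entry beneath it. None of the other scenarios.yaml hunks in this diff introduce a `modules:` key, so the inconsistency is confined to this scenario.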
@@ -34,30 +50,36 @@ List of E2E Tests Scenarios - scenario: "Install Authorization Proxy Server With Default Redis Storage Class" paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [2]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" - - "Configure authorization-proxy-server for [powerscale]" - - "Configure authorization-proxy-server for [powerflex]" + - "Configure authorization-proxy-server for [powerscale] for CR [1]" + - "Configure authorization-proxy-server for [powerflex] for CR [1]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [2]" - scenario: "Install Authorization Proxy Server with alternate namespace" paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [2]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" - "Configure authorization-proxy-server for [powerscale] for CR [1]" - "Configure authorization-proxy-server for [powerflex] for CR [1]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [2]" - scenario: "Install Authorization Proxy Server & PowerFlex Driver (With Authorization), Upgrade both Authorization Proxy Server and PowerFlex Driver" paths: 
@@ -109,6 +131,7 @@ List of E2E Tests Scenarios - scenario: "Install PowerScale Driver(Standalone)" paths: - "testfiles/storage_csm_powerscale.yaml" + tags: - "powerscale" - "sanity" @@ -230,12 +253,14 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server.yaml" - "testfiles/storage_csm_powerscale_auth.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "authorization" - "powerscale" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" @@ -253,6 +278,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerscale-templates/powerscale-auth-secret-template.yaml] for [pscaleAuth]" - "Restore template [testfiles/powerscale-templates/karavi-authorization-config.json] for [pscaleAuthSidecar]" customTest: @@ -438,6 +464,7 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml" - "testfiles/storage_csm_powerscale_observability_auth.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "authorization" @@ -446,6 +473,7 @@ List of E2E Tests Scenarios - "sanity" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" 
@@ -464,6 +492,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerscale-templates/powerscale-storageclass-template.yaml] for [pscale]" - "Restore template [testfiles/powerscale-templates/powerscale-auth-secret-template.yaml] for [pscaleAuth]" - "Restore template [testfiles/powerscale-templates/karavi-authorization-config.json] for [pscaleAuthSidecar]" @@ -477,6 +506,7 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml" - "testfiles/storage_csm_powerscale.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "powerscale" @@ -484,6 +514,7 @@ List of E2E Tests Scenarios - "authorization" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" @@ -510,6 +541,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerscale-templates/powerscale-secret-template.yaml] for [pscale]" - "Restore template [testfiles/powerscale-templates/karavi-authorization-config.json] for [pscaleAuthSidecar]" @@ -517,6 +549,7 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml" - "testfiles/storage_csm_powerscale_observability_auth.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "authorization" 
@@ -524,6 +557,7 @@ List of E2E Tests Scenarios - "observability" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" @@ -551,6 +585,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerscale-templates/powerscale-storageclass-template.yaml] for [pscale]" - "Restore template [testfiles/powerscale-templates/powerscale-auth-secret-template.yaml] for [pscaleAuth]" - "Restore template [testfiles/powerscale-templates/karavi-authorization-config.json] for [pscaleAuthSidecar]" @@ -722,12 +757,14 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server.yaml" - "testfiles/storage_csm_powerflex_auth.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorization" - "authorizationproxyserver" - "powerflex" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" @@ -746,6 +783,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerflex-templates/csm-authorization-config.json] for [pflexAuthSidecar]" - "Restore template [testfiles/powerflex-templates/powerflex-secret-template.yaml] for [pflexAuth]" - "Restore template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]" 
@@ -964,6 +1002,7 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml" - "testfiles/storage_csm_powerflex.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "authorization" @@ -971,6 +1010,7 @@ List of E2E Tests Scenarios - "observability" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" @@ -998,6 +1038,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [1]" - "Delete custom resource [2]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerflex-templates/powerflex-secret-template.yaml] for [pflexAuth]" - "Restore template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]" - "Restore template [testfiles/powerflex-templates/csm-authorization-config.json] for [pflexAuthSidecar]" @@ -1006,6 +1047,7 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml" - "testfiles/storage_csm_powerflex_observability_auth.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "authorization" @@ -1013,6 +1055,7 @@ List of E2E Tests Scenarios - "observability" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" 
@@ -1031,6 +1074,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerflex-templates/powerflex-secret-template.yaml] for [pflexAuth]" - "Restore template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]" - "Restore template [testfiles/powerflex-templates/csm-authorization-config.json] for [pflexAuthSidecar]" @@ -1043,6 +1087,7 @@ List of E2E Tests Scenarios paths: - "testfiles/authorization-templates/csm_authorization_proxy_server_no_cert.yaml" - "testfiles/storage_csm_powerflex_observability_auth.yaml" + - "testfiles/authorization-templates/csm_authorization_crds.yaml" tags: - "authorizationproxyserver" - "authorization" @@ -1051,6 +1096,7 @@ List of E2E Tests Scenarios - "sanity" steps: - "Given an environment with k8s or openshift, and CSM operator installed" + - "Install Authorization CRDs [3]" - "Create [authorization-proxy-server] prerequisites from CR [1]" - "Apply custom resource [1]" - "Validate [authorization-proxy-server] module from CR [1] is installed" @@ -1077,6 +1123,7 @@ List of E2E Tests Scenarios - "Enable forceRemoveDriver on CR [2]" - "Delete custom resource [2]" - "Delete custom resource [1]" + - "Delete Authorization CRDs [3]" - "Restore template [testfiles/powerflex-templates/powerflex-secret-template.yaml] for [pflexAuth]" - "Restore template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]" - "Restore template [testfiles/powerflex-templates/csm-authorization-config.json] for [pflexAuthSidecar]" @@ -1456,7 +1503,7 @@ List of E2E Tests Scenarios - "Delete custom resource [1]" customTest: name: Cert CSI - run: + run: - cert-csi test vio --sc powermax --chainNumber 2 --chainLength 2 - scenario: "Install PowerMax Driver(With Observability)" 
@@ -1481,7 +1528,7 @@ List of E2E Tests Scenarios - "Restore template [testfiles/powermax-templates/powermax-secret-template.yaml] for [pmax]" customTest: name: Cert CSI - run: + run: - cert-csi test vio --sc powermax --chainNumber 2 --chainLength 2 - scenario: "Install PowerMax Driver(Standalone), Enable/Disable Observability" @@ -1505,46 +1552,3 @@ List of E2E Tests Scenarios # cleanup - "Enable forceRemoveDriver on CR [1]" - "Delete custom resource [1]" - -- scenario: "Install Powermax Driver(Standalone), Enable Resiliency" - paths: - - "testfiles/storage_csm_powermax.yaml" - tags: - - "powermax" - - "resiliency" - steps: - - "Given an environment with k8s or openshift, and CSM operator installed" - - "Apply custom resource [1]" - - "Validate custom resource [1]" - - "Validate [powermax] driver from CR [1] is installed" - - "Validate [resiliency] module from CR [1] is not installed" - - "Enable [resiliency] module from CR [1]" - - "Validate [powermax] driver from CR [1] is installed" - - "Validate [resiliency] module from CR [1] is installed" - - "Run custom test" - # cleanup - - "Enable forceRemoveDriver on CR [1]" - - "Delete custom resource [1]" - customTest: - name: CustomTest - run: - - "echo Todo" - -- scenario: "Install Powermax Driver(With Resiliency), Disable Resiliency module" - paths: - - "testfiles/storage_csm_powermax_resiliency.yaml" - tags: - - "powermax" - - "resiliency" - steps: - - "Given an environment with k8s or openshift, and CSM operator installed" - - "Apply custom resource [1]" - - "Validate custom resource [1]" - - "Validate [powermax] driver from CR [1] is installed" - - "Validate [resiliency] module from CR [1] is installed" - - "Disable [resiliency] module from CR [1]" - - "Validate [powermax] driver from CR [1] is installed" - - "Validate [resiliency] module from CR [1] is not installed" - # cleanup - - "Enable forceRemoveDriver on CR [1]" - - "Delete custom resource [1]" 
diff --git a/tests/shared/common.go b/tests/shared/common.go
index 6f4680d28..e724abb29 100644
--- a/tests/shared/common.go
+++ b/tests/shared/common.go
@@ -163,24 +163,7 @@ func MakeModule(configVersion string) csmv1.Module {
 moduleObj := csmv1.Module{
 ConfigVersion: configVersion,
 ForceRemoveModule: true,
- Components: []csmv1.ContainerTemplate{
- {
- Envs: []corev1.EnvVar{
- {
- Name: "PROXY_HOST",
- Value: "csm-auth.com",
- },
- {
- Name: "AUTHORIZATION_LOG_LEVEL",
- Value: "debug",
- },
- {
- Name: "AUTHORIZATION_CONCURRENT_POWERFLEX_REQUESTS",
- Value: "10",
- },
- },
- },
- },
+ Components: []csmv1.ContainerTemplate{{}},
 }
 return moduleObj