
Merge branch 'authorization-gitops' into auth-proxy-e2e
EvgenyUglov committed Jun 10, 2024
2 parents d8bcb3a + abab27b commit c99c186
Showing 22 changed files with 105 additions and 73 deletions.
4 changes: 0 additions & 4 deletions api/v1/types.go
Expand Up @@ -162,10 +162,6 @@ type Module struct {
// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="InitContainer"
InitContainer []ContainerTemplate `json:"initContainer,omitempty" yaml:"initContainer"`

// OpenShift is used to indicate if the Container Platform is OpenShift
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="OpenShift"
OpenShift bool `json:"openshift,omitempty" yaml:"openshift,omitempty"`
}

// PodStatus - Represents PodStatus in a daemonset or deployment
12 changes: 12 additions & 0 deletions config/crd/bases/storage.dell.com_apexconnectivityclients.yaml
Expand Up @@ -82,6 +82,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -453,6 +457,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -811,6 +819,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
32 changes: 28 additions & 4 deletions config/crd/bases/storage.dell.com_containerstoragemodules.yaml
Expand Up @@ -86,6 +86,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -444,6 +448,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -823,6 +831,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -1179,6 +1191,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -1539,6 +1555,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -1924,6 +1944,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -2297,6 +2321,10 @@ spec:
description: Certificate is a certificate used for a certificate/private-key
pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority
used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -2639,10 +2667,6 @@ spec:
name:
description: Name is name of ContainerStorageModule modules
type: string
openshift:
description: OpenShift is used to indicate if the Container
Platform is OpenShift
type: boolean
type: object
type: array
type: object
24 changes: 11 additions & 13 deletions controllers/csm_controller.go
Expand Up @@ -970,26 +970,24 @@ func (r *ContainerStorageModuleReconciler) reconcileAuthorization(ctx context.Co
}
}

for _, m := range cr.Spec.Modules {
if m.OpenShift {
log.Infow("Using OpenShift default ingress controller")
if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) {
return fmt.Errorf("openshift enabled, skipping deployment of nginx ingress controller")
}
} else {
if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) {
log.Infow("Reconcile authorization NGINX Ingress Controller")
if err := modules.NginxIngressController(ctx, isDeleting, op, cr, ctrlClient); err != nil {
return fmt.Errorf("unable to reconcile nginx ingress controller for authorization: %v", err)
}
if r.Config.IsOpenShift {
log.Infow("Using OpenShift default ingress controller")
if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) {
log.Warnw("openshift environment, skipping deployment of nginx ingress controller")
}
} else {
if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent) {
log.Infow("Reconcile authorization NGINX Ingress Controller")
if err := modules.NginxIngressController(ctx, isDeleting, op, cr, ctrlClient); err != nil {
return fmt.Errorf("unable to reconcile nginx ingress controller for authorization: %v", err)
}
}
}

// Authorization Ingress rules
if utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthProxyServerComponent) {
log.Infow("Reconcile authorization Ingresses")
if err := modules.AuthorizationIngress(ctx, isDeleting, cr, r, ctrlClient); err != nil {
if err := modules.AuthorizationIngress(ctx, isDeleting, r.Config.IsOpenShift, cr, r, ctrlClient); err != nil {
return fmt.Errorf("unable to reconcile authorization ingress rules: %v", err)
}
}
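Review bot: When the nginx ingress component is enabled on OpenShift, the new branch only emits `log.Warnw("openshift environment, skipping deployment of nginx ingress controller")` and continues, so a user who explicitly enabled a component that will never be deployed gets no signal outside the controller log; consider recording the mismatch on the CR status (a condition or an event) so it is visible from the cluster side. The decision to tolerate rather than reject that configuration also deserves a one-line comment above the warning, e.g. `// nginx ingress is intentionally not deployed on OpenShift; the platform's default router is used instead`. Both sides of the new `if r.Config.IsOpenShift` call `utils.IsModuleComponentEnabled(ctx, cr, csmv1.AuthorizationServer, modules.AuthNginxIngressComponent)`; hoisting that into one local before the branch would simplify both arms. reconcileAuthorization starts and ends outside the hunk.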
19 changes: 10 additions & 9 deletions controllers/csm_controller_test.go
Expand Up @@ -187,23 +187,23 @@ func (suite *CSMControllerTestSuite) TestReconcile() {

func (suite *CSMControllerTestSuite) TestAuthorizationServerReconcile() {
suite.makeFakeAuthServerCSM(csmName, suite.namespace, getAuthProxyServer())
suite.runFakeAuthCSMManager("timed out waiting for the condition", false)
suite.runFakeAuthCSMManager("timed out waiting for the condition", false, false)
suite.deleteCSM(csmName)
suite.runFakeAuthCSMManager("", true)
suite.runFakeAuthCSMManager("", true, false)
}

func (suite *CSMControllerTestSuite) TestAuthorizationServerReconcileOCP() {
suite.makeFakeAuthServerCSMOCP(csmName, suite.namespace, getAuthProxyServerOCP())
suite.runFakeAuthCSMManager("", false)
suite.runFakeAuthCSMManager("", false, true)
suite.deleteCSM(csmName)
suite.runFakeAuthCSMManager("", true)
suite.runFakeAuthCSMManager("", true, true)
}

func (suite *CSMControllerTestSuite) TestAppMobReconcile() {
suite.makeFakeAppMobCSM(csmName, suite.namespace, getAppMob())
suite.runFakeAuthCSMManager("", false)
suite.runFakeAuthCSMManager("", false, false)
suite.deleteCSM(csmName)
suite.runFakeAuthCSMManager("", true)
suite.runFakeAuthCSMManager("", true, false)
}

func (suite *CSMControllerTestSuite) TestResiliencyReconcile() {
Expand Down Expand Up @@ -937,8 +937,11 @@ func (suite *CSMControllerTestSuite) runFakeCSMManager(expectedErr string, recon
}
}

func (suite *CSMControllerTestSuite) runFakeAuthCSMManager(expectedErr string, reconcileDelete bool) {
func (suite *CSMControllerTestSuite) runFakeAuthCSMManager(expectedErr string, reconcileDelete, isOpenShift bool) {
reconciler := suite.createReconciler()
if isOpenShift {
reconciler.Config.IsOpenShift = true
}

// invoke controller Reconcile to test. Typically k8s would call this when resource is changed
res, err := reconciler.Reconcile(ctx, req)
Expand Down Expand Up @@ -1281,7 +1284,6 @@ func getAuthProxyServer() []csmv1.Module {
Enabled: true,
ConfigVersion: "v2.0.0-alpha",
ForceRemoveModule: true,
OpenShift: false,
Components: []csmv1.ContainerTemplate{
{
Name: "proxy-server",
Expand Down Expand Up @@ -1319,7 +1321,6 @@ func getAuthProxyServerOCP() []csmv1.Module {
Enabled: true,
ConfigVersion: "v2.0.0-alpha",
ForceRemoveModule: true,
OpenShift: true,
Components: []csmv1.ContainerTemplate{
{
Name: "proxy-server",
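Review bot: The new guard in runFakeAuthCSMManager, `if isOpenShift { reconciler.Config.IsOpenShift = true }`, can be a plain assignment, `reconciler.Config.IsOpenShift = isOpenShift`, which also makes the false case explicit instead of relying on whatever createReconciler leaves in the field. The third positional bool at the call sites (`suite.runFakeAuthCSMManager("", true, true)`) is hard to read next to reconcileDelete; a short comment on the helper's signature naming both flags would help. The fixtures getAuthProxyServer and getAuthProxyServerOCP have lost the only difference visible in these hunks; if they now differ only in fields outside the view, a doc comment on each saying what still distinguishes them would save the next reader a comparison. runFakeAuthCSMManager's body continues outside the hunk.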
3 changes: 0 additions & 3 deletions deploy/crds/storage.dell.com.crds.all.yaml
Expand Up @@ -3394,9 +3394,6 @@ spec:
name:
description: Name is name of ContainerStorageModule modules
type: string
openshift:
description: OpenShift is used to indicate if the Container Platform is OpenShift
type: boolean
type: object
type: array
type: object
Expand Up @@ -694,9 +694,9 @@ spec:
done
loop=$(echo $nodes | sed -e "s/"*"/\n/g")
foundMaster=$false
foundMaster=false
while [ $foundMaster == $false ]
while [ "$foundMaster" == "false" ]
do
for i in $loop
do
Expand All @@ -705,27 +705,27 @@ spec:
if [ "$ROLE" = "master" ]; then
MASTER=$i.authorization.svc.cluster.local
echo "Master found at $MASTER..."
foundMaster=$true
foundMaster=true
break
else
MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2)
if [ "$MASTER" = "" ]; then
echo "Master not found..."
echo "Sleeping 5 seconds for redis pods to come up..."
echo "Waiting 5 seconds for redis pods to come up..."
sleep 5
MASTER=
else
echo "Master found at $MASTER..."
foundMaster=$true
foundMaster=true
break
fi
fi
done
if [ $foundMaster == $true ]; then
if [ "$foundMaster" == "true" ]; then
break
else
echo "Master not found, sleep for 30s before attempting again"
echo "Master not found, wait for 30s before attempting again"
sleep 30
fi
done
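Review bot: The rewritten comparisons `[ "$foundMaster" == "false" ]` and `[ "$foundMaster" == "true" ]` use `==`, which is a bash extension of `test`; the same script uses the POSIX form a few lines above (`if [ "$ROLE" = "master" ]`), so `[ "$foundMaster" = "false" ]` keeps the style consistent and also works if the container's shell is dash or busybox (the interpreter line is outside the hunk). The first hunk's `while [ "$foundMaster" == "false" ]` has the same `==`. The unchanged `redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD ...` context line passes the secret as a command-line argument, where it is visible to anything that can list processes in the pod; redis-cli also honours the `REDISCLI_AUTH` environment variable, which would keep it out of argv, so that is worth a follow-up even though it is not part of this change. Both hunks are fragments of a larger script whose beginning and end are outside the view.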
43 changes: 19 additions & 24 deletions pkg/modules/authorization.go
Expand Up @@ -1093,8 +1093,8 @@ func applyDeleteVaultCertificates(ctx context.Context, isDeleting bool, cr csmv1
}

// AuthorizationIngress - apply/delete ingress objects
func AuthorizationIngress(ctx context.Context, isDeleting bool, cr csmv1.ContainerStorageModule, r utils.ReconcileCSM, ctrlClient crclient.Client) error {
ingress, err := createIngress(cr)
func AuthorizationIngress(ctx context.Context, isDeleting, isOpenShift bool, cr csmv1.ContainerStorageModule, r utils.ReconcileCSM, ctrlClient crclient.Client) error {
ingress, err := createIngress(isOpenShift, cr)
if err != nil {
return fmt.Errorf("creating ingress: %v", err)
}
Expand All @@ -1109,13 +1109,11 @@ func AuthorizationIngress(ctx context.Context, isDeleting bool, cr csmv1.Contain
return fmt.Errorf("marshaling ingress: %v", err)
}

for _, m := range cr.Spec.Modules {
// Wait for NGINX ingress controller to be ready before creating Ingresses
// Needed for Kubernetes only
if !isDeleting && !m.OpenShift {
if err := utils.WaitForNginxController(ctx, cr, r, time.Duration(10)*time.Second); err != nil {
return fmt.Errorf("NGINX ingress controller is not ready: %v", err)
}
// Wait for NGINX ingress controller to be ready before creating Ingresses
// Needed for Kubernetes only
if !isDeleting && !isOpenShift {
if err := utils.WaitForNginxController(ctx, cr, r, time.Duration(10)*time.Second); err != nil {
return fmt.Errorf("NGINX ingress controller is not ready: %v", err)
}
}

Expand Down Expand Up @@ -1409,18 +1407,18 @@ func createSelfSignedCertificate(cr csmv1.ContainerStorageModule, hosts []string
return certificate
}

func createIngress(cr csmv1.ContainerStorageModule) (*networking.Ingress, error) {
func createIngress(isOpenShift bool, cr csmv1.ContainerStorageModule) (*networking.Ingress, error) {
authModule, err := getAuthorizationModule(cr)
if err != nil {
return nil, err
}

className, err := getClassName(cr)
className, err := getClassName(isOpenShift, cr)
if err != nil {
return nil, fmt.Errorf("getting ingress class name: %v", err)
}

annotations, err := getAnnotations(cr)
annotations, err := getAnnotations(isOpenShift, cr)
if err != nil {
return nil, fmt.Errorf("getting annotations: %v", err)
}
Expand Down Expand Up @@ -1469,17 +1467,16 @@ func createIngress(cr csmv1.ContainerStorageModule) (*networking.Ingress, error)
return &ingress, nil
}

func getAnnotations(cr csmv1.ContainerStorageModule) (map[string]string, error) {
func getAnnotations(isOpenShift bool, cr csmv1.ContainerStorageModule) (map[string]string, error) {
authModule, err := getAuthorizationModule(cr)
if err != nil {
return nil, err
}

annotations := make(map[string]string)
for _, m := range cr.Spec.Modules {
if m.OpenShift {
annotations["route.openshift.io/termination"] = "edge"
}

if isOpenShift {
annotations["route.openshift.io/termination"] = "edge"
}

for _, component := range authModule.Components {
Expand Down Expand Up @@ -1517,7 +1514,7 @@ func getHosts(cr csmv1.ContainerStorageModule) ([]string, error) {
return hosts, nil
}

func getClassName(cr csmv1.ContainerStorageModule) (string, error) {
func getClassName(isOpenShift bool, cr csmv1.ContainerStorageModule) (string, error) {
authModule, err := getAuthorizationModule(cr)
if err != nil {
return "", err
Expand All @@ -1526,12 +1523,10 @@ func getClassName(cr csmv1.ContainerStorageModule) (string, error) {
for _, component := range authModule.Components {
if component.Name == AuthProxyServerComponent {
for _, proxyServerIngress := range component.ProxyServerIngress {
for _, m := range cr.Spec.Modules {
if !m.OpenShift {
proxyIngressClassName = proxyServerIngress.IngressClassName
} else {
proxyIngressClassName = "openshift-default"
}
if !isOpenShift {
proxyIngressClassName = proxyServerIngress.IngressClassName
} else {
proxyIngressClassName = "openshift-default"
}
}
}
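Review bot: In getClassName the OpenShift branch inside `for _, proxyServerIngress := range component.ProxyServerIngress` no longer depends on the loop variable, so it reassigns the constant `"openshift-default"` on every iteration; hoisting it above the loop and running the loop only in the non-OpenShift case would make the intent clearer, and the negated `if !isOpenShift { … } else { … }` reads better inverted. The same loop still lets the last ProxyServerIngress entry win when several are configured, which predates this change but is now easier to see; a comment stating that only one ingress is expected, or a check rejecting more than one, would remove the ambiguity. In the first hunk, `isDeleting, isOpenShift bool` as adjacent positional booleans on AuthorizationIngress makes call sites such as `AuthorizationIngress(ctx, isDeleting, true, cr, …)` opaque; a doc comment on the signature that names both flags would help readers. getClassName continues past the end of the hunk, and the declaration of `proxyIngressClassName` sits in the collapsed lines above it.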
2 changes: 1 addition & 1 deletion pkg/modules/authorization_test.go
Expand Up @@ -951,7 +951,7 @@ func TestAuthorizationIngress(t *testing.T) {
Client: sourceClient,
K8sClient: fake.NewSimpleClientset(),
}
err := AuthorizationIngress(context.TODO(), isDeleting, cr, &fakeReconcile, sourceClient)
err := AuthorizationIngress(context.TODO(), isDeleting, true, cr, &fakeReconcile, sourceClient)
if success {
assert.NoError(t, err)
} else {
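Review bot: TestAuthorizationIngress now passes a hard-coded `true` for isOpenShift, so the `!isDeleting && !isOpenShift` path in AuthorizationIngress, which calls utils.WaitForNginxController, is no longer exercised by this test as far as the hunk shows; adding an isOpenShift field to the test cases (or a second call with `false`) would keep that branch covered. If the fake reconcile cannot satisfy WaitForNginxController, that limitation belongs in a comment next to the literal rather than being left as an unexplained `true`. The enclosing test function starts and continues outside the hunk.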