diff --git a/api/v1/types.go b/api/v1/types.go index e8b8e13f1..563b80381 100644 --- a/api/v1/types.go +++ b/api/v1/types.go @@ -356,6 +356,26 @@ type ContainerTemplate struct { // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Redis storage class" RedisStorageClass string `json:"storageclass,omitempty" yaml:"storageclass,omitempty"` + // VaultAddress is the address of the vault + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Address" + VaultAddress string `json:"vaultAddress,omitempty" yaml:"vaultAddress,omitempty"` + + // RedisName is the name of the redis statefulset + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis StatefulSet Name" + RedisName string `json:"redisName,omitempty" yaml:"redisName,omitempty"` + + // RedisCommander is the name of the redis deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis Deployment Name" + RedisCommander string `json:"redisCommander,omitempty" yaml:"redisCommander,omitempty"` + + // RedisReplicas is the number of replicas for the redis deployment + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis Deployment Replicas" + RedisReplicas int `json:"redisReplicas,omitempty" yaml:"redisReplicas,omitempty"` + + // Sentinel is the name of the sentinel statefulSet + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Sentinel StatefulSet Name" + Sentinel string `json:"sentinel,omitempty" yaml:"sentinel,omitempty"` + // ReplicaCount is the replica count for app mobility // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Application Mobility Replica Count" ReplicaCount string `json:"replicaCount,omitempty" yaml:"replicaCount,omitempty"` diff --git a/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml b/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml index 49ccf6402..e90e1a2ed 100644 
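Review bot: `RedisReplicas int` with `omitempty` cannot distinguish "unset" from an explicit 0 (an explicit 0 is dropped on encode), and `int` is not one of the integer types the Kubernetes API conventions allow; the established pattern for a replica count (apps/v1 `Deployment.spec.replicas`) is a pointer, so change the field to `RedisReplicas *int32` and keep the existing json/yaml tags. A `// +kubebuilder:validation:Minimum=0` marker on the field would let the generated CRD reject negative values instead of the operator having to. The sibling `ReplicaCount` is a `string`, so the two replica fields now have different types; a sentence in each new doc comment stating what the operator uses when the field is absent would help readers of the CRD. The enclosing `ContainerTemplate` struct starts and ends outside the hunk.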
--- a/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml +++ b/config/crd/bases/storage.dell.com_apexconnectivityclients.yaml @@ -295,12 +295,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -355,6 +368,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -613,12 +629,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string 
@@ -673,6 +702,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -916,12 +948,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -976,6 +1021,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in diff --git a/config/crd/bases/storage.dell.com_containerstoragemodules.yaml b/config/crd/bases/storage.dell.com_containerstoragemodules.yaml index bac00843b..6509254cb 100644 --- a/config/crd/bases/storage.dell.com_containerstoragemodules.yaml +++ b/config/crd/bases/storage.dell.com_containerstoragemodules.yaml 
@@ -299,12 +299,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -359,6 +372,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -602,12 +618,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string 
@@ -662,6 +691,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -928,12 +960,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -988,6 +1033,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in 
@@ -1227,12 +1275,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the + redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -1287,6 +1348,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -1534,12 +1598,25 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string 
@@ -1594,6 +1671,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -1866,6 +1946,16 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility @@ -1873,6 +1963,9 @@ spec: roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -1927,6 +2020,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in @@ -2184,6 +2280,16 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for + the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility 
@@ -2191,6 +2297,9 @@ spec: roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -2245,6 +2354,9 @@ spec: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in diff --git a/deploy/crds/storage.dell.com.crds.all.yaml b/deploy/crds/storage.dell.com.crds.all.yaml index 9842a6f45..c8b1572be 100644 --- a/deploy/crds/storage.dell.com.crds.all.yaml +++ b/deploy/crds/storage.dell.com.crds.all.yaml @@ -265,12 +265,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -322,6 +334,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -546,12 +561,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -603,6 +630,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -816,12 +846,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string 
@@ -873,6 +915,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -1176,12 +1221,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -1233,6 +1290,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -1446,12 +1506,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -1503,6 +1575,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -1735,12 +1810,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string 
@@ -1792,6 +1879,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -2003,12 +2093,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -2060,6 +2162,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string 
@@ -2276,12 +2381,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -2333,6 +2450,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -2570,12 +2690,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string 
@@ -2627,6 +2759,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string @@ -2849,12 +2984,24 @@ spec: redis: description: Redis is the image tag for the Container type: string + redisCommander: + description: RedisCommander is the name of the redis deployment + type: string + redisName: + description: RedisName is the name of the redis statefulset + type: string + redisReplicas: + description: RedisReplicas is the number of replicas for the redis deployment + type: integer replicaCount: description: ReplicaCount is the replica count for app mobility type: string roleService: description: RoleService is the image tag for the Container type: string + sentinel: + description: Sentinel is the name of the sentinel statefulSet + type: string storageService: description: StorageService is the image tag for the Container type: string @@ -2906,6 +3053,9 @@ spec: useVolumeSnapshot: description: UseSnapshot is to check whether volume snapshot is enabled under velero component type: boolean + vaultAddress: + description: VaultAddress is the address of the vault + type: string veleroNamespace: description: VeleroNamespace is the namespace that Velero is installed in type: string diff --git a/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml index 344d0258f..d48c19d18 100644 --- a/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml @@ -303,7 +303,7 @@ spec: name: grpc --- # Redis -apiVersion: apps/v1 +apiVersion: apps/v1 kind: Deployment metadata: name: redis-primary 
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml index 344d0258f..388e7b2e8 100644 --- a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/deployment.yaml @@ -1,4 +1,44 @@ +apiVersion: v1 +kind: Secret +metadata: + name: redis-csm-secret + namespace: +type: kubernetes.io/basic-auth +stringData: + password: K@ravi123! +--- # Proxy service +apiVersion: v1 +kind: ServiceAccount +metadata: + name: proxy-server + namespace: +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["watch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +subjects: + - kind: ServiceAccount + name: proxy-server + namespace: +roleRef: + kind: ClusterRole + name: proxy-server + apiGroup: rbac.authorization.k8s.io +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -17,12 +57,22 @@ spec: csm: app: proxy-server spec: + serviceAccount: proxy-server containers: - name: proxy-server image: imagePullPolicy: Always + env: + - name: SENTINELS + value: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password args: - - "--redis-host=redis..svc.cluster.local:6379" + - "--redis-sentinel=$(SENTINELS)" + - "--redis-password=$(REDIS_PASSWORD)" - "--tenant-service=tenant-service..svc.cluster.local:50051" - "--role-service=role-service..svc.cluster.local:50051" - "--storage-service=storage-service..svc.cluster.local:50051" 
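Review bot: The `redis-csm-secret` Secret ships a fixed plaintext password (`K@ravi123!`) in `stringData`, so every installation deployed from this template gets the same known Redis credential, and the credential is now committed to the repository. The operator should either generate a random password at reconcile time or require the administrator to create the Secret out of band, leaving only the `secretKeyRef` consumers in the template. The ClusterRole added below it grants `storages`/`csmtenants` get/list and `events` watch, which reads as least-privilege; a one-line comment above it naming the proxy-server code path that needs those verbs would make future RBAC reviews easier. The empty `namespace:` values here appear to be placeholders the operator fills in; confirm.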
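Review bot: `--redis-password=$(REDIS_PASSWORD)` expands the secret into the proxy-server command line, where it is visible in the container's process table to anything that can exec into or inspect the pod and may be captured by process-level logging or crash reports. Since `REDIS_PASSWORD` is already injected via `secretKeyRef`, prefer having the service read the environment variable (or a mounted file) directly and drop the argument, keeping only `- "--redis-sentinel=$(SENTINELS)"`. The same pattern appears in the tenant-service hunk (`@@ -100,8 +150,17 @@`). Whether the binaries accept the env var instead of the flag is not visible here; confirm against the service code before changing the args.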
@@ -100,8 +150,17 @@ spec: - name: tenant-service image: imagePullPolicy: Always + env: + - name: SENTINELS + value: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password args: - - "--redis-host=redis..svc.cluster.local:6379" + - "--redis-sentinel=$(SENTINELS)" + - "--redis-password=$(REDIS_PASSWORD)" ports: - containerPort: 50051 name: grpc @@ -242,6 +301,20 @@ roleRef: name: storage-service apiGroup: rbac.authorization.k8s.io --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: storage-service-tokenreview-binding + namespace: +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: storage-service + namespace: +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -265,6 +338,10 @@ spec: - name: storage-service image: imagePullPolicy: Always + args: + - "--vault-address=" + - "--vault-kv-engine-path=secret" + - "--vault-skip-certificate-validation=true" ports: - containerPort: 50051 name: grpc @@ -272,22 +349,24 @@ spec: - name: NAMESPACE value: volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - name: config-volume mountPath: /etc/karavi-authorization/config - name: csm-config-params mountPath: /etc/karavi-authorization/csm-config-params + - name: vault-client-certificate + mountPath: /etc/vault volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - name: config-volume secret: secretName: karavi-config-secret - name: csm-config-params configMap: name: csm-config-params + - name: vault-client-certificate + projected: + sources: + - secret: + name: storage-service-selfsigned-tls --- apiVersion: v1 kind: Service 
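Review bot: `metadata.namespace` on the `storage-service-tokenreview-binding` ClusterRoleBinding has no effect because ClusterRoleBinding is cluster-scoped (the server ignores it, and some tooling rejects it), so remove that line from `metadata`; it is correct under `subjects`. Binding `system:auth-delegator` lets storage-service create TokenReview and SubjectAccessReview objects cluster-wide, which is what a token-validating service needs, but the commit does not say which feature now relies on it. A comment above the binding naming that feature (presumably the Vault-backed path introduced alongside; confirm) would make the privilege grant reviewable later.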
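Review bot: `--vault-skip-certificate-validation=true` is hard-coded in the storage-service args, so TLS verification of the Vault endpoint is disabled for every installation with no way to re-enable it from the CR; the new `VaultAddress` field shows `--vault-address=` is templated, so template this flag the same way, default it to `false`, e.g. `- "--vault-skip-certificate-validation="` filled by the operator, and document that `true` is for lab setups only. With verification off, the cert-manager client certificate added later in this diff authenticates the service to Vault but nothing authenticates Vault to the service, so secrets read from `--vault-kv-engine-path=secret` could come from an endpoint that merely answers at the configured address. `--vault-kv-engine-path=secret` is likewise hard-coded and could be exposed through the same CR field mechanism.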
@@ -302,91 +381,178 @@ spec: targetPort: 50051 name: grpc --- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: storage-service-selfsigned + namespace: +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: storage-service-selfsigned + namespace: +spec: + secretName: storage-service-selfsigned-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - dellemc + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + dnsNames: + - csm-authorization-storage-service + issuerRef: + name: storage-service-selfsigned + kind: Issuer + group: cert-manager.io +--- # Redis -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Service metadata: - name: redis-primary + name: namespace: - labels: - app: redis spec: + type: + clusterIP: None + selector: + app: + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 + name: +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: + namespace: +spec: + serviceName: + replicas: selector: matchLabels: - app: redis - role: primary - tier: backend - replicas: 1 + app: template: metadata: labels: csm: - app: redis - role: primary - tier: backend + app: spec: + initContainers: + - name: config + image: + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + + command: [ "sh", "-c" ] + args: + - | + cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf + + echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf + echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf + + echo "Finding master..." + MASTER_FDQN=`hostname -f | sed -e 's/redis-csm-[0-9]\./redis-csm-0./'` + echo "Master at " $MASTER_FQDN + if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then + echo "No sentinel found." + + if [ "$(hostname)" = "redis-csm-0" ]; then + echo "This is redis master, not updating config..." 
+ else + echo "This is redis slave, updating redis.conf..." + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + else + echo "Sentinel found, finding master" + MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ containers: - - name: primary + - name: image: - imagePullPolicy: IfNotPresent - args: ["--appendonly", "yes", "--appendfsync", "always"] - resources: - requests: - cpu: 100m - memory: 100Mi + command: [ "redis-server" ] + args: [ "/etc/redis/redis.conf" ] ports: - containerPort: 6379 + name: volumeMounts: - - name: redis-primary-volume - mountPath: /data - volumes: - name: redis-primary-volume - persistentVolumeClaim: - claimName: redis-primary-pv-claim ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: redis-primary-pv-claim - namespace: - labels: - app: redis-primary -spec: - accessModes: - - ReadWriteOnce - storageClassName: - resources: - requests: - storage: 8Gi + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + volumes: + - name: redis-primary-volume + emptyDir: {} + - name: config + emptyDir: {} + - name: configmap + configMap: + name: redis-csm-cm --- apiVersion: apps/v1 kind: Deployment metadata: - name: redis-commander + name: namespace: spec: replicas: 1 selector: matchLabels: - app: redis-commander + app: template: metadata: labels: csm: - app: redis-commander + app: tier: backend spec: containers: - - name: redis-commander + - name: image: imagePullPolicy: IfNotPresent env: - - name: REDIS_HOSTS - value: "rbac:redis..svc.cluster.local:6379" + - name: SENTINELS + value: - name: K8S_SIGTERM value: "1" + - name: 
REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password ports: - - name: redis-commander + - name: containerPort: 8081 livenessProbe: httpGet: 
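Review bot: In the Redis init script, the "Sentinel found" branch computes `MASTER` from `sentinel get-master-addr-by-name mymaster` but then writes `replicaof $MASTER_FDQN 6379`, so the discovered master is ignored and a restarted replica always follows `redis-csm-0` even after a failover; that line should be `echo "replicaof $MASTER 6379" >> /etc/redis/redis.conf`. The log line `echo "Master at " $MASTER_FQDN` reads a variable that was never set (the assignment is `MASTER_FDQN`), and the `grep -E` pattern uses `\d`, which POSIX ERE does not define, so `[0-9]` is the portable form. The `redis-csm-` prefix in the sed expression and the `hostname` comparison is hard-coded while the StatefulSet `name:` is templated, so a differently named StatefulSet would never recognise its own master. Separately, the data volume moved from the 8Gi PersistentVolumeClaim to `emptyDir: {}`, so Redis state no longer survives a full restart of the StatefulSet; confirm that is intended. The redis-commander Deployment continues past the end of the hunk.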
@@ -409,28 +575,137 @@ spec: apiVersion: v1 kind: Service metadata: - name: redis + name: namespace: spec: selector: - app: redis + app: ports: - protocol: TCP - port: 6379 - targetPort: 6379 + port: 8081 + targetPort: 8081 +--- +# Sentinel +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: + namespace: +spec: + serviceName: + replicas: + selector: + matchLabels: + app: + template: + metadata: + labels: + csm: + app: + spec: + initContainers: + - name: config + image: + command: [ "sh", "-c" ] + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - | + replicas=$( expr $(()) - 1) + for i in $(seq 0 $replicas) + do + node=$( echo "-$i." ) + nodes=$( echo "$nodes*$node" ) + done + loop=$(echo $nodes | sed -e "s/"*"/\n/g") + + for i in $loop + do + echo "Finding master at $i" + ROLE=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep role | cut -d ":" -f2) + if [ "$ROLE" = "master" ]; then + MASTER=$i.authorization.svc.cluster.local + echo "Master found at $MASTER..." + break + else + MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) + if [ "$MASTER" = "" ]; then + echo "Master not found..." + echo "Sleeping 5 seconds for pods to come up..." + sleep 5 + MASTER= + else + echo "Master found at $MASTER..." 
+ break + fi + fi + done + + echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master + echo "port 5000 + sentinel resolve-hostnames yes + sentinel announce-hostnames yes + $(cat /tmp/master) + sentinel down-after-milliseconds mymaster 5000 + sentinel failover-timeout mymaster 60000 + sentinel parallel-syncs mymaster 2 + sentinel auth-pass mymaster $REDIS_PASSWORD + " > /etc/redis/sentinel.conf + cat /etc/redis/sentinel.conf + volumeMounts: + - name: redis-config + mountPath: /etc/redis/ + containers: + - name: + image: + command: ["redis-sentinel"] + args: ["/etc/redis/sentinel.conf"] + ports: + - containerPort: 5000 + name: + volumeMounts: + - name: redis-config + mountPath: /etc/redis/ + - name: data + mountPath: /data + volumes: + - name: redis-config + emptyDir: {} + - name: data + emptyDir : {} --- apiVersion: v1 kind: Service metadata: - name: redis-commander + name: namespace: spec: + clusterIP: None + ports: + - port: 5000 + targetPort: 5000 + name: selector: - app: redis-commander + app: +--- +apiVersion: v1 +kind: Service +metadata: + name: -svc + namespace: +spec: + type: NodePort ports: - - protocol: TCP - port: 8081 - targetPort: 8081 + - port: 5000 + targetPort: 5000 + nodePort: 32003 + name: -svc + selector: + app: --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml index 0e7dc16bb..e026b96ba 100644 --- a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml +++ b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/policies.yaml @@ -263,3 +263,12 @@ data: claims == {} msg := sprintf("missing claims", []) } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: redis-csm-cm + namespace: authorization + +data: + redis.conf: | \ No newline at end of file diff --git a/pkg/modules/authorization.go b/pkg/modules/authorization.go index f33247b95..4449564f2 100644 
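Review bot: The `-svc` NodePort Service at the end of this hunk publishes Sentinel's port 5000 on every node as nodePort 32003, and the sentinel.conf the init container generates sets no `requirepass`, so anyone who can reach a node on that port can issue SENTINEL commands (force a failover, change `auth-pass`, re-point `monitor`) without authenticating. The commander already receives SENTINEL_PASSWORD from the same secret, so add `requirepass $REDIS_PASSWORD` to the generated config and drop the NodePort Service, or make it ClusterIP, unless a client outside the cluster genuinely needs Sentinel. The init container also exposes the Redis password twice: `-a $REDIS_PASSWORD` puts it on a command line readable from `/proc` (`--no-auth-warning` only silences the warning about exactly that), and `cat /etc/redis/sentinel.conf` prints the `sentinel auth-pass mymaster …` line into the pod log; pass it as `REDISCLI_AUTH=$REDIS_PASSWORD redis-cli …` and remove the `cat`. Separately, `MASTER=$i.authorization.svc.cluster.local` hardcodes the namespace while the rest of the manifest is templated, and when no master is found the loop finishes with MASTER empty and writes an unusable `sentinel monitor mymaster  6379 2` line instead of failing.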
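Review bot: The new `redis-csm-cm` ConfigMap ships an empty `redis.conf: |` (and the file has no trailing newline), so the Redis servers in this change start from a blank configuration and the init container only appends `replicaof …` to it; nothing visible sets `requirepass`/`masterauth`, `protected-mode` or `bind`, even though the commander and Sentinel authenticate with the password from `redis-csm-secret`. If the init script (outside this hunk) writes those from the environment, say so above the key, e.g. `# base redis.conf; requirepass/masterauth are appended by the redis init container from redis-csm-secret`; if it does not, the servers accept unauthenticated connections from any pod that can reach port 6379. The ConfigMap also hardcodes `namespace: authorization`, whereas the other manifests in this change go through the namespace placeholder that getAuthorizationServerDeployment replaces with authNamespace, so it lands in the wrong namespace whenever the CR is deployed elsewhere.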
--- a/pkg/modules/authorization.go +++ b/pkg/modules/authorization.go @@ -83,6 +83,19 @@ const ( // AuthProxyIngressHost - AuthProxyIngressHost = "" + // AuthVaultAddress - + AuthVaultAddress = "" + // AuthRedisName - + AuthRedisName = "" + // AuthRedisCommander - + AuthRedisCommander = "" + // AuthRedisSentinel - + AuthRedisSentinel = "" + // AuthRedisSentinelValues - + AuthRedisSentinelValues = "" + // AuthRedisReplicas - + AuthRedisReplicas = "" + // AuthCert - for tls secret AuthCert = "" // AuthPrivateKey - for tls secret @@ -98,6 +111,8 @@ const ( AuthCertManagerComponent = "cert-manager" // AuthRedisComponent - redis component AuthRedisComponent = "redis" + // AuthVaultComponent - vault component + AuthVaultComponent = "vault" // AuthLocalStorageClass - AuthLocalStorageClass = "csm-authorization-local-storage" @@ -499,6 +514,17 @@ func getAuthorizationServerDeployment(op utils.OperatorConfig, cr csmv1.Containe if component.Name == AuthRedisComponent { YamlString = strings.ReplaceAll(YamlString, AuthRedisImage, component.Redis) YamlString = strings.ReplaceAll(YamlString, AuthRedisCommanderImage, component.Commander) + YamlString = strings.ReplaceAll(YamlString, AuthRedisName, component.RedisName) + YamlString = strings.ReplaceAll(YamlString, AuthRedisCommander, component.RedisCommander) + YamlString = strings.ReplaceAll(YamlString, AuthRedisSentinel, component.Sentinel) + YamlString = strings.ReplaceAll(YamlString, AuthRedisReplicas, strconv.Itoa(component.RedisReplicas)) + + var sentinelValues []string + for i := 0; i < component.RedisReplicas; i++ { + sentinelValues = append(sentinelValues, fmt.Sprintf("sentinel-%d.sentinel.%s.svc.cluster.local:5000", i, authNamespace)) + } + sentinels := strings.Join(sentinelValues, ", ") + YamlString = strings.ReplaceAll(YamlString, AuthRedisSentinelValues, sentinels) if component.RedisStorageClass == "" { redisStorageClass = AuthLocalStorageClass 
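Review bot: As this page renders them, every new placeholder constant in this hunk (`AuthVaultAddress = ""` through `AuthRedisReplicas = ""`) is an empty string; if that is what the source really contains, `strings.ReplaceAll(YamlString, "", value)` inserts the value between every character of the manifest rather than at a token. More likely the real values are angle-bracketed tokens that the renderer stripped as HTML, in which case a doc comment per constant naming the token would make the intent survive (the current `// AuthVaultAddress -` comments say nothing), e.g. `// AuthVaultAddress - placeholder in the authorization manifests replaced by the vault component's vaultAddress`. If any token is a prefix of another (the sentinel-name and sentinel-values tokens are the obvious pair), the order of the ReplaceAll calls in getAuthorizationServerDeployment decides which wins, so either choose non-overlapping tokens or document that ordering here. The `const` block begins before this hunk.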
@@ -506,6 +532,10 @@ func getAuthorizationServerDeployment(op utils.OperatorConfig, cr csmv1.Containe redisStorageClass = component.RedisStorageClass } } + + if component.Name == AuthVaultComponent { + YamlString = strings.ReplaceAll(YamlString, AuthVaultAddress, component.VaultAddress) + } } YamlString = strings.ReplaceAll(YamlString, AuthNamespace, authNamespace) diff --git a/pkg/modules/testdata/cr_auth_proxy.yaml b/pkg/modules/testdata/cr_auth_proxy.yaml index 97090ff03..e01857396 100644 --- a/pkg/modules/testdata/cr_auth_proxy.yaml +++ b/pkg/modules/testdata/cr_auth_proxy.yaml @@ -77,12 +77,19 @@ spec: - name: redis redis: redis:6.0.8-alpine commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None storageclass: "local-storage" + - name: vault + vaultAddress: https://10.0.0.1:8400 + --- apiVersion: v1 kind: ConfigMap diff --git a/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml b/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml index 737b18c4c..225637121 100644 --- a/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml +++ b/pkg/modules/testdata/cr_auth_proxy_no_redis.yaml 
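Review bot: The sentinel address list built in this hunk hardcodes the StatefulSet/Service name as `sentinel` (`"sentinel-%d.sentinel.%s.svc.cluster.local:5000"`) while the manifest's sentinel name is substituted from `component.Sentinel` a few lines above, so any CR that sets `sentinel:` to something else gets SENTINELS entries that never resolve; use `fmt.Sprintf("%s-%d.%s.%s.svc.cluster.local:5000", component.Sentinel, i, component.Sentinel, authNamespace)`. Nothing validates the new CR fields before they are spliced into YAML by plain text replacement: a `RedisReplicas` of 0 or less yields an empty SENTINELS value and a non-positive `replicas:`, and a `RedisName`/`RedisCommander`/`Sentinel` value containing a newline or YAML punctuation rewrites the structure of the generated manifest rather than just a name. I would reject `component.RedisReplicas < 1` and require the three names to be DNS-1035 labels (apimachinery's validation helpers, which an operator presumably already depends on, do this) before the ReplaceAll calls. getAuthorizationServerDeployment starts before this hunk and continues after it.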
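Review bot: `component.VaultAddress` is pasted into the manifest verbatim; nothing checks that it parses as a URL or uses `https`, and what the proxy does with it is not visible here, but an address that later carries Vault tokens or secrets over plain `http://` would expose them on the wire. Parse it once and reject anything whose scheme is not `https` (or at least log a warning) before substitution, e.g. `if u, err := url.Parse(component.VaultAddress); err != nil || u.Scheme != "https" { return …, fmt.Errorf("vault address %q must be an https URL", component.VaultAddress) }`, adapting the return to the function's signature, which lies outside this hunk. The samples in this change already use `https://…`, so the check would not break them.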
@@ -75,14 +75,21 @@ spec: annotations: {} - name: redis - redis: redis:6.0.8-alpine + redis: redis:7.2.4-alpine commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None storageclass: "" + - name: vault + vaultAddress: https://10.0.0.1:8400 + --- apiVersion: v1 kind: ConfigMap diff --git a/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml b/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml index f8dafdd85..07a0bc2eb 100644 --- a/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml +++ b/samples/authorization/csm_authorization_proxy_server_v200-alpha.yaml @@ -75,14 +75,21 @@ spec: annotations: {} - name: redis - redis: redis:6.0.8-alpine + redis: redis:7.2.4-alpine commander: rediscommander/redis-commander:latest + redisName: redis-csm + redisCommander: redicommander + sentinel: sentinel + redisReplicas: 5 # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis # to use a different storage class for redis, specify the name of the storage class # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization # Default value: None storageclass: "" + - name: vault + vaultAddress: https://10.0.0.1:8400 + --- apiVersion: v1 kind: ConfigMap diff --git a/tests/e2e/go.sum b/tests/e2e/go.sum index a9cb6fc0e..f218da691 100644 --- a/tests/e2e/go.sum +++ b/tests/e2e/go.sum 
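Review bot: `redisCommander: redicommander` in the new sample (and identically in both testdata CRs) looks like a typo of `rediscommander`, and it becomes the Deployment and Service name users will see; spell it `redisCommander: rediscommander` before it turns into the de-facto default. The new `vault` component has no explanatory comment, unlike the redis entries above it, so a line describing what the proxy uses the address for and that it must be an `https://` URL belongs here. Note also that `redisReplicas: 5` means five Sentinels, while the sentinel.conf generated elsewhere in this change fixes the quorum at 2; a comment on how the replica count relates to the quorum would save operators a surprise.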
@@ -239,8 +239,6 @@ go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc=
@@ -254,8 +252,6 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
@@ -271,12 +267,8 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -310,8 +302,6 @@ google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=