AuthConfig conversion webhook (#137)

* AuthConfig conversion webhook Deploys the AuthConfig CRD conversion webhook (based on the Authorino container image), as part of deploying the Operator. This is because the conversion webhook is a single deployment per cluster (similarly to the Operator itself), nevertheless it's based on the Authorino code base (which owns the AuthConfig type and therefore the functions to convert between versions of the CRD). This change introduces a dependency of the Operator on cert-manager (https://cert-manager.io). * Script to install the operator + deps without having to clone the repo, nor depending on OLM * Update Authorino manifests
Kuadrant · Sep 19, 2023 · 261466d · 261466d
1 parent 75b9f81
commit 261466d
Show file tree

Hide file tree

Showing 14 changed files with 6,096 additions and 91 deletions.
diff --git a/Makefile b/Makefile
@@ -137,6 +137,7 @@ manifests: controller-gen kustomize authorino-manifests ## Generate WebhookConfi
 
 .PHONY: authorino-manifests
 authorino-manifests: export AUTHORINO_GITREF := $(AUTHORINO_BRANCH)
+authorino-manifests: export AUTHORINO_VERSION := $(AUTHORINO_VERSION)
 authorino-manifests: ## Update authorino manifests.
 	envsubst \
         < config/authorino/kustomization.template.yaml \

diff --git a/bundle/manifests/authorino-operator.clusterserviceversion.yaml b/bundle/manifests/authorino-operator.clusterserviceversion.yaml
@@ -43,6 +43,9 @@ spec:
       kind: AuthConfig
       name: authconfigs.authorino.kuadrant.io
       version: v1beta1
+    - kind: AuthConfig
+      name: authconfigs.authorino.kuadrant.io
+      version: v1beta2
     - description: API to create instances of authorino
       displayName: Authorino
       kind: Authorino
@@ -280,6 +283,45 @@ spec:
                 runAsNonRoot: true
               serviceAccountName: authorino-operator
               terminationGracePeriodSeconds: 10
+      - label:
+          app: authorino
+          authorino-component: authorino-webhooks
+        name: authorino-webhooks
+        spec:
+          selector:
+            matchLabels:
+              app: authorino
+              authorino-component: authorino-webhooks
+          strategy: {}
+          template:
+            metadata:
+              labels:
+                app: authorino
+                authorino-component: authorino-webhooks
+            spec:
+              containers:
+              - command:
+                - authorino
+                - webhooks
+                image: quay.io/kuadrant/authorino:latest
+                name: webhooks
+                ports:
+                - containerPort: 9443
+                  name: webhooks
+                - containerPort: 8080
+                  name: metrics
+                - containerPort: 8081
+                  name: healthz
+                resources: {}
+                volumeMounts:
+                - mountPath: /tmp/k8s-webhook-server/serving-certs
+                  name: cert
+                  readOnly: true
+              volumes:
+              - name: cert
+                secret:
+                  defaultMode: 420
+                  secretName: authorino-webhook-server-cert
       permissions:
       - rules:
         - apiGroups:
@@ -314,6 +356,47 @@ spec:
           - create
           - patch
         serviceAccountName: authorino-operator
+      - rules:
+        - apiGroups:
+          - authorino.kuadrant.io
+          resources:
+          - authconfigs
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - authorino.kuadrant.io
+          resources:
+          - authconfigs/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - create
+          - get
+          - list
+          - update
+        - apiGroups:
+          - ""
+          resources:
+          - configmaps
+          - events
+          verbs:
+          - create
+          - get
+          - list
+          - update
+        serviceAccountName: default
     strategy: deployment
   installModes:
   - supported: false
@@ -347,3 +430,16 @@ spec:
   provider:
     name: Red Hat
   version: 0.0.0
+  webhookdefinitions:
+  - admissionReviewVersions:
+    - v1beta1
+    - v1beta2
+    containerPort: 443
+    conversionCRDs:
+    - authconfigs.authorino.kuadrant.io
+    deploymentName: authorino-webhooks
+    generateName: cauthconfigs.kb.io
+    sideEffects: None
+    targetPort: 9443
+    type: ConversionWebhook
+    webhookPath: /convert
diff --git a/bundle/manifests/authorino-webhooks_v1_service.yaml b/bundle/manifests/authorino-webhooks_v1_service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app: authorino
+    authorino-component: authorino-webhooks
+  name: authorino-webhooks
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app: authorino
+    authorino-component: authorino-webhooks
+status:
+  loadBalancer: {}