From 134313a07296dc7928ab4d7b753a6869ca644996 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Mon, 11 Dec 2023 14:13:34 -0600 Subject: [PATCH 01/28] feat(authz): Authorino for Service Mesh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This first iteration is to cover authentication needs for KServe * Add templates to install Authorino * Add templates to configure Service Mesh to use Authorino to delegate Authorization * Add KServe-specific templates that add the ability to secure KServe Inference Services * Add relevant fields to DSCInitialization resource * Code for proper cleanup, in case of uninstalling Most (if not all) of this code comes from pull request opendatahub-io/opendatahub-operator#605. Attribution to original authors: @bartoszmajsak, @aslakknutsen, @cam-garrison, et al. Related opendatahub-io/kserve#128 
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- .../v1/zz_generated.deepcopy.go | 2 +- components/kserve/kserve.go | 49 ++++++++++++ components/kserve/serverless_setup.go | 5 +- ...ion.opendatahub.io_dscinitializations.yaml | 42 ++++++++++ config/rbac/role.yaml | 48 +++++++++++ .../datasciencecluster/kubebuilder_rbac.go | 30 ++++--- .../dscinitialization/servicemesh_setup.go | 47 ++++++++++- infrastructure/v1/servicemesh_types.go | 30 +++++++ infrastructure/v1/zz_generated.deepcopy.go | 37 +++++++++ pkg/cluster/cluster_config.go | 27 +++++++ pkg/deploy/setup.go | 14 ++++ pkg/feature/feature.go | 10 +++ pkg/feature/manifest.go | 7 ++ pkg/feature/serverless/loaders.go | 3 +- pkg/feature/serverless/resources.go | 21 ----- pkg/feature/servicemesh/cleanup.go | 60 ++++++++++++++ pkg/feature/servicemesh/loaders.go | 20 +++++ pkg/feature/servicemesh/resources.go | 31 ++++++++ .../servicemesh/authorino/auth-smm.tmpl | 10 +++ .../base/operator-cluster-wide-no-tls.tmpl | 15 ++++ .../authorino/deployment.injection.patch.tmpl | 10 +++ .../mesh-authz-ext-provider.patch.tmpl | 13 +++ .../kserve/activator-envoyfilter.tmpl | 42 ++++++++++ .../kserve/envoy-oauth-temp-fix.tmpl | 79 +++++++++++++++++++ .../kserve/grpc-authorizationpolicy.tmpl | 19 +++++ 25 files changed, 628 insertions(+), 43 deletions(-) create mode 100644 pkg/cluster/cluster_config.go create mode 100644 pkg/feature/servicemesh/cleanup.go create mode 100644 pkg/feature/servicemesh/loaders.go create mode 100644 pkg/feature/servicemesh/resources.go create mode 100644 pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl create mode 100644 pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl create mode 100644 pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl create mode 100644 pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl create mode 100644 
pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl create mode 100644 pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl create mode 100644 pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl diff --git a/apis/dscinitialization/v1/zz_generated.deepcopy.go b/apis/dscinitialization/v1/zz_generated.deepcopy.go index 800f45905ed..ae1f71e7fe8 100644 --- a/apis/dscinitialization/v1/zz_generated.deepcopy.go +++ b/apis/dscinitialization/v1/zz_generated.deepcopy.go @@ -90,7 +90,7 @@ func (in *DSCInitializationList) DeepCopyObject() runtime.Object { func (in *DSCInitializationSpec) DeepCopyInto(out *DSCInitializationSpec) { *out = *in out.Monitoring = in.Monitoring - out.ServiceMesh = in.ServiceMesh + in.ServiceMesh.DeepCopyInto(&out.ServiceMesh) if in.DevFlags != nil { in, out := &in.DevFlags, &out.DevFlags *out = new(DevFlags) diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index 99d14c2563e..8f472c457a1 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -4,6 +4,7 @@ package kserve import ( "context" "fmt" + "path" "path/filepath" "strings" @@ -19,6 +20,7 @@ import ( "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/deploy" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" + "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/monitoring" ) @@ -163,6 +165,12 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC return err } } + + if enabled { + if err := k.configureServiceMesh(cli, dscispec); err != nil { + return err + } + } return nil } 
@@ -229,3 +237,44 @@ func checkDepedentOps(cli client.Client) *multierror.Error {
 }
 return multiErr
 }
+
+func (k *Kserve) configureServiceMesh(cli client.Client, dscispec *dsciv1.DSCInitializationSpec) error {
+ shouldConfigureServiceMesh, err := deploy.ShouldConfigureServiceMesh(cli, dscispec)
+ if err != nil {
+ return err
+ }
+
+ if shouldConfigureServiceMesh {
+ serviceMeshInitializer := feature.NewFeaturesInitializer(dscispec, k.defineServiceMeshFeatures(dscispec))
+
+ if err := serviceMeshInitializer.Prepare(); err != nil {
+ return err
+ }
+
+ if err := serviceMeshInitializer.Apply(); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func (k *Kserve) defineServiceMeshFeatures(dscispec *dsciv1.DSCInitializationSpec) feature.DefinedFeatures {
+ return func(s *feature.FeaturesInitializer) error {
+ kserve, err := feature.CreateFeature("configure-kserve-for-external-authz").
+ For(dscispec).
+ Manifests(
+ path.Join(feature.KServeDir),
+ ).
+ WithData(servicemesh.ClusterDetails).
+ Load()
+
+ if err != nil {
+ return err
+ }
+
+ s.Features = append(s.Features, kserve)
+
+ return nil
+ }
+}
diff --git a/components/kserve/serverless_setup.go b/components/kserve/serverless_setup.go
index 83d2b6cf877..0402256dd60 100644
--- a/components/kserve/serverless_setup.go
+++ b/components/kserve/serverless_setup.go
@@ -11,14 +11,13 @@ import ( const ( knativeServingNamespace = "knative-serving" - templatesDir = "templates/serverless" ) func (k *Kserve) configureServerlessFeatures(s *feature.FeaturesInitializer) error { servingDeployment, err := feature.CreateFeature("serverless-serving-deployment"). For(s.DSCInitializationSpec). Manifests( - path.Join(templatesDir, "serving-install"), + path.Join(feature.ServerlessDir, "serving-install"), ). WithData(PopulateComponentSettings(k)). PreConditions( 
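Review bot: `configureServiceMesh` drops the caller's context — `ReconcileComponent` has a `ctx context.Context` in scope but passes only `cli` and `dscispec`, so the Prepare/Apply chain cannot observe cancellation or deadlines; thread `ctx` through as the first parameter if the feature API accepts one. The errors from `ShouldConfigureServiceMesh`, `Prepare` and `Apply` are returned bare, so the reconcile log does not say which step failed; `fmt` is already imported, so `return fmt.Errorf("applying kserve service-mesh features: %w", err)` costs one line. `path.Join(feature.KServeDir)` with a single argument is just `feature.KServeDir`. Loading the whole `KServeDir` applies every template in that directory, including `envoy-oauth-temp-fix.tmpl`, which is labelled as a temporary hack; a doc comment on `defineServiceMeshFeatures` listing what the directory contributes would make that visible to whoever removes the hack later.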
@@ -49,7 +48,7 @@ func (k *Kserve) configureServerlessFeatures(s *feature.FeaturesInitializer) err ). WithResources(serverless.ServingCertificateResource). Manifests( - path.Join(templatesDir, "serving-istio-gateways"), + path.Join(feature.ServerlessDir, "serving-istio-gateways"), ). Load() if err != nil { diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml index 6e701ec8895..c4cd9c25a76 100644 --- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml 
@@ -89,6 +89,48 @@ spec: user experience; e.g. it provides unified authentication giving a Single Sign On experience. properties: + auth: + description: Auth holds configuration of authentication and authorization + services used by Service Mesh in Opendatahub. + properties: + authorino: + description: Authorino holds configuration of Authorino service + used as external authorization provider. + properties: + audiences: + default: + - https://kubernetes.default.svc + description: Audiences is a list of the identifiers that + the resource server presented with the token identifies + as. Audience-aware token authenticators will verify + that the token was intended for at least one of the + audiences in this list. If no audiences are provided, + the audience will default to the audience of the Kubernetes + apiserver (kubernetes.default.svc). + items: + type: string + type: array + image: + default: quay.io/kuadrant/authorino:v0.16.0 + description: Image allows to define a custom container + image to be used when deploying Authorino's instance. + type: string + label: + default: authorino/topic=odh + description: Label narrows amount of AuthConfigs to process + by Authorino service. + type: string + name: + default: authorino-mesh-authz-provider + description: Name specifies how external authorization + provider should be called. + type: string + type: object + namespace: + default: auth-provider + description: Namespace where it is deployed. + type: string + type: object controlPlane: description: ControlPlane holds configuration of Service Mesh used by Opendatahub. diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 3f8ca1b894a..4b1ae6cddc3 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -116,6 +116,30 @@ rules: - statefulsets verbs: - '*' +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs/instantiate + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - argoproj.io resources: @@ -128,6 +152,12 @@ rules: - tokenreviews verbs: - create +- apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs + verbs: + - '*' - apiGroups: - authorization.k8s.io resources: @@ -945,6 +975,12 @@ rules: - deletecollection - get - patch +- apiGroups: + - networking.istio.io + resources: + - envoyfilters + verbs: + - '*' - apiGroups: - networking.istio.io resources: @@ -1025,6 +1061,12 @@ rules: - patch - update - watch +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - '*' - apiGroups: - operator.knative.dev resources: @@ -1165,6 +1207,12 @@ rules: - patch - update - watch +- apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - '*' - apiGroups: - security.openshift.io resources: diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go index cb77179179b..56f20347e5a 100644 --- a/controllers/datasciencecluster/kubebuilder_rbac.go +++ b/controllers/datasciencecluster/kubebuilder_rbac.go 
@@ -4,14 +4,25 @@ package datasciencecluster //+kubebuilder:rbac:groups="datasciencecluster.opendatahub.io",resources=datascienceclusters/finalizers,verbs=update;patch //+kubebuilder:rbac:groups="datasciencecluster.opendatahub.io",resources=datascienceclusters,verbs=get;list;watch;create;update;patch;delete -/* Service Mesh prerequisite */ -// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshcontrolplanes,verbs=create;get;list;patch;update;use;watch - /* Serverless prerequisite */ // +kubebuilder:rbac:groups="networking.istio.io",resources=gateways,verbs=* // +kubebuilder:rbac:groups="operator.knative.dev",resources=knativeservings,verbs=* // +kubebuilder:rbac:groups="config.openshift.io",resources=ingresses,verbs=get +/* Service Mesh Integration */ +// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshcontrolplanes,verbs=create;get;list;patch;update;use;watch +// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmemberrolls,verbs=create;get;list;patch;update;use;watch +// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers,verbs=create;get;list;patch;update;use;watch +// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers/finalizers,verbs=create;get;list;patch;update;use;watch +// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/status,verbs=update;patch;delete +// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices,verbs=* +// +kubebuilder:rbac:groups="networking.istio.io",resources=gateways,verbs=* +// +kubebuilder:rbac:groups="networking.istio.io",resources=envoyfilters,verbs=* +// +kubebuilder:rbac:groups="security.istio.io",resources=authorizationpolicies,verbs=* +// +kubebuilder:rbac:groups="authorino.kuadrant.io",resources=authconfigs,verbs=* +// 
+kubebuilder:rbac:groups="operator.authorino.kuadrant.io",resources=authorinos,verbs=* + /* This is for DSP */ //+kubebuilder:rbac:groups="datasciencepipelinesapplications.opendatahub.io",resources=datasciencepipelinesapplications/status,verbs=update;patch;get //+kubebuilder:rbac:groups="datasciencepipelinesapplications.opendatahub.io",resources=datasciencepipelinesapplications/finalizers,verbs=update;patch @@ -93,10 +104,6 @@ package datasciencecluster // +kubebuilder:rbac:groups="networking.k8s.io",resources=networkpolicies,verbs=get;create;list;watch;delete;update;patch // +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=create;delete;list;update;watch;patch;get -// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/status,verbs=update;patch;delete -// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/finalizers,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices,verbs=* - // +kubebuilder:rbac:groups="monitoring.coreos.com",resources=servicemonitors,verbs=get;create;delete;update;watch;list;patch;deletecollection // +kubebuilder:rbac:groups="monitoring.coreos.com",resources=podmonitors,verbs=get;create;delete;update;watch;list;patch // +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheusrules,verbs=get;create;patch;delete;deletecollection @@ -199,7 +206,6 @@ package datasciencecluster // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates;issuers,verbs=create;patch -// OpenVino still need buildconfig // +kubebuilder:rbac:groups="build.openshift.io",resources=builds,verbs=create;patch;delete;list;watch // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs/instantiate,verbs=create;patch;delete;get;list;watch // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs,verbs=list;watch;create;patch;delete 
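Review bot: The new markers in the Service Mesh Integration block grant `verbs=*` on `envoyfilters`, `authorizationpolicies`, `authconfigs` and `authorinos`, which also covers `deletecollection` and any verb added later, whereas most of this file enumerates verbs; the code in this series only creates, reads, patches and deletes these objects, so listing `create;get;list;watch;update;patch;delete` keeps the operator's ClusterRole (generated into `config/rbac/role.yaml`) at least privilege. The `apps.openshift.io` `deploymentconfigs` and `deploymentconfigs/instantiate` rules added in the `@@ -230,6 +236,9 @@` hunk are not exercised by any code visible in this series; if a later patch needs them, a comment above them naming that component would justify the grant, otherwise they should go. The `// OpenVino still need buildconfig` comment is removed while the buildconfig rules it explained stay, so the reason for those rules is lost.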
@@ -230,6 +236,9 @@ package datasciencecluster // +kubebuilder:rbac:groups="*",resources=deployments,verbs=* // +kubebuilder:rbac:groups="extensions",resources=deployments,verbs=* +// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs/instantiate,verbs=get;list;watch;create;update;patch;delete + // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;patch;delete // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete;patch @@ -244,11 +253,6 @@ package datasciencecluster // +kubebuilder:rbac:groups="*",resources=customresourcedefinitions,verbs=get;list;watch -// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshcontrolplanes,verbs=create;get;list;patch;update;use;watch -// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmemberrolls,verbs=create;get;list;patch;update;use;watch -// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers,verbs=create;get;list;patch;update;use;watch -// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers/finalizers,verbs=create;get;list;patch;update;use;watch - /* Only for RHODS */ // +kubebuilder:rbac:groups="user.openshift.io",resources=groups,verbs=get;create;list;watch;patch;delete // +kubebuilder:rbac:groups="console.openshift.io",resources=consolelinks,verbs=create;get;patch;delete diff --git a/controllers/dscinitialization/servicemesh_setup.go b/controllers/dscinitialization/servicemesh_setup.go index e9250d57922..70259f21053 100644 --- a/controllers/dscinitialization/servicemesh_setup.go +++ b/controllers/dscinitialization/servicemesh_setup.go 
@@ -11,8 +11,6 @@ import ( "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh" ) -const templatesDir = "templates/servicemesh" - func (r *DSCInitializationReconciler) configureServiceMesh(instance *dsciv1.DSCInitialization) error { switch instance.Spec.ServiceMesh.ManagementState { case operatorv1.Managed: @@ -69,7 +67,7 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error { smcpCreation, errSmcp := feature.CreateFeature("mesh-control-plane-creation"). For(s.DSCInitializationSpec). Manifests( - path.Join(templatesDir, "base", "create-smcp.tmpl"), + path.Join(feature.ServiceMeshDir, "base", "create-smcp.tmpl"), ). PreConditions( servicemesh.EnsureServiceMeshOperatorInstalled, @@ -91,7 +89,7 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error { servicemesh.EnsureServiceMeshInstalled, ). Manifests( - path.Join(templatesDir, "metrics-collection"), + path.Join(feature.ServiceMeshDir, "metrics-collection"), ). Load() if errMetrics != nil { 
@@ -100,5 +98,46 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error { s.Features = append(s.Features, metricsCollection) } + cfMaps, cfgMapErr := feature.CreateFeature("shared-config-maps"). + For(s.DSCInitializationSpec). + WithResources(servicemesh.ConfigMaps). + Load() + if cfgMapErr != nil { + return cfgMapErr + } + s.Features = append(s.Features, cfMaps) + + extAuthz, extAuthzErr := feature.CreateFeature("service-mesh-control-plane-setup-external-authorization"). + For(s.DSCInitializationSpec). + Manifests( + path.Join(feature.AuthDir, "auth-smm.tmpl"), + path.Join(feature.AuthDir, "base"), + path.Join(feature.AuthDir, "mesh-authz-ext-provider.patch.tmpl"), + ). + WithData(servicemesh.ClusterDetails). + PreConditions( + feature.EnsureCRDIsInstalled("authconfigs.authorino.kuadrant.io"), + servicemesh.EnsureServiceMeshInstalled, + feature.CreateNamespaceIfNotExists(serviceMeshSpec.Auth.Namespace), + ). + PostConditions( + feature.WaitForPodsToBeReady(serviceMeshSpec.ControlPlane.Namespace), + feature.WaitForPodsToBeReady(serviceMeshSpec.Auth.Namespace), + func(f *feature.Feature) error { + // We do not have the control over deployment resource creation. + // It is created by Authorino operator using Authorino CR + // + // To make it part of Service Mesh we have to patch it with injection + // enabled instead, otherwise it will not have proxy pod injected. + return f.ApplyManifest(path.Join(feature.AuthDir, "deployment.injection.patch.tmpl")) + }, + ). + OnDelete(servicemesh.RemoveExtensionProvider). + Load() + if extAuthzErr != nil { + return extAuthzErr + } + s.Features = append(s.Features, extAuthz) + return nil } diff --git a/infrastructure/v1/servicemesh_types.go b/infrastructure/v1/servicemesh_types.go index 9c093d0c663..0c9e918b6dc 100644 --- a/infrastructure/v1/servicemesh_types.go +++ b/infrastructure/v1/servicemesh_types.go 
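Review bot: The sidecar-injection annotation is applied to the Authorino Deployment only in a PostCondition, after `WaitForPodsToBeReady(serviceMeshSpec.Auth.Namespace)` has already passed, so by the time the feature reports success the SMCP extension provider patched in from `mesh-authz-ext-provider.patch.tmpl` points at Authorino pods that were rolled out without an istio-proxy, while the Authorino instance itself is configured with its listener TLS disabled; the rollout the patch triggers is never waited on. Adding a second `feature.WaitForPodsToBeReady(serviceMeshSpec.Auth.Namespace)` after the `ApplyManifest` PostCondition (or folding the annotation into the Authorino manifest if the operator honours pod template annotations) closes that window. `serviceMeshSpec` is not declared inside this hunk; it presumably comes from earlier in `configureServiceMeshFeatures`, whose start is outside the hunk. The inline comment could also say `// Patching the pod template triggers a new rollout; the pods are not mesh members until it completes.`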
@@ -9,6 +9,9 @@ type ServiceMeshSpec struct { ManagementState operatorv1.ManagementState `json:"managementState,omitempty"` // ControlPlane holds configuration of Service Mesh used by Opendatahub. ControlPlane ControlPlaneSpec `json:"controlPlane,omitempty"` + // Auth holds configuration of authentication and authorization services + // used by Service Mesh in Opendatahub. + Auth AuthSpec `json:"auth,omitempty"` } type ControlPlaneSpec struct {
@@ -38,3 +41,30 @@ type IngressGatewaySpec struct {
 // the for Ingress Gateway.
 Certificate CertificateSpec `json:"certificate,omitempty"`
 }
+
+type AuthSpec struct {
+ // Namespace where it is deployed.
+ // +kubebuilder:default=auth-provider
+ Namespace string `json:"namespace,omitempty"`
+ // Authorino holds configuration of Authorino service used as external authorization provider.
+ Authorino AuthorinoSpec `json:"authorino,omitempty"`
+}
+
+type AuthorinoSpec struct {
+ // Name specifies how external authorization provider should be called.
+ // +kubebuilder:default=authorino-mesh-authz-provider
+ Name string `json:"name,omitempty"`
+ // Audiences is a list of the identifiers that the resource server presented
+ // with the token identifies as. Audience-aware token authenticators will verify
+ // that the token was intended for at least one of the audiences in this list.
+ // If no audiences are provided, the audience will default to the audience of the
+ // Kubernetes apiserver (kubernetes.default.svc).
+ // +kubebuilder:default={"https://kubernetes.default.svc"}
+ Audiences []string `json:"audiences,omitempty"`
+ // Label narrows amount of AuthConfigs to process by Authorino service.
+ // +kubebuilder:default=authorino/topic=odh
+ Label string `json:"label,omitempty"`
+ // Image allows to define a custom container image to be used when deploying Authorino's instance.
+ // +kubebuilder:default="quay.io/kuadrant/authorino:v0.16.0"
+ Image string `json:"image,omitempty"`
+}
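Review bot: `AuthSpec.Namespace`, `AuthorinoSpec.Name`, `Label` and `Image` carry no validation markers, yet they are interpolated verbatim and unquoted into YAML templates (`auth-smm.tmpl`, `operator-cluster-wide-no-tls.tmpl`, `mesh-authz-ext-provider.patch.tmpl`), so a value with YAML-significant characters or a non-DNS-1123 name either breaks rendering or changes the shape of the rendered object; add `// +kubebuilder:validation:MaxLength=63` and `// +kubebuilder:validation:Pattern=<DNS-1123 label regex>` on `Name` and `Namespace`, and quote the interpolations in the templates. The `Image` default pins a mutable tag (`quay.io/kuadrant/authorino:v0.16.0`); since this image makes the ext_authz decisions for the mesh, the field comment should say whether a digest-pinned reference is accepted and recommended. The `Label` comment reads awkwardly; `// Label is the label selector (key=value) that limits which AuthConfigs this Authorino instance reconciles.` states what the value actually is.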
diff --git a/infrastructure/v1/zz_generated.deepcopy.go b/infrastructure/v1/zz_generated.deepcopy.go index efc062e396b..aa0c027157d 100644 --- a/infrastructure/v1/zz_generated.deepcopy.go +++ b/infrastructure/v1/zz_generated.deepcopy.go @@ -23,6 +23,42 @@ package v1 import () +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthSpec) DeepCopyInto(out *AuthSpec) { + *out = *in + in.Authorino.DeepCopyInto(&out.Authorino) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSpec. +func (in *AuthSpec) DeepCopy() *AuthSpec { + if in == nil { + return nil + } + out := new(AuthSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthorinoSpec) DeepCopyInto(out *AuthorinoSpec) { + *out = *in + if in.Audiences != nil { + in, out := &in.Audiences, &out.Audiences + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorinoSpec. +func (in *AuthorinoSpec) DeepCopy() *AuthorinoSpec { + if in == nil { + return nil + } + out := new(AuthorinoSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = *in @@ -73,6 +109,7 @@ func (in *IngressGatewaySpec) DeepCopy() *IngressGatewaySpec { func (in *ServiceMeshSpec) DeepCopyInto(out *ServiceMeshSpec) { *out = *in out.ControlPlane = in.ControlPlane + in.Auth.DeepCopyInto(&out.Auth) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceMeshSpec. diff --git a/pkg/cluster/cluster_config.go b/pkg/cluster/cluster_config.go new file mode 100644 index 00000000000..9ff2b903e9c --- /dev/null 
+++ b/pkg/cluster/cluster_config.go
@@ -0,0 +1,27 @@
+package cluster
+
+import (
+ "context"
+ "errors"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/client-go/dynamic"
+
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/gvr"
+)
+
+// +kubebuilder:rbac:groups="config.openshift.io",resources=ingresses,verbs=get
+
+func GetDomain(dynamicClient dynamic.Interface) (string, error) {
+ cluster, err := dynamicClient.Resource(gvr.OpenshiftIngress).Get(context.TODO(), "cluster", metav1.GetOptions{})
+ if err != nil {
+ return "", err
+ }
+
+ domain, found, err := unstructured.NestedString(cluster.Object, "spec", "domain")
+ if !found {
+ return "", errors.New("spec.domain not found")
+ }
+ return domain, err
+}
diff --git a/pkg/deploy/setup.go b/pkg/deploy/setup.go
index 206ef9eab49..febbf754ee7 100644
--- a/pkg/deploy/setup.go
+++ b/pkg/deploy/setup.go
@@ -4,10 +4,13 @@ import ( "context" "strings" + operatorv1 "github.com/openshift/api/operator/v1" ofapi "github.com/operator-framework/api/pkg/operators/v1alpha1" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" "sigs.k8s.io/controller-runtime/pkg/client" + + dsci "github.com/opendatahub-io/opendatahub-operator/v2/apis/dscinitialization/v1" ) const (
@@ -89,3 +92,14 @@ func GetPlatform(cli client.Client) (Platform, error) {
 // check and return whether ODH or self-managed platform
 return isSelfManaged(cli)
 }
+
+// ShouldConfigureServiceMesh determines if the operator should invoke service-mesh specific setup.
+func ShouldConfigureServiceMesh(cli client.Client, dscispec *dsci.DSCInitializationSpec) (bool, error) {
+ platform, err := GetPlatform(cli)
+ if err != nil {
+ return false, err
+ }
+
+ supportedPlatforms := platform == OpenDataHub || platform == Unknown
+ return dscispec.ServiceMesh.ManagementState == operatorv1.Managed && supportedPlatforms, nil
+}
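Review bot: `GetDomain` tests `found` before `err`, so when `unstructured.NestedString` returns an error because `spec.domain` exists but is not a string, the caller sees the generic `spec.domain not found` and the real error is dropped; check the error first, `if err != nil { return "", err }`, then `if !found {...}`, after which the final line can be `return domain, nil`. The API call uses `context.TODO()`; this is code moved from `pkg/feature/serverless/resources.go`, and since both callers are being touched anyway, adding a `ctx context.Context` parameter now would let the reconciler's cancellation reach this lookup. The exported function also needs a doc comment starting with its name, e.g. `// GetDomain returns spec.domain of the cluster-scoped OpenShift Ingress config named "cluster".`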
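Review bot: `ShouldConfigureServiceMesh` counts `platform == Unknown` as a supported platform, so a failed or inconclusive platform detection still enables the Service Mesh setup whenever `ManagementState` is Managed. If that is intended, say so where the decision is made, e.g. `// Unknown is accepted so that clusters whose platform cannot be identified still get mesh setup when it is explicitly requested.`; if not, drop `Unknown` from `supportedPlatforms`. The doc comment should also name which platforms are excluded, since the answer is currently only readable from the boolean expression.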
diff --git a/pkg/feature/feature.go b/pkg/feature/feature.go index dbcb0a83afd..f8edf309c95 100644 --- a/pkg/feature/feature.go +++ b/pkg/feature/feature.go @@ -161,6 +161,16 @@ func (f *Feature) addCleanup(cleanupFuncs ...Action) { f.cleanups = append(f.cleanups, cleanupFuncs...) } +func (f *Feature) ApplyManifest(path string) error { + m := createManifestFrom(embeddedFiles, path) + + if err := m.process(f.Spec); err != nil { + return err + } + + return f.apply(m) +} + type apply func(data string) error func (f *Feature) apply(m manifest) error { diff --git a/pkg/feature/manifest.go b/pkg/feature/manifest.go index 2726e2d0e23..d409668729a 100644 --- a/pkg/feature/manifest.go +++ b/pkg/feature/manifest.go @@ -14,6 +14,13 @@ import ( //go:embed templates var embeddedFiles embed.FS +const ( + ServiceMeshDir = "servicemesh" + ServerlessDir = "serverless" + AuthDir = ServiceMeshDir + string(filepath.Separator) + "authorino" + KServeDir = ServiceMeshDir + string(filepath.Separator) + "kserve" +) + type manifest struct { name, path, diff --git a/pkg/feature/serverless/loaders.go b/pkg/feature/serverless/loaders.go index 115034dbdcc..3abf6ae2f7c 100644 --- a/pkg/feature/serverless/loaders.go +++ b/pkg/feature/serverless/loaders.go @@ -4,6 +4,7 @@ import ( "fmt" "strings" + "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" ) @@ -23,7 +24,7 @@ func ServingIngressDomain(f *feature.Feature) error { domain := strings.TrimSpace(f.Spec.Serving.IngressGateway.Domain) if len(domain) == 0 { var errDomain error - domain, errDomain = GetDomain(f.DynamicClient) + domain, errDomain = cluster.GetDomain(f.DynamicClient) if errDomain != nil { return fmt.Errorf("failed to fetch OpenShift domain to generate certificate for Serverless: %w", errDomain) } diff --git a/pkg/feature/serverless/resources.go b/pkg/feature/serverless/resources.go index d06e4f1ae21..e3360ddef0c 100644 
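Review bot: `ApplyManifest` is a new exported method with no doc comment, and the name does not tell a caller that the argument is a location inside the embedded `templates` FS (`createManifestFrom(embeddedFiles, path)`) or that the file is processed with `f.Spec` before being applied. Suggest `// ApplyManifest renders the embedded template at manifestPath (presumably relative to the embedded templates directory) with f.Spec and applies the result to the cluster.`, with the "presumably" resolved once `createManifestFrom` is checked. Naming the parameter `path` also shadows the `path` package for the body if this file imports it; `manifestPath` avoids that. The enclosing file continues outside the hunk.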
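Review bot: `AuthDir` and `KServeDir` are built with `filepath.Separator`, but they are only ever used as keys into `embeddedFiles`, an `embed.FS`, which uses forward slashes on every OS, and the callers in `kserve.go` and `servicemesh_setup.go` join onto them with `path.Join`, not `filepath.Join`; on Windows the separator becomes `\` and the embedded lookup fails. Use a literal slash, `AuthDir = ServiceMeshDir + "/authorino"` and `KServeDir = ServiceMeshDir + "/kserve"`, and add a comment on the const block: `// Paths into the embedded templates FS; always slash-separated, never OS paths.`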
--- a/pkg/feature/serverless/resources.go +++ b/pkg/feature/serverless/resources.go @@ -1,30 +1,9 @@ package serverless import ( - "context" - - "github.com/pkg/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/client-go/dynamic" - "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" - "github.com/opendatahub-io/opendatahub-operator/v2/pkg/gvr" ) func ServingCertificateResource(f *feature.Feature) error { return f.CreateSelfSignedCertificate(f.Spec.KnativeCertificateSecret, f.Spec.Serving.IngressGateway.Certificate.Type, f.Spec.KnativeIngressDomain, f.Spec.ControlPlane.Namespace) } - -func GetDomain(dynamicClient dynamic.Interface) (string, error) { - cluster, err := dynamicClient.Resource(gvr.OpenshiftIngress).Get(context.TODO(), "cluster", metav1.GetOptions{}) - if err != nil { - return "", err - } - - domain, found, err := unstructured.NestedString(cluster.Object, "spec", "domain") - if !found { - return "", errors.New("spec.domain not found") - } - return domain, err -} diff --git a/pkg/feature/servicemesh/cleanup.go b/pkg/feature/servicemesh/cleanup.go new file mode 100644 index 00000000000..5aace52efee --- /dev/null +++ b/pkg/feature/servicemesh/cleanup.go 
@@ -0,0 +1,60 @@
+package servicemesh
+
+import (
+ "context"
+ "fmt"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ ctrlLog "sigs.k8s.io/controller-runtime/pkg/log"
+
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature"
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/gvr"
+)
+
+var log = ctrlLog.Log.WithName("features")
+
+func RemoveExtensionProvider(f *feature.Feature) error {
+ ossmAuthzProvider := fmt.Sprintf("%s-odh-auth-provider", f.Spec.AppNamespace)
+
+ mesh := f.Spec.ControlPlane
+
+ smcp, err := f.DynamicClient.Resource(gvr.SMCP).
+ Namespace(mesh.Namespace).
+ Get(context.TODO(), mesh.Name, metav1.GetOptions{})
+ if err != nil {
+ return err
+ }
+
+ extensionProviders, found, err := unstructured.NestedSlice(smcp.Object, "spec", "techPreview", "meshConfig", "extensionProviders")
+ if err != nil {
+ return err
+ }
+ if !found {
+ log.Info("no extension providers found", "f", f.Name, "control-plane", mesh.Name, "namespace", mesh.Namespace)
+ return nil
+ }
+
+ for i, v := range extensionProviders {
+ extensionProvider, ok := v.(map[string]interface{})
+ if !ok {
+ fmt.Println("Unexpected type for extensionProvider")
+ continue
+ }
+
+ if extensionProvider["name"] == ossmAuthzProvider {
+ extensionProviders = append(extensionProviders[:i], extensionProviders[i+1:]...)
+ err = unstructured.SetNestedSlice(smcp.Object, extensionProviders, "spec", "techPreview", "meshConfig", "extensionProviders")
+ if err != nil {
+ return err
+ }
+ break
+ }
+ }
+
+ _, err = f.DynamicClient.Resource(gvr.SMCP).
+ Namespace(mesh.Namespace).
+ Update(context.TODO(), smcp, metav1.UpdateOptions{})
+
+ return err
+}
diff --git a/pkg/feature/servicemesh/loaders.go b/pkg/feature/servicemesh/loaders.go
new file mode 100644
index 00000000000..9eabf96c2ef
--- /dev/null
+++ b/pkg/feature/servicemesh/loaders.go
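Review bot: `RemoveExtensionProvider` reports the unexpected-type case with `fmt.Println` although the file defines `log`, a controller-runtime logger, two declarations above, so that message bypasses the operator's structured logging; use `log.Info("unexpected type for extensionProvider", "f", f.Name, "index", i)`. The `Update` is issued even when no provider matched, and it has no conflict handling, so a concurrent write to the SMCP by the mesh operator turns an uninstall into a conflict error; returning `nil` when nothing was removed and wrapping get-modify-update in `retry.RetryOnConflict` from `k8s.io/client-go/util/retry` makes the cleanup idempotent and resilient. The function also uses `context.TODO()` twice; if `Feature` can carry a context, passing it through would let a cancelled uninstall stop here.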
@@ -0,0 +1,20 @@
+package servicemesh
+
+import (
+ "github.com/pkg/errors"
+
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster"
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature"
+)
+
+func ClusterDetails(f *feature.Feature) error {
+ data := f.Spec
+
+ if domain, err := cluster.GetDomain(f.DynamicClient); err == nil {
+ data.Domain = domain
+ } else {
+ return errors.WithStack(err)
+ }
+
+ return nil
+}
diff --git a/pkg/feature/servicemesh/resources.go b/pkg/feature/servicemesh/resources.go
new file mode 100644
index 00000000000..a4fc661e4f1
--- /dev/null
+++ b/pkg/feature/servicemesh/resources.go
@@ -0,0 +1,31 @@
+package servicemesh
+
+import (
+ "strings"
+
+ "github.com/pkg/errors"
+
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature"
+)
+
+func ConfigMaps(feature *feature.Feature) error {
+ meshConfig := feature.Spec.ControlPlane
+ if err := feature.CreateConfigMap("service-mesh-refs",
+ map[string]string{
+ "CONTROL_PLANE_NAME": meshConfig.Name,
+ "MESH_NAMESPACE": meshConfig.Namespace,
+ }); err != nil {
+ return errors.WithStack(err)
+ }
+
+ authorinoConfig := feature.Spec.Auth.Authorino
+ if err := feature.CreateConfigMap("auth-refs",
+ map[string]string{
+ "AUTHORINO_LABEL": authorinoConfig.Label,
+ "AUTH_AUDIENCE": strings.Join(authorinoConfig.Audiences, ","),
+ }); err != nil {
+ return errors.WithStack(err)
+ }
+
+ return nil
+}
diff --git a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl
new file mode 100644
index 00000000000..6b0aa06aa82
--- /dev/null
+++ b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl
@@ -0,0 +1,10 @@
+apiVersion: maistra.io/v1
+kind: ServiceMeshMember
+metadata:
+ name: default
+ namespace: {{ .Auth.Namespace }}
+spec:
+ controlPlaneRef:
+ namespace: {{ .ControlPlane.Namespace }}
+ name: {{ .ControlPlane.Name }}
+ 
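Review bot: `data := f.Spec` followed by `data.Domain = domain` only reaches the feature if `Feature.Spec` is a pointer; if it is a struct value the write lands on a copy and `.Domain` stays empty in every template that uses it — this needs confirming against `feature.Feature`, and writing `f.Spec.Domain = domain` removes the doubt either way. The success-first `if ...; err == nil { } else { return }` shape inverts the usual Go error flow; `domain, err := cluster.GetDomain(f.DynamicClient)` / `if err != nil { return errors.WithStack(err) }` / `f.Spec.Domain = domain` reads like the rest of the package. The exported `ClusterDetails` also lacks a doc comment, e.g. `// ClusterDetails fills the feature spec with values read from the cluster (currently the OpenShift ingress domain).`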
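Review bot: The parameter of `ConfigMaps` is named `feature`, which shadows the imported `feature` package for the whole body; it compiles today only because the body never refers to the package, and the first edit that needs a `feature.` identifier will fail in a confusing way — rename it to `f` as the sibling loaders do. The `auth-refs` ConfigMap flattens `Audiences` with `strings.Join(..., ",")`, so an audience containing a comma cannot round-trip; the default values are URLs so this is unlikely, but the consumer's split convention belongs in a comment such as `// AUTH_AUDIENCE is comma-separated; consumers split on ','.`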
diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl new file mode 100644 index 00000000000..95b1a8fb63b --- /dev/null +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl @@ -0,0 +1,15 @@ +apiVersion: operator.authorino.kuadrant.io/v1beta1 +kind: Authorino +metadata: + name: {{ .Auth.Authorino.Name }} + namespace: {{ .Auth.Namespace }} +spec: + image: {{ .Auth.Authorino.Image }} + authConfigLabelSelectors: {{ .Auth.Authorino.Label }} + clusterWide: true + listener: + tls: + enabled: false + oidcServer: + tls: + enabled: false diff --git a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl new file mode 100644 index 00000000000..e15fb31100f --- /dev/null +++ b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl @@ -0,0 +1,10 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Auth.Authorino.Name }} + namespace: {{ .Auth.Namespace }} +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "true" diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl new file mode 100644 index 00000000000..706c995dc4c --- /dev/null +++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl @@ -0,0 +1,13 @@ +apiVersion: maistra.io/v2 +kind: ServiceMeshControlPlane +metadata: + name: {{ .ControlPlane.Name }} + namespace: {{ .ControlPlane.Namespace }} +spec: + techPreview: + meshConfig: + extensionProviders: + - name: {{ .AppNamespace }}-odh-auth-provider + envoyExtAuthzGrpc: + service: {{ .Auth.Authorino.Name }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local + port: 50051 
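Review bot: This Authorino instance is created with `listener.tls.enabled: false` and `oidcServer.tls.enabled: false`, so the authorization gRPC endpoint the SMCP extension provider calls on port 50051 and the OIDC discovery endpoint are plaintext, and the only transport protection is mesh mTLS after the sidecar is injected by a later PostCondition; the filename records the choice, but nothing in the template or in the `AuthSpec` docs does, so a header comment such as `# TLS is intentionally disabled: the pod is a ServiceMeshMember and relies on mesh mTLS for transport security` would stop a future change to mesh mTLS mode from silently exposing the provider. With `clusterWide: true`, the `{{ .Auth.Authorino.Label }}` selector is the only thing scoping which AuthConfigs feed this provider, so any namespace where users may create AuthConfigs carrying that label can add rules to the mesh-wide provider; if that is the intended multi-tenant model it should be documented on `AuthorinoSpec.Label`, otherwise a namespaced instance is the safer shape. `authConfigLabelSelectors: {{ .Auth.Authorino.Label }}` is also an unquoted interpolation, so the value should be validated or quoted.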
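Review bot: `spec.techPreview.meshConfig.extensionProviders` is a list, and this file is a `.patch.tmpl`; if the manifest apply path sends it as a merge patch, the whole list is replaced rather than appended to, and any extension provider an administrator or another component already configured on the SMCP is silently dropped — worth confirming how patch templates are applied, and if it is a replace, reading the existing list and appending to it the way `RemoveExtensionProvider` in `cleanup.go` already does for the reverse operation. The provider name `{{ .AppNamespace }}-odh-auth-provider` must agree with the `fmt.Sprintf("%s-odh-auth-provider", f.Spec.AppNamespace)` in `cleanup.go` and with the `provider.name` in `kserve/grpc-authorizationpolicy.tmpl`; a comment here, `# keep in sync with pkg/feature/servicemesh/cleanup.go and kserve/grpc-authorizationpolicy.tmpl`, would keep the three from drifting.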
diff --git a/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl b/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl new file mode 100644 index 00000000000..5a6286b3d0a --- /dev/null +++ b/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl @@ -0,0 +1,42 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + labels: + app: odh + name: activator-host-header + namespace: {{ .ControlPlane.Namespace }} +spec: + priority: 20 + workloadSelector: + labels: + component: predictor + configPatches: + - applyTo: HTTP_FILTER + match: + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.lua + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + inlineCode: | + function envoy_on_request(request_handle) + local headers = request_handle:headers() + if not headers then + return + end + + local original_host = headers:get("k-original-host") + if original_host then + + port_seperator = string.find(original_host, ":", 7) + if port_seperator then + original_host = string.sub(original_host, 0, port_seperator-1) + end + headers:replace('host', original_host) + end + end diff --git a/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl b/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl new file mode 100644 index 00000000000..ee0678003dd --- /dev/null +++ b/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl 
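Review bot: The Lua filter on predictor workloads replaces `host` with whatever arrives in the `k-original-host` request header, and nothing in the match or the script restricts that to traffic coming from the Knative activator, so the Host value the application and every later filter see is caller-controlled; where this filter lands relative to the ext_authz filter should be confirmed, because if authorization runs after it, Authorino evaluates a rewritten Host. A comment stating who is expected to set the header and why the rewrite exists, e.g. `# k-original-host is set by the Knative activator; restore it as Host so the predictor sees the external hostname`, records the trust assumption for the next reader. `port_seperator` is misspelled (`port_separator`), and the hard-coded start offset `7` in `string.find(original_host, ":", 7)` deserves an inline comment explaining which prefix it skips.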
@@ -0,0 +1,79 @@
+# https://issues.redhat.com/browse/OSSM-4873
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: envoy-oauth-temp-fix-before
+ namespace: {{ .ControlPlane.Namespace }}
+ labels:
+ app: odh
+ temp: hack
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ priority: 20
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.filters.http.lua
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+ inlineCode: |
+ function envoy_on_request(request_handle)
+ local headers = request_handle:headers()
+ if not headers then
+ return
+ end
+
+ local auth = headers:get("authorization")
+ if auth then
+ headers:replace("x-authorization", auth)
+ end
+ end
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: envoy-oauth-temp-fix-after
+ namespace: {{ .ControlPlane.Namespace }}
+ labels:
+ app: odh
+ temp: hack
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ priority: 5
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.filters.http.lua
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+ inlineCode: |
+ function envoy_on_request(request_handle)
+ local headers = request_handle:headers()
+ if not headers then
+ return
+ end
+
+ local xauth = headers:get("x-authorization")
+ if xauth then
+ headers:replace("authorization", xauth)
+ headers.remove("x-authorization")
+ end
+ end
diff --git a/pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl b/pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl
new file mode 100644
index 00000000000..e0b57df4a56
--- /dev/null
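Review bot: `headers.remove("x-authorization")` in the envoy-oauth-temp-fix-after filter uses a dot instead of a method call, so the headers object is not passed as `self` and the call errors at request time; it should be `headers:remove("x-authorization")`. The hand-off between the two filters also treats `x-authorization` as internal state, but nothing clears a value an external client sends in: the "before" filter only overwrites it when `authorization` is present, and the "after" filter promotes any `x-authorization` into `authorization`. Removing it up front in the "before" filter (`headers:remove("x-authorization")` ahead of the `if auth then` block) keeps the header a purely internal carrier. A short comment on what runs between priority 20 and priority 5 and consumes `authorization` (the OSSM-4873 link hints at it) would make the `temp: hack` workaround maintainable and removable.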
+++ b/pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl @@ -0,0 +1,19 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: kserve-predicator + namespace: {{ .ControlPlane.Namespace }} +spec: + action: CUSTOM + provider: + name: opendatahub-odh-auth-provider + rules: + - to: + - operation: + notPaths: + - /healthz* + ports: + - "8013" + selector: + matchLabels: + component: predictor From 2bd12d869d7250b11d0e91a27427e586a42d7e6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Mon, 15 Jan 2024 14:34:24 -0600 Subject: [PATCH 02/28] Fix linter issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- components/kserve/kserve.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index 8f472c457a1..4b51832d342 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -154,7 +154,7 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC // CloudService Monitoring handling if platform == deploy.ManagedRhods { if enabled { - // first check if the service is up, so prometheus wont fire alerts when it is just startup + // first check if the service is up, so prometheus won't fire alerts when it is just startup if err := monitoring.WaitForDeploymentAvailable(ctx, resConf, ComponentName, dscispec.ApplicationsNamespace, 20, 2); err != nil { return fmt.Errorf("deployment for %s is not ready to server: %w", ComponentName, err) } 
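Review bot: The AuthorizationPolicy hardcodes `provider: name: opendatahub-odh-auth-provider`, while the extension provider registered by mesh-authz-ext-provider.patch.tmpl is named `{{ .AppNamespace }}-odh-auth-provider`; for any applications namespace other than `opendatahub` the policy references a provider that does not exist, and how Istio treats a CUSTOM policy with an unknown provider should not be relied on. Use the same template expression here, `name: {{ .AppNamespace }}-odh-auth-provider`, so the two cannot drift. Because `notPaths` and `ports` sit in the same `operation`, the CUSTOM action applies only to non-`/healthz*` requests on port 8013, and every other port on the predictor pod is simply not subject to ext-authz; if that is intentional it deserves a comment on the rule.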
@@ -166,12 +166,8 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC } } - if enabled { - if err := k.configureServiceMesh(cli, dscispec); err != nil { - return err - } - } - return nil + configureMeshErr := k.configureServiceMesh(cli, dscispec, enabled) + return configureMeshErr } func (k *Kserve) Cleanup(_ client.Client, instance *dsciv1.DSCInitializationSpec) error { @@ -238,7 +234,11 @@ func checkDepedentOps(cli client.Client) *multierror.Error { return multiErr } -func (k *Kserve) configureServiceMesh(cli client.Client, dscispec *dsciv1.DSCInitializationSpec) error { +func (k *Kserve) configureServiceMesh(cli client.Client, dscispec *dsciv1.DSCInitializationSpec, enabled bool) error { + if !enabled { + return nil + } + shouldConfigureServiceMesh, err := deploy.ShouldConfigureServiceMesh(cli, dscispec) if err != nil { return err From 24a88c498c67829ca1ce06cdc55d1c6323b88137 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Tue, 16 Jan 2024 13:07:44 -0600 Subject: [PATCH 03/28] Resolve feedback: Bartosz MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- ...ion.opendatahub.io_dscinitializations.yaml | 15 ------------ config/rbac/role.yaml | 24 ------------------- .../datasciencecluster/kubebuilder_rbac.go | 4 +--- infrastructure/v1/servicemesh_types.go | 11 +-------- infrastructure/v1/zz_generated.deepcopy.go | 8 +++++-- pkg/feature/builder.go | 5 ++++ pkg/feature/servicemesh/resources.go | 3 +-- .../base/operator-cluster-wide-no-tls.tmpl | 6 ++--- .../authorino/deployment.injection.patch.tmpl | 2 +- .../mesh-authz-ext-provider.patch.tmpl | 2 +- pkg/feature/types.go | 7 ++++++ 11 files changed, 26 insertions(+), 61 deletions(-) 
diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml index c4cd9c25a76..a3b7a048eb4 100644 --- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml @@ -110,21 +110,6 @@ spec: items: type: string type: array - image: - default: quay.io/kuadrant/authorino:v0.16.0 - description: Image allows to define a custom container - image to be used when deploying Authorino's instance. - type: string - label: - default: authorino/topic=odh - description: Label narrows amount of AuthConfigs to process - by Authorino service. - type: string - name: - default: authorino-mesh-authz-provider - description: Name specifies how external authorization - provider should be called. - type: string type: object namespace: default: auth-provider diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 4b1ae6cddc3..bd360589f52 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -116,30 +116,6 @@ rules: - statefulsets verbs: - '*' -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs/instantiate - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - argoproj.io resources: diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go index 56f20347e5a..9a57978e005 100644 --- a/controllers/datasciencecluster/kubebuilder_rbac.go +++ b/controllers/datasciencecluster/kubebuilder_rbac.go 
@@ -206,6 +206,7 @@ package datasciencecluster // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates;issuers,verbs=create;patch +// OpenVino still need buildconfig // +kubebuilder:rbac:groups="build.openshift.io",resources=builds,verbs=create;patch;delete;list;watch // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs/instantiate,verbs=create;patch;delete;get;list;watch // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs,verbs=list;watch;create;patch;delete @@ -236,9 +237,6 @@ package datasciencecluster // +kubebuilder:rbac:groups="*",resources=deployments,verbs=* // +kubebuilder:rbac:groups="extensions",resources=deployments,verbs=* -// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs/instantiate,verbs=get;list;watch;create;update;patch;delete - // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;patch;delete // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete;patch diff --git a/infrastructure/v1/servicemesh_types.go b/infrastructure/v1/servicemesh_types.go index 0c9e918b6dc..3199c98a856 100644 --- a/infrastructure/v1/servicemesh_types.go +++ b/infrastructure/v1/servicemesh_types.go 
@@ -51,20 +51,11 @@ type AuthSpec struct { } type AuthorinoSpec struct { - // Name specifies how external authorization provider should be called. - // +kubebuilder:default=authorino-mesh-authz-provider - Name string `json:"name,omitempty"` // Audiences is a list of the identifiers that the resource server presented // with the token identifies as. Audience-aware token authenticators will verify // that the token was intended for at least one of the audiences in this list. // If no audiences are provided, the audience will default to the audience of the // Kubernetes apiserver (kubernetes.default.svc). // +kubebuilder:default={"https://kubernetes.default.svc"} - Audiences []string `json:"audiences,omitempty"` - // Label narrows amount of AuthConfigs to process by Authorino service. - // +kubebuilder:default=authorino/topic=odh - Label string `json:"label,omitempty"` - // Image allows to define a custom container image to be used when deploying Authorino's instance. - // +kubebuilder:default="quay.io/kuadrant/authorino:v0.16.0" - Image string `json:"image,omitempty"` + Audiences *[]string `json:"audiences,omitempty"` } diff --git a/infrastructure/v1/zz_generated.deepcopy.go b/infrastructure/v1/zz_generated.deepcopy.go index aa0c027157d..6420779aeec 100644 --- a/infrastructure/v1/zz_generated.deepcopy.go +++ b/infrastructure/v1/zz_generated.deepcopy.go @@ -44,8 +44,12 @@ func (in *AuthorinoSpec) DeepCopyInto(out *AuthorinoSpec) { *out = *in if in.Audiences != nil { in, out := &in.Audiences, &out.Audiences - *out = make([]string, len(*in)) - copy(*out, *in) + *out = new([]string) + if **in != nil { + in, out := *in, *out + *out = make([]string, len(*in)) + copy(*out, *in) + } } } diff --git a/pkg/feature/builder.go b/pkg/feature/builder.go index c84324f38bd..cef7f0597d6 100644 --- a/pkg/feature/builder.go +++ b/pkg/feature/builder.go 
@@ -40,6 +40,11 @@ func (fb *featureBuilder) For(spec *v1.DSCInitializationSpec) *featureBuilder { ServiceMeshSpec: &spec.ServiceMesh, Serving: &infrav1.ServingSpec{}, AppNamespace: spec.ApplicationsNamespace, + AuthorinoConfigs: AuthorinoConfigs{ + CrName: "authorino-mesh-authz-provider", + ContainerImage: "quay.io/kuadrant/authorino:v0.16.0", + LabelSelectors: "authorino/topic=odh", + }, } return nil diff --git a/pkg/feature/servicemesh/resources.go b/pkg/feature/servicemesh/resources.go index a4fc661e4f1..f35f40ec020 100644 --- a/pkg/feature/servicemesh/resources.go +++ b/pkg/feature/servicemesh/resources.go @@ -21,8 +21,7 @@ func ConfigMaps(feature *feature.Feature) error { authorinoConfig := feature.Spec.Auth.Authorino if err := feature.CreateConfigMap("auth-refs", map[string]string{ - "AUTHORINO_LABEL": authorinoConfig.Label, - "AUTH_AUDIENCE": strings.Join(authorinoConfig.Audiences, ","), + "AUTH_AUDIENCE": strings.Join(*authorinoConfig.Audiences, ","), }); err != nil { return errors.WithStack(err) } diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl index 95b1a8fb63b..85a2bd554a7 100644 --- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl @@ -1,11 +1,11 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: - name: {{ .Auth.Authorino.Name }} + name: {{ .AuthorinoConfigs.CrName }} namespace: {{ .Auth.Namespace }} spec: - image: {{ .Auth.Authorino.Image }} - authConfigLabelSelectors: {{ .Auth.Authorino.Label }} + image: {{ .AuthorinoConfigs.ContainerImage }} + authConfigLabelSelectors: {{ .AuthorinoConfigs.LabelSelectors }} clusterWide: true listener: tls: 
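Review bot: `strings.Join(*authorinoConfig.Audiences, ",")` in ConfigMaps dereferences the new `*[]string` unconditionally; the CRD default `{"https://kubernetes.default.svc"}` is applied by the API server, so a DSCInitializationSpec constructed in Go (tests, programmatic callers) leaves the pointer nil and this line panics. Guard it before the join — `var audiences []string` / `if authorinoConfig.Audiences != nil { audiences = *authorinoConfig.Audiences }` — or drop the pointer in the servicemesh_types.go hunk, since a nil slice with `omitempty` already expresses "not set" and keeps the generated DeepCopyInto simple. ConfigMaps starts and continues outside the hunk.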
diff --git a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl index e15fb31100f..1b9600b6918 100644 --- a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Auth.Authorino.Name }} + name: {{ .AuthorinoConfigs.CrName }} namespace: {{ .Auth.Namespace }} spec: template: diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl index 706c995dc4c..b7d77d040d1 100644 --- a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl @@ -9,5 +9,5 @@ spec: extensionProviders: - name: {{ .AppNamespace }}-odh-auth-provider envoyExtAuthzGrpc: - service: {{ .Auth.Authorino.Name }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local + service: {{ .AuthorinoConfigs.CrName }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local port: 50051 diff --git a/pkg/feature/types.go b/pkg/feature/types.go index 7b5da4cc7b8..fb17d0ba131 100644 --- a/pkg/feature/types.go +++ b/pkg/feature/types.go @@ -10,6 +10,7 @@ import ( type Spec struct { *infrav1.ServiceMeshSpec Serving *infrav1.ServingSpec + AuthorinoConfigs AuthorinoConfigs OAuth OAuth AppNamespace string Domain string @@ -27,6 +28,12 @@ type OAuth struct { Hmac string } +type AuthorinoConfigs struct { + CrName, + ContainerImage, + LabelSelectors string +} + func ReplaceChar(s string, oldChar, newChar string) string { return strings.ReplaceAll(s, oldChar, newChar) } From eb96386c0f70ddcca6cadc843bdb766a1be1fb24 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Thu, 18 Jan 2024 14:04:39 -0600 Subject: [PATCH 04/28] fix: Remove port from the authorization policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also, add `/metrics` to the ignored paths for auth. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- ...policy.tmpl => kserve-predictor-authorizationpolicy.tmpl} | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) rename pkg/feature/templates/servicemesh/kserve/{grpc-authorizationpolicy.tmpl => kserve-predictor-authorizationpolicy.tmpl} (84%) diff --git a/pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl similarity index 84% rename from pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl rename to pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl index e0b57df4a56..5a70356c29c 100644 --- a/pkg/feature/templates/servicemesh/kserve/grpc-authorizationpolicy.tmpl +++ b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl @@ -1,7 +1,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: kserve-predicator + name: kserve-predictor namespace: {{ .ControlPlane.Namespace }} spec: action: CUSTOM @@ -12,8 +12,7 @@ spec: - operation: notPaths: - /healthz* - ports: - - "8013" + - /metrics selector: matchLabels: component: predictor From 189d41af1295246014e89dbefb940dd36073e8af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Thu, 18 Jan 2024 15:05:53 -0600 Subject: [PATCH 05/28] Fix feedback: Bartosz MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
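Review bot: Dropping `ports: - "8013"` from the operation widens the CUSTOM policy from one predictor port to every port the predictor pod serves, and the added `- /metrics` exemption is consequently reachable without ext-authz on all of them; if the scrape endpoint lives on one known port, a second rule that keeps a `ports` constraint for that exemption limits the unauthenticated surface. The reason for removing the port is not in the commit message and belongs in a comment on the rule, e.g. `# no port filter: predictor serves HTTP and gRPC on different ports`, if that is the reason.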
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- components/kserve/kserve.go | 25 ++++++------------- pkg/deploy/setup.go | 14 ----------- pkg/feature/builder.go | 4 +-- pkg/feature/servicemesh/cleanup.go | 4 +-- .../base/operator-cluster-wide-no-tls.tmpl | 5 ++-- .../authorino/deployment.injection.patch.tmpl | 2 +- .../mesh-authz-ext-provider.patch.tmpl | 2 +- pkg/feature/types.go | 4 +-- 8 files changed, 15 insertions(+), 45 deletions(-) diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index 4b51832d342..40c0a6aec70 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -166,7 +166,7 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC } } - configureMeshErr := k.configureServiceMesh(cli, dscispec, enabled) + configureMeshErr := k.configureServiceMesh(dscispec) return configureMeshErr } 
@@ -234,29 +234,18 @@ func checkDepedentOps(cli client.Client) *multierror.Error { return multiErr } -func (k *Kserve) configureServiceMesh(cli client.Client, dscispec *dsciv1.DSCInitializationSpec, enabled bool) error { - if !enabled { +func (k *Kserve) configureServiceMesh(dscispec *dsciv1.DSCInitializationSpec) error { + if dscispec.ServiceMesh.ManagementState != operatorv1.Managed || k.GetManagementState() != operatorv1.Managed { return nil } - shouldConfigureServiceMesh, err := deploy.ShouldConfigureServiceMesh(cli, dscispec) - if err != nil { - return err - } - - if shouldConfigureServiceMesh { - serviceMeshInitializer := feature.NewFeaturesInitializer(dscispec, k.defineServiceMeshFeatures(dscispec)) - - if err := serviceMeshInitializer.Prepare(); err != nil { - return err - } + serviceMeshInitializer := feature.NewFeaturesInitializer(dscispec, k.defineServiceMeshFeatures(dscispec)) - if err := serviceMeshInitializer.Apply(); err != nil { - return err - } + if err := serviceMeshInitializer.Prepare(); err != nil { + return err } - return nil + return serviceMeshInitializer.Apply() } func (k *Kserve) defineServiceMeshFeatures(dscispec *dsciv1.DSCInitializationSpec) feature.DefinedFeatures { diff --git a/pkg/deploy/setup.go b/pkg/deploy/setup.go index febbf754ee7..206ef9eab49 100644 --- a/pkg/deploy/setup.go +++ b/pkg/deploy/setup.go @@ -4,13 +4,10 @@ import ( "context" "strings" - operatorv1 "github.com/openshift/api/operator/v1" ofapi "github.com/operator-framework/api/pkg/operators/v1alpha1" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" "sigs.k8s.io/controller-runtime/pkg/client" - - dsci "github.com/opendatahub-io/opendatahub-operator/v2/apis/dscinitialization/v1" ) const ( 
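Review bot: The rewritten configureServiceMesh checks only the two ManagementState fields, so the platform gate that the deleted deploy.ShouldConfigureServiceMesh enforced (`platform == OpenDataHub || platform == Unknown`) is gone and the mesh features will now be applied on every platform; if that is intended the commit message should say so, otherwise the platform check needs to return here. A doc comment would also help the next reader: `// configureServiceMesh applies the KServe service-mesh features when both the DSCI ServiceMesh and this component are Managed; it is a no-op otherwise.`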
@@ -92,14 +89,3 @@ func GetPlatform(cli client.Client) (Platform, error) { // check and return whether ODH or self-managed platform return isSelfManaged(cli) } - -// ShouldConfigureServiceMesh determines if the operator should invoke service-mesh specific setup. -func ShouldConfigureServiceMesh(cli client.Client, dscispec *dsci.DSCInitializationSpec) (bool, error) { - platform, err := GetPlatform(cli) - if err != nil { - return false, err - } - - supportedPlatforms := platform == OpenDataHub || platform == Unknown - return dscispec.ServiceMesh.ManagementState == operatorv1.Managed && supportedPlatforms, nil -} diff --git a/pkg/feature/builder.go b/pkg/feature/builder.go index cef7f0597d6..f3b6797305c 100644 --- a/pkg/feature/builder.go +++ b/pkg/feature/builder.go @@ -41,9 +41,7 @@ func (fb *featureBuilder) For(spec *v1.DSCInitializationSpec) *featureBuilder { Serving: &infrav1.ServingSpec{}, AppNamespace: spec.ApplicationsNamespace, AuthorinoConfigs: AuthorinoConfigs{ - CrName: "authorino-mesh-authz-provider", - ContainerImage: "quay.io/kuadrant/authorino:v0.16.0", - LabelSelectors: "authorino/topic=odh", + Name: "authorino-mesh-authz-provider", }, } diff --git a/pkg/feature/servicemesh/cleanup.go b/pkg/feature/servicemesh/cleanup.go index 5aace52efee..51c222d90fa 100644 --- a/pkg/feature/servicemesh/cleanup.go +++ b/pkg/feature/servicemesh/cleanup.go @@ -31,14 +31,14 @@ func RemoveExtensionProvider(f *feature.Feature) error { return err } if !found { - log.Info("no extension providers found", "f", f.Name, "control-plane", mesh.Name, "namespace", mesh.Namespace) + log.Info("no extension providers found", "feature", f.Name, "control-plane", mesh.Name, "namespace", mesh.Namespace) return nil } for i, v := range extensionProviders { extensionProvider, ok := v.(map[string]interface{}) if !ok { - fmt.Println("Unexpected type for extensionProvider") + log.Info("WARN: Unexpected type for extensionProvider") continue } 
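Review bot: `log.Info("WARN: Unexpected type for extensionProvider")` in RemoveExtensionProvider encodes the level in the message text; with the logr-style logger used on the other call, the message should be a constant lowercase phrase and the variable detail should go in key/value pairs, and the loop index is already at hand to say which entry was skipped: `log.Info("unexpected type for extension provider, skipping", "index", i, "feature", f.Name)`. Reusing the `"feature"` key from the earlier call keeps the output filterable. RemoveExtensionProvider starts and ends outside the hunk.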
diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl index 85a2bd554a7..d6de184e1f5 100644 --- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl @@ -1,11 +1,10 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: - name: {{ .AuthorinoConfigs.CrName }} + name: {{ .AuthorinoConfigs.Name }} namespace: {{ .Auth.Namespace }} spec: - image: {{ .AuthorinoConfigs.ContainerImage }} - authConfigLabelSelectors: {{ .AuthorinoConfigs.LabelSelectors }} + authConfigLabelSelectors: authorino/topic=odh clusterWide: true listener: tls: diff --git a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl index 1b9600b6918..59e58d83ce6 100644 --- a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .AuthorinoConfigs.CrName }} + name: {{ .AuthorinoConfigs.Name }} namespace: {{ .Auth.Namespace }} spec: template: diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl index b7d77d040d1..d1dc0b51948 100644 --- a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl 
@@ -9,5 +9,5 @@ spec: extensionProviders: - name: {{ .AppNamespace }}-odh-auth-provider envoyExtAuthzGrpc: - service: {{ .AuthorinoConfigs.CrName }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local + service: {{ .AuthorinoConfigs.Name }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local port: 50051 diff --git a/pkg/feature/types.go b/pkg/feature/types.go index fb17d0ba131..67ba839649a 100644 --- a/pkg/feature/types.go +++ b/pkg/feature/types.go @@ -29,9 +29,7 @@ type OAuth struct { } type AuthorinoConfigs struct { - CrName, - ContainerImage, - LabelSelectors string + Name string } func ReplaceChar(s string, oldChar, newChar string) string { From 66f4dd8283279161d6f9db5f4ffb50f1b94eeb0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= Date: Fri, 19 Jan 2024 12:34:49 -0600 Subject: [PATCH 06/28] More feedback: Bartosz Co-authored-by: Bartosz Majsak --- components/kserve/kserve.go | 3 +-- .../authorino/base/operator-cluster-wide-no-tls.tmpl | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index 40c0a6aec70..f6c284df95e 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -166,8 +166,7 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC } } - configureMeshErr := k.configureServiceMesh(dscispec) - return configureMeshErr + return k.configureServiceMesh(dscispec) } func (k *Kserve) Cleanup(_ client.Client, instance *dsciv1.DSCInitializationSpec) error { diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl index d6de184e1f5..84e870b0088 100644 --- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl 
@@ -4,7 +4,7 @@ metadata: name: {{ .AuthorinoConfigs.Name }} namespace: {{ .Auth.Namespace }} spec: - authConfigLabelSelectors: authorino/topic=odh + authConfigLabelSelectors: opendatahub.io/authorization-group: default clusterWide: true listener: tls: From 49a4df799535f60a2a405f82b5e0a6d6a2a643a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Mon, 22 Jan 2024 14:52:31 -0600 Subject: [PATCH 07/28] Fix feedback: Reto - Adjust AuthorizationPolicy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- components/kserve/kserve.go | 2 +- .../kserve/kserve-predictor-authorizationpolicy.tmpl | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index f6c284df95e..9272c18c8d5 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -166,7 +166,7 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC } } - return k.configureServiceMesh(dscispec) + return k.configureServiceMesh(dscispec) } func (k *Kserve) Cleanup(_ client.Client, instance *dsciv1.DSCInitializationSpec) error { diff --git a/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl index 5a70356c29c..128e8de7925 100644 --- a/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl +++ b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl @@ -11,8 +11,9 @@ spec: - to: - operation: notPaths: - - /healthz* + - /debug/pprof/ - /metrics + - /wait-for-drain selector: matchLabels: component: predictor From 3a9324ce7d9a09421e0a63cb864ed80d99774786 Mon Sep 17 00:00:00 2001 
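Review bot: `authConfigLabelSelectors: opendatahub.io/authorization-group: default` is not a valid plain scalar — YAML reads the second `: ` as a nested mapping and rejects the document, so the Authorino CR cannot be rendered from this template. A label selector is written `key=value`, i.e. `authConfigLabelSelectors: opendatahub.io/authorization-group=default` (a later hunk in this series makes exactly that change); quoting the value would avoid the parse failure but would likely leave a selector string Authorino cannot parse.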
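Review bot: The new `notPaths` entries have no wildcard, so `/debug/pprof/` exempts only that exact path (the profiler index) while `/debug/pprof/heap` and the other profiles stay behind ext-authz; if the aim is to let something reach the whole profiler tree that needs `/debug/pprof/*`, and if not, exposing even the index without authentication deserves a justifying comment. A one-line comment per exemption naming its caller (for example `# /wait-for-drain: queue-proxy drain hook during shutdown`, to be confirmed) would make later edits to this list safer. The `/healthz*` exemption is dropped here, so anything probing it now goes through Authorino.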
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:54:35 -0600 Subject: [PATCH 08/28] Fix more feedback: Bartosz MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove Authorino namespace field from DSCI. - Move around some code in kserve.go to servicemesh_setup.go Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- components/kserve/kserve.go | 36 --------------- components/kserve/servicemesh_setup.go | 45 +++++++++++++++++++ ...ion.opendatahub.io_dscinitializations.yaml | 4 -- .../dscinitialization/servicemesh_setup.go | 2 - infrastructure/v1/servicemesh_types.go | 3 -- .../servicemesh/authorino/auth-smm.tmpl | 2 +- .../base/operator-cluster-wide-no-tls.tmpl | 4 +- .../authorino/deployment.injection.patch.tmpl | 2 +- .../mesh-authz-ext-provider.patch.tmpl | 2 +- 9 files changed, 50 insertions(+), 50 deletions(-) create mode 100644 components/kserve/servicemesh_setup.go diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index 9272c18c8d5..4a76fc13e7a 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -4,7 +4,6 @@ package kserve import ( "context" "fmt" - "path" "path/filepath" "strings" @@ -20,7 +19,6 @@ import ( "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/deploy" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" - "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/monitoring" ) 
@@ -232,37 +230,3 @@ func checkDepedentOps(cli client.Client) *multierror.Error { } return multiErr } - -func (k *Kserve) configureServiceMesh(dscispec *dsciv1.DSCInitializationSpec) error { - if dscispec.ServiceMesh.ManagementState != operatorv1.Managed || k.GetManagementState() != operatorv1.Managed { - return nil - } - - serviceMeshInitializer := feature.NewFeaturesInitializer(dscispec, k.defineServiceMeshFeatures(dscispec)) - - if err := serviceMeshInitializer.Prepare(); err != nil { - return err - } - - return serviceMeshInitializer.Apply() -} - -func (k *Kserve) defineServiceMeshFeatures(dscispec *dsciv1.DSCInitializationSpec) feature.DefinedFeatures { - return func(s *feature.FeaturesInitializer) error { - kserve, err := feature.CreateFeature("configure-kserve-for-external-authz"). - For(dscispec). - Manifests( - path.Join(feature.KServeDir), - ). - WithData(servicemesh.ClusterDetails). - Load() - - if err != nil { - return err - } - - s.Features = append(s.Features, kserve) - - return nil - } -} diff --git a/components/kserve/servicemesh_setup.go b/components/kserve/servicemesh_setup.go new file mode 100644 index 00000000000..e1b0ddc9e6d --- /dev/null +++ b/components/kserve/servicemesh_setup.go 
@@ -0,0 +1,45 @@
+package kserve
+import (
+ "path"
+
+ operatorv1 "github.com/openshift/api/operator/v1"
+
+ dsciv1 "github.com/opendatahub-io/opendatahub-operator/v2/apis/dscinitialization/v1"
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature"
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh"
+)
+
+func (k *Kserve) configureServiceMesh(dscispec *dsciv1.DSCInitializationSpec) error {
+ if dscispec.ServiceMesh.ManagementState != operatorv1.Managed || k.GetManagementState() != operatorv1.Managed {
+ return nil
+ }
+
+ serviceMeshInitializer := feature.NewFeaturesInitializer(dscispec, k.defineServiceMeshFeatures(dscispec))
+
+ if err := serviceMeshInitializer.Prepare(); err != nil {
+ return err
+ }
+
+ return serviceMeshInitializer.Apply()
+}
+
+func (k *Kserve) defineServiceMeshFeatures(dscispec *dsciv1.DSCInitializationSpec) feature.DefinedFeatures {
+ return func(s *feature.FeaturesInitializer) error {
+ kserve, err := feature.CreateFeature("configure-kserve-for-external-authz").
+ For(dscispec).
+ Manifests(
+ path.Join(feature.KServeDir),
+ ).
+ WithData(servicemesh.ClusterDetails).
+ Load()
+
+ if err != nil {
+ return err
+ }
+
+ s.Features = append(s.Features, kserve)
+
+ return nil
+ }
+}
diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
index a3b7a048eb4..d95195c4ff8 100644
--- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
+++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
@@ -111,10 +111,6 @@ spec: type: string type: array type: object - namespace: - default: auth-provider - description: Namespace where it is deployed. - type: string type: object controlPlane: description: ControlPlane holds configuration of Service Mesh
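Review bot: `path.Join(feature.KServeDir)` with a single argument only cleans the path, so it reads as though a second element were forgotten; pass `feature.KServeDir` directly or add the intended subpath. Neither function in the new file has a doc comment; suggested: `// configureServiceMesh applies the KServe external-authz feature when both the DSCI ServiceMesh and this component are Managed, and is a no-op otherwise.` and `// defineServiceMeshFeatures registers the "configure-kserve-for-external-authz" feature built from the KServe manifests directory.`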
diff --git a/controllers/dscinitialization/servicemesh_setup.go b/controllers/dscinitialization/servicemesh_setup.go index 70259f21053..432e33c53ec 100644 --- a/controllers/dscinitialization/servicemesh_setup.go +++ b/controllers/dscinitialization/servicemesh_setup.go @@ -118,11 +118,9 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error { PreConditions( feature.EnsureCRDIsInstalled("authconfigs.authorino.kuadrant.io"), servicemesh.EnsureServiceMeshInstalled, - feature.CreateNamespaceIfNotExists(serviceMeshSpec.Auth.Namespace), ). PostConditions( feature.WaitForPodsToBeReady(serviceMeshSpec.ControlPlane.Namespace), - feature.WaitForPodsToBeReady(serviceMeshSpec.Auth.Namespace), func(f *feature.Feature) error { // We do not have the control over deployment resource creation. // It is created by Authorino operator using Authorino CR diff --git a/infrastructure/v1/servicemesh_types.go b/infrastructure/v1/servicemesh_types.go index 3199c98a856..f786f501710 100644 --- a/infrastructure/v1/servicemesh_types.go +++ b/infrastructure/v1/servicemesh_types.go @@ -43,9 +43,6 @@ type IngressGatewaySpec struct { } type AuthSpec struct { - // Namespace where it is deployed. - // +kubebuilder:default=auth-provider - Namespace string `json:"namespace,omitempty"` // Authorino holds configuration of Authorino service used as external authorization provider. Authorino AuthorinoSpec `json:"authorino,omitempty"` } diff --git a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl index 6b0aa06aa82..7d6f0736b32 100644 --- a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl @@ -2,7 +2,7 @@ apiVersion: maistra.io/v1 kind: ServiceMeshMember metadata: name: default - namespace: {{ .Auth.Namespace }} + namespace: {{ .AppNamespace }} spec: controlPlaneRef: namespace: {{ .ControlPlane.Namespace }} 
diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl index 84e870b0088..a81498f3fda 100644 --- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl @@ -2,9 +2,9 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: name: {{ .AuthorinoConfigs.Name }} - namespace: {{ .Auth.Namespace }} + namespace: {{ .AppNamespace }} spec: - authConfigLabelSelectors: opendatahub.io/authorization-group: default + authConfigLabelSelectors: opendatahub.io/authorization-group=default clusterWide: true listener: tls: diff --git a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl index 59e58d83ce6..8a56aeb4630 100644 --- a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ .AuthorinoConfigs.Name }} - namespace: {{ .Auth.Namespace }} + namespace: {{ .AppNamespace }} spec: template: metadata: diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl index d1dc0b51948..ee23fff3d63 100644 --- a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl 
@@ -9,5 +9,5 @@ spec:
 extensionProviders:
 - name: {{ .AppNamespace }}-odh-auth-provider
 envoyExtAuthzGrpc:
- service: {{ .AuthorinoConfigs.Name }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local
+ service: {{ .AuthorinoConfigs.Name }}-authorino-authorization.{{ .AppNamespace }}.svc.cluster.local
 port: 50051
From 10f902ed7accad2fd0c1a6c3b1b11220cd0e28ff Mon Sep 17 00:00:00 2001
From: bartoszmajsak
Date: Tue, 23 Jan 2024 18:22:23 +0100
Subject: [PATCH 09/28] chore: adds sec. prefix to authorino label selector
---
 .../authorino/base/operator-cluster-wide-no-tls.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl
index a81498f3fda..7ef0b87c5b2 100644
--- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl
+++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: {{ .AuthorinoConfigs.Name }}
 namespace: {{ .AppNamespace }}
 spec:
- authConfigLabelSelectors: opendatahub.io/authorization-group=default
+ authConfigLabelSelectors: sec.opendatahub.io/authorization-group=default
 clusterWide: true
 listener:
 tls:
From fe7a4819721ad62a2a49e43d2d6babd8772a73a3 Mon Sep 17 00:00:00 2001
From: bartoszmajsak
Date: Tue, 23 Jan 2024 20:04:56 +0100
Subject: [PATCH 10/28] fix: adds base dir to manifest sources
---
 pkg/feature/manifest.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkg/feature/manifest.go b/pkg/feature/manifest.go
index d409668729a..4d11a757671 100644
--- a/pkg/feature/manifest.go
+++ b/pkg/feature/manifest.go
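Review bot: The `envoyExtAuthzGrpc` provider sets only `service` and `port`; the Istio defaults for that block (deny when the provider is unreachable, default check timeout) are what the whole authorization story rests on, and nothing in the template records that they are relied upon. A comment after the `port: 50051` line, e.g. `# failOpen is deliberately left unset (Istio default: deny when Authorino is unreachable); do not enable it for availability reasons.`, would protect that default from a later well-meant tweak. The enclosing `extensionProviders` list begins outside the hunk.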
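Review bot: Renaming the selector label key to `sec.opendatahub.io/authorization-group` (and again to `security.opendatahub.io/authorization-group` in the PATCH 11/28 hunk below) changes which AuthConfigs this instance reconciles, yet each of those commits touches only this one template according to its diffstat. If any AuthConfig template under `pkg/feature/templates/servicemesh/kserve` still carries the previous key, it is silently dropped from reconciliation and requests to those hosts are most likely denied rather than authorized; I cannot see those templates from here, so this is inferred from the 1-file diffstat. A template comment such as `# Must match the label carried by every AuthConfig template (kserve/*)` — or a shared constant rendered into both sides — would keep them from drifting.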
@@ -15,8 +15,9 @@ import (
 var embeddedFiles embed.FS
 
 const (
- ServiceMeshDir = "servicemesh"
- ServerlessDir = "serverless"
+ BaseDir = "templates"
+ ServiceMeshDir = BaseDir + string(filepath.Separator) + "servicemesh"
+ ServerlessDir = BaseDir + string(filepath.Separator) + "serverless"
 AuthDir = ServiceMeshDir + string(filepath.Separator) + "authorino"
 KServeDir = ServiceMeshDir + string(filepath.Separator) + "kserve"
 )
@@ -77,6 +78,7 @@ func (m *manifest) process(data interface{}) error {
 if err != nil {
 return err
 }
+ defer manifestFile.Close()
 content, err := io.ReadAll(manifestFile)
From ba0b12d3e55abbfb1864523c8de4a196467e557b Mon Sep 17 00:00:00 2001
From: bartoszmajsak
Date: Wed, 24 Jan 2024 13:50:55 +0100
Subject: [PATCH 11/28] chore: uses security instead of sec as a prefix in authorino label
---
 .../authorino/base/operator-cluster-wide-no-tls.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl
index 7ef0b87c5b2..3d1b09aa5d1 100644
--- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl
+++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: {{ .AuthorinoConfigs.Name }}
 namespace: {{ .AppNamespace }}
 spec:
- authConfigLabelSelectors: sec.opendatahub.io/authorization-group=default
+ authConfigLabelSelectors: security.opendatahub.io/authorization-group=default
 clusterWide: true
 listener:
 tls:
From d17532c1af236657f1e2176429ae38c6baccacf0 Mon Sep 17 00:00:00 2001
From: Aslak Knutsen
Date: Thu, 25 Jan 2024 16:09:19 +0100
Subject: [PATCH 12/28] fix: /healthz is called by _something_, skipp
---
 .../servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl | 1 +
 1 file changed, 1 insertion(+)
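Review bot: The new `ServiceMeshDir`/`ServerlessDir` constants build paths with `string(filepath.Separator)`, but `embed.FS` (like every `fs.FS`) accepts only forward-slash-separated paths regardless of OS, so on Windows these resolve to `templates\servicemesh` and `embeddedFiles.Open` fails; the pre-existing `AuthDir`/`KServeDir` lines have the same problem and the hunk merely extends it. Use a literal slash or `path.Join`: `ServiceMeshDir = BaseDir + "/servicemesh"` and `ServerlessDir = BaseDir + "/serverless"` (and likewise for `AuthDir`/`KServeDir`), which also removes the `filepath` dependency from this block. That these constants feed `embeddedFiles` is inferred from the `var embeddedFiles embed.FS` context line; if some are also joined onto on-disk paths, forward slashes remain valid there as well.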
diff --git a/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl
index 128e8de7925..c0e87554f50 100644
--- a/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl
+++ b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl
@@ -11,6 +11,7 @@ spec:
 - to:
 - operation:
 notPaths:
+ - /healthz
 - /debug/pprof/
 - /metrics
 - /wait-for-drain
From 7f2ce380c8771d3da37eadbfb51dab1ab610c9b4 Mon Sep 17 00:00:00 2001
From: Aslak Knutsen
Date: Thu, 25 Jan 2024 16:09:50 +0100
Subject: [PATCH 13/28] fix: adopt ODH-ADR-0006 for clean up label
---
 .../templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl b/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl
index ee0678003dd..0fd71911c68 100644
--- a/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl
+++ b/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl
@@ -1,12 +1,10 @@
-# https://issues.redhat.com/browse/OSSM-4873
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
 name: envoy-oauth-temp-fix-before
 namespace: {{ .ControlPlane.Namespace }}
 labels:
- app: odh
- temp: hack
+ opendatahub.io/related-to: OSSM-4873
 spec:
 workloadSelector:
 labels:
@@ -44,8 +42,7 @@ metadata:
 name: envoy-oauth-temp-fix-after
 namespace: {{ .ControlPlane.Namespace }}
 labels:
- app: odh
- temp: hack
+ opendatahub.io/related-to: OSSM-4873
 spec:
 workloadSelector:
 labels:
From 2dff875004d6f1644731e3fe9a8e7af6e17a4176 Mon Sep 17 00:00:00 2001
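Review bot: Adding `/healthz` to `notPaths` exempts that path from the ext-authz check on every predictor this policy selects, and the commit message itself says the caller is unknown; an exemption justified only by "something calls it" is hard to revisit later. Istio `notPaths` entries without a `*` are exact matches, so this covers `/healthz` alone, which is appropriate for a probe but worth stating. Suggest a comment on the new line, `# /healthz: exempt from ext-authz; TODO identify the probing component and record it here`, and a follow-up to replace the TODO once the caller is confirmed. The policy's `rules` list and selector sit outside the hunk.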
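Review bot: Both EnvoyFilters swap `app: odh`/`temp: hack` for `opendatahub.io/related-to: OSSM-4873`, and the subject says this is the clean-up label, yet the diffstat shows only this template changed; whatever performs the clean-up (the servicemesh cleanup code introduced earlier in this series) is not touched here, so if it still selects on the old labels these two filters survive an uninstall. I cannot see that selector from this page, so please confirm it already keys on `opendatahub.io/related-to`. The removed first line was also the only pointer to the issue; consider restoring it as `# Workaround tracked in https://issues.redhat.com/browse/OSSM-4873; remove once the upstream fix ships`, since the label value alone is not self-explanatory. The second hunk (`envoy-oauth-temp-fix-after`) carries the identical change.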
From: Bartosz Majsak
Date: Fri, 26 Jan 2024 16:14:21 +0100
Subject: [PATCH 14/28] fix: uses correct CRD name for authconfigs
Co-authored-by: Cameron Garrison
---
 controllers/dscinitialization/servicemesh_setup.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/dscinitialization/servicemesh_setup.go b/controllers/dscinitialization/servicemesh_setup.go
index 6189bac67a5..b1a0e8e9ab0 100644
--- a/controllers/dscinitialization/servicemesh_setup.go
+++ b/controllers/dscinitialization/servicemesh_setup.go
@@ -121,7 +121,7 @@ func configureServiceMeshFeatures() feature.DefinedFeatures {
 ).
 WithData(servicemesh.ClusterDetails).
 PreConditions(
- feature.EnsureCRDIsInstalled("authconfiginitializer.authorino.kuadrant.io"),
+ feature.EnsureCRDIsInstalled("authconfigs.authorino.kuadrant.io"),
 servicemesh.EnsureServiceMeshInstalled,
 ).
 PostConditions(
From 44b00770b9c3477398387e6e0fc3e694d8d62b19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com>
Date: Mon, 29 Jan 2024 13:56:36 -0600
Subject: [PATCH 15/28] Remove left-over file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
---
 test.yaml | 10359 ----------------------------------------------------
 1 file changed, 10359 deletions(-)
 delete mode 100644 test.yaml
diff --git a/test.yaml b/test.yaml
deleted file mode 100644
index dd58147bc01..00000000000
--- a/test.yaml
+++ /dev/null
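Review bot: The CRD name `"authconfigs.authorino.kuadrant.io"` is a bare string literal in the precondition, and the bug this commit fixes — a mistyped literal — is exactly what a named constant guards against, especially since the same group name is implied by the Authorino templates elsewhere in the series. Suggest `const authConfigsCRD = "authconfigs.authorino.kuadrant.io"` alongside the other Authorino constants and `feature.EnsureCRDIsInstalled(authConfigsCRD),` here. configureServiceMeshFeatures begins and ends outside the hunk.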
@@ -1,10359 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - operatorframework.io/installed-alongside-d78678f72b6e4527: openshift-operators/servicemeshoperator.v2.4.5 - service.beta.openshift.io/inject-cabundle: "true" - creationTimestamp: "2024-01-25T11:08:50Z" - generation: 5 - labels: - maistra-version: 2.4.5 - operators.coreos.com/servicemeshoperator.openshift-operators: "" - name: servicemeshcontrolplanes.maistra.io - resourceVersion: "16747" - uid: 67751448-9990-46f0-8728-b7b5a3fd2073 -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: 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 - service: - name: maistra-admission-controller - namespace: openshift-operators - path: /convert-smcp - port: 443 - conversionReviewVersions: - - v1beta1 - group: maistra.io - names: - categories: - - maistra-io - kind: ServiceMeshControlPlane - listKind: ServiceMeshControlPlaneList - plural: servicemeshcontrolplanes - shortNames: - - smcp - singular: servicemeshcontrolplane - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: How many of the total number of components are ready - jsonPath: .status.annotations.readyComponentCount - name: Ready - type: string - - description: Whether or not the control plane installation is up to date. - jsonPath: .status.conditions[?(@.type=="Reconciled")].reason - name: Status - type: string - - description: The configuration template to use as the base. - jsonPath: .status.lastAppliedConfiguration.template - name: Template - type: string - - description: The actual current version of the control plane installation. - jsonPath: .status.lastAppliedConfiguration.version - name: Version - type: string - - description: The age of the object - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The image hub used as the base for all component images. 
- jsonPath: .status.lastAppliedConfiguration.istio.global.hub - name: Image HUB - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - istio: - type: object - x-kubernetes-preserve-unknown-fields: true - networkType: - type: string - profiles: - items: - type: string - type: array - template: - type: string - threeScale: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - status: - nullable: true - properties: - annotations: - additionalProperties: - type: string - type: object - components: - items: - properties: - children: - items: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - resource: - type: string - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - lastAppliedConfiguration: - properties: - istio: - type: object - x-kubernetes-preserve-unknown-fields: true - networkType: - type: string - profiles: - items: - type: string - type: array - template: - type: string - threeScale: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - observedGeneration: - format: int64 - type: integer - reconciledVersion: - type: string - type: object - required: - - spec - type: object - served: true - storage: false - 
subresources: - status: {} - - additionalPrinterColumns: - - description: How many of the total number of components are ready - jsonPath: .status.annotations.readyComponentCount - name: Ready - type: string - - description: Whether or not the control plane installation is up to date and - ready to handle requests. - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - description: The configuration profiles applied to the configuration. - jsonPath: .status.appliedSpec.profiles - name: Profiles - type: string - - description: The actual current version of the control plane installation. - jsonPath: .status.chartVersion - name: Version - type: string - - description: The age of the object - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The image registry used as the base for all component images. - jsonPath: .status.appliedSpec.runtime.defaults.container.registry - name: Image Registry - priority: 1 - type: string - name: v2 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - addons: - properties: - 3scale: - properties: - backend: - properties: - cache_flush_interval: - format: int32 - type: integer - enable_cache: - type: boolean - policy_fail_closed: - type: boolean - type: object - client: - properties: - allow_insecure_connections: - type: boolean - timeout: - format: int32 - type: integer - type: object - enabled: - type: boolean - grpc: - properties: - max_conn_timeout: - format: int32 - type: integer - type: object - listen_addr: - format: int32 - type: integer - log_grpc: - type: boolean - log_json: - type: boolean - log_level: - type: string - metrics: - properties: - port: - format: int32 - type: integer - report: - type: boolean - type: object - system: - properties: - cache_max_size: - format: int64 - type: integer - cache_refresh_interval: - format: int32 - type: integer - 
cache_refresh_retries: - format: int32 - type: integer - cache_ttl: - format: int32 - type: integer - type: object - type: object - grafana: - properties: - address: - type: string - enabled: - type: boolean - install: - properties: - config: - properties: - env: - additionalProperties: - type: string - type: object - envSecrets: - additionalProperties: - type: string - type: object - type: object - persistence: - properties: - accessMode: - type: string - capacity: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - enabled: - type: boolean - storageClassName: - type: string - type: object - security: - properties: - enabled: - type: boolean - passphraseKey: - type: string - secretName: - type: string - usernameKey: - type: string - type: object - selfManaged: - type: boolean - service: - properties: - ingress: - properties: - contextPath: - type: string - enabled: - type: boolean - hosts: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - tls: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodePort: - format: int32 - type: integer - type: object - type: object - type: object - jaeger: - properties: - install: - properties: - 
ingress: - properties: - enabled: - type: boolean - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - type: object - storage: - properties: - elasticsearch: - properties: - indexCleaner: - type: object - x-kubernetes-preserve-unknown-fields: true - nodeCount: - format: int32 - type: integer - redundancyPolicy: - type: string - storage: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - memory: - properties: - maxTraces: - format: int64 - type: integer - type: object - type: - type: string - type: object - type: object - name: - type: string - type: object - kiali: - properties: - enabled: - type: boolean - install: - properties: - dashboard: - properties: - enableGrafana: - type: boolean - enablePrometheus: - type: boolean - enableTracing: - type: boolean - viewOnly: - type: boolean - type: object - deployment: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - 
items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: 
string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - service: - properties: - ingress: - properties: - contextPath: - type: string - enabled: - type: boolean - hosts: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - tls: - type: object - 
x-kubernetes-preserve-unknown-fields: true - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodePort: - format: int32 - type: integer - type: object - type: object - name: - type: string - type: object - prometheus: - properties: - address: - type: string - enabled: - type: boolean - install: - properties: - retention: - type: string - scrapeInterval: - type: string - selfManaged: - type: boolean - service: - properties: - ingress: - properties: - contextPath: - type: string - enabled: - type: boolean - hosts: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - tls: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodePort: - format: int32 - type: integer - type: object - useTLS: - type: boolean - type: object - metricsExpiryDuration: - type: string - scrape: - type: boolean - type: object - stackdriver: - properties: - telemetry: - properties: - accessLogging: - properties: - enabled: - type: boolean - logWindowDuration: - type: string - type: object - auth: - properties: - apiKey: - type: string - appCredentials: - type: boolean - serviceAccountPath: - type: string - type: object - configOverride: - type: object - x-kubernetes-preserve-unknown-fields: true - enableContextGraph: - type: boolean - enableLogging: - type: boolean - enableMetrics: - type: boolean - enabled: - type: boolean - type: object - tracer: - properties: - debug: - type: boolean - maxNumberOfAnnotations: - format: int64 - type: integer - maxNumberOfAttributes: - format: int64 - type: integer - 
maxNumberOfMessageEvents: - format: int64 - type: integer - type: object - type: object - type: object - cluster: - properties: - meshExpansion: - properties: - enabled: - type: boolean - ilbGateway: - properties: - enabled: - type: boolean - namespace: - type: string - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - 
type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - 
type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - 
properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - type: object - multiCluster: - properties: - enabled: - type: boolean - meshNetworks: - additionalProperties: - properties: - endpoints: - items: - properties: - fromCIDR: - type: string - fromRegistry: - type: string - type: object - type: array - gateways: - items: - properties: - address: - type: string - port: - format: int32 - type: integer - registryServiceName: - type: string - service: - type: string - type: object - type: array - type: object - type: object - type: object - name: - type: string - network: - type: string - type: object - gateways: - properties: - additionalEgress: - additionalProperties: - properties: - enabled: - type: boolean - namespace: - type: string - requestedNetworkView: - items: - type: string - type: array - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: 
array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - 
properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - 
required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: 
object - type: array - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - 
optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - type: object - additionalIngress: - additionalProperties: - properties: - enabled: - type: boolean - namespace: - type: string - routeConfig: - properties: - enabled: - type: boolean - type: object - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - 
- type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - 
weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: 
string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - sds: - properties: - enabled: - type: boolean - runtime: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - 
externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: 
string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - type: object - egress: - properties: - enabled: - type: boolean - namespace: - type: string - requestedNetworkView: - items: - type: string - type: array - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - 
preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - 
labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: 
string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: 
string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - enabled: - type: boolean - ingress: - properties: - enabled: - type: boolean - ingress: - type: boolean - meshExpansionPorts: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - namespace: - type: string - routeConfig: - properties: - enabled: - type: boolean - type: object - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: 
- limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - 
properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - 
preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - sds: - 
properties: - enabled: - type: boolean - runtime: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: 
string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - openshiftRoute: - properties: - enabled: - type: boolean - type: object - type: object - general: - properties: - logging: - properties: - componentLevels: - additionalProperties: - type: string - type: object - logAsJSON: - type: boolean - type: object - validationMessages: - type: boolean - type: object - meshConfig: - properties: - discoverySelectors: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - extensionProviders: - items: - properties: - envoyExtAuthzGrpc: - 
properties: - failOpen: - type: boolean - includeRequestBodyInCheck: - properties: - allowPartialMessage: - type: boolean - maxRequestBytes: - format: int64 - type: integer - packAsBytes: - type: boolean - type: object - port: - format: int64 - type: integer - service: - type: string - statusOnError: - type: string - timeout: - type: string - required: - - port - - service - type: object - envoyExtAuthzHttp: - properties: - failOpen: - type: boolean - headersToDownstreamOnAllow: - items: - type: string - type: array - headersToDownstreamOnDeny: - items: - type: string - type: array - headersToUpstreamOnAllow: - items: - type: string - type: array - includeAdditionalHeadersInCheck: - additionalProperties: - type: string - type: object - includeRequestBodyInCheck: - properties: - allowPartialMessage: - type: boolean - maxRequestBytes: - format: int64 - type: integer - packAsBytes: - type: boolean - type: object - includeRequestHeadersInCheck: - items: - type: string - type: array - pathPrefix: - type: string - port: - format: int64 - type: integer - service: - type: string - statusOnError: - type: string - timeout: - type: string - required: - - port - - service - type: object - name: - type: string - prometheus: - type: object - required: - - name - type: object - type: array - type: object - mode: - enum: - - MultiTenant - - ClusterWide - type: string - policy: - properties: - mixer: - properties: - adapters: - properties: - kubernetesenv: - type: boolean - useAdapterCRDs: - type: boolean - type: object - enableChecks: - type: boolean - failOpen: - type: boolean - sessionAffinity: - type: boolean - type: object - remote: - properties: - address: - type: string - createService: - type: boolean - enableChecks: - type: boolean - failOpen: - type: boolean - type: object - type: - type: string - type: object - profiles: - items: - type: string - type: array - proxy: - properties: - accessLogging: - properties: - envoyService: - properties: - address: - type: string - 
enabled: - type: boolean - tcpKeepalive: - properties: - interval: - type: string - probes: - format: int32 - type: integer - time: - type: string - type: object - tlsSettings: - properties: - caCertificates: - type: string - clientCertificate: - type: string - mode: - type: string - privateKey: - type: string - sni: - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - file: - properties: - encoding: - type: string - format: - type: string - name: - type: string - type: object - type: object - adminPort: - format: int32 - type: integer - concurrency: - format: int32 - type: integer - envoyMetricsService: - properties: - address: - type: string - enabled: - type: boolean - tcpKeepalive: - properties: - interval: - type: string - probes: - format: int32 - type: integer - time: - type: string - type: object - tlsSettings: - properties: - caCertificates: - type: string - clientCertificate: - type: string - mode: - type: string - privateKey: - type: string - sni: - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - injection: - properties: - alwaysInjectSelector: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - autoInject: - type: boolean - injectedAnnotations: - additionalProperties: - type: string - type: object - neverInjectSelector: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - type: object - logging: - properties: - 
componentLevels: - additionalProperties: - type: string - type: object - level: - type: string - type: object - networking: - properties: - clusterDomain: - type: string - connectionTimeout: - type: string - dns: - properties: - refreshRate: - type: string - searchSuffixes: - items: - type: string - type: array - type: object - initialization: - properties: - initContainer: - properties: - runtime: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - type: object - type: - type: string - type: object - maxConnectionAge: - type: string - protocol: - properties: - autoDetect: - properties: - inbound: - type: boolean - outbound: - type: boolean - timeout: - type: string - type: object - type: object - trafficControl: - properties: - inbound: - properties: - excludedPorts: - items: - format: int32 - type: integer - type: array - includedPorts: - items: - type: string - type: array - interceptionMode: - type: string - type: object - outbound: - properties: - excludedIPRanges: - items: - type: string - type: array - excludedPorts: - items: - format: int32 - type: integer - type: array - includedIPRanges: - items: - type: string - type: array - policy: - type: string - type: object 
- type: object - type: object - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - readiness: - properties: - failureThreshold: - format: int32 - type: integer - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - rewriteApplicationProbes: - type: boolean - statusPort: - format: int32 - type: integer - type: object - type: object - type: object - runtime: - properties: - components: - additionalProperties: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: 
object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - 
additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - type: object - defaults: - properties: - container: - properties: - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - podDisruption: - properties: - enabled: - type: boolean - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - pod: - properties: - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - type: object - security: - properties: - certificateAuthority: - properties: - cert-manager: - properties: - address: - type: string - pilotSecretName: - type: string - rootCAConfigMapName: - type: string - type: object - custom: - properties: - address: - type: string - type: object - istiod: - properties: - privateKey: - properties: - rootCADir: - type: string - type: object - selfSigned: - properties: - checkPeriod: - type: string - enableJitter: - type: boolean - gracePeriod: - type: string - ttl: - type: string - type: object - type: - type: string - workloadCertTTLDefault: - type: string - workloadCertTTLMax: - type: string - type: object - type: - type: string - type: object - controlPlane: - properties: - certProvider: - type: string - mtls: - type: boolean - tls: - properties: - cipherSuites: - items: - type: string - type: array - 
ecdhCurves: - items: - type: string - type: array - maxProtocolVersion: - type: string - minProtocolVersion: - type: string - type: object - type: object - dataPlane: - properties: - automtls: - type: boolean - mtls: - type: boolean - type: object - identity: - properties: - thirdParty: - properties: - audience: - type: string - issuer: - type: string - type: object - type: - type: string - type: object - jwksResolverCA: - type: string - manageNetworkPolicy: - type: boolean - trust: - properties: - additionalDomains: - items: - type: string - type: array - domain: - type: string - type: object - type: object - techPreview: - type: object - x-kubernetes-preserve-unknown-fields: true - telemetry: - properties: - mixer: - properties: - adapters: - properties: - kubernetesenv: - type: boolean - stdio: - properties: - enabled: - type: boolean - outputAsJSON: - type: boolean - type: object - useAdapterCRDs: - type: boolean - type: object - batching: - properties: - maxEntries: - format: int32 - type: integer - maxTime: - type: string - type: object - loadshedding: - properties: - latencyThreshold: - type: string - mode: - type: string - type: object - sessionAffinity: - type: boolean - type: object - remote: - properties: - address: - type: string - batching: - properties: - maxEntries: - format: int32 - type: integer - maxTime: - type: string - type: object - createService: - type: boolean - type: object - type: - type: string - type: object - tracing: - properties: - sampling: - format: int32 - maximum: 10000 - minimum: 0 - type: integer - type: - type: string - type: object - version: - type: string - type: object - status: - properties: - annotations: - additionalProperties: - type: string - type: object - appliedSpec: - properties: - addons: - properties: - 3scale: - properties: - backend: - properties: - cache_flush_interval: - format: int32 - type: integer - enable_cache: - type: boolean - policy_fail_closed: - type: boolean - type: object - client: - properties: 
- allow_insecure_connections: - type: boolean - timeout: - format: int32 - type: integer - type: object - enabled: - type: boolean - grpc: - properties: - max_conn_timeout: - format: int32 - type: integer - type: object - listen_addr: - format: int32 - type: integer - log_grpc: - type: boolean - log_json: - type: boolean - log_level: - type: string - metrics: - properties: - port: - format: int32 - type: integer - report: - type: boolean - type: object - system: - properties: - cache_max_size: - format: int64 - type: integer - cache_refresh_interval: - format: int32 - type: integer - cache_refresh_retries: - format: int32 - type: integer - cache_ttl: - format: int32 - type: integer - type: object - type: object - grafana: - properties: - address: - type: string - enabled: - type: boolean - install: - properties: - config: - properties: - env: - additionalProperties: - type: string - type: object - envSecrets: - additionalProperties: - type: string - type: object - type: object - persistence: - properties: - accessMode: - type: string - capacity: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - enabled: - type: boolean - storageClassName: - type: string - type: object - security: - properties: - enabled: - type: boolean - passphraseKey: - type: string - secretName: - type: string - usernameKey: - type: string - type: object - selfManaged: - type: boolean - service: - properties: - ingress: - properties: - contextPath: - type: string - enabled: - type: boolean - hosts: - items: - type: 
string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - tls: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodePort: - format: int32 - type: integer - type: object - type: object - type: object - jaeger: - properties: - install: - properties: - ingress: - properties: - enabled: - type: boolean - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - type: object - storage: - properties: - elasticsearch: - properties: - indexCleaner: - type: object - x-kubernetes-preserve-unknown-fields: true - nodeCount: - format: int32 - type: integer - redundancyPolicy: - type: string - storage: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - memory: - properties: - maxTraces: - format: int64 - type: integer - type: object - type: - type: string - type: object - type: object - name: - type: string - type: object - kiali: - properties: - enabled: - type: boolean - install: - properties: - dashboard: - properties: - enableGrafana: - type: boolean - enablePrometheus: - type: boolean - enableTracing: - type: boolean - viewOnly: - type: boolean - type: object - deployment: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - 
operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - 
topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - tolerations: - items: 
- properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - service: - properties: - ingress: - properties: - contextPath: - type: string - enabled: - type: boolean - hosts: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - tls: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodePort: - format: int32 - type: integer - type: object - type: object - name: - type: string - type: object - prometheus: - properties: - address: - type: string - enabled: - type: boolean - install: - properties: - retention: - type: string - scrapeInterval: - type: string - selfManaged: - type: boolean - service: - properties: - ingress: - properties: - contextPath: - type: string - enabled: - type: boolean - hosts: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - tls: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodePort: - format: int32 - type: integer - type: object - useTLS: - type: boolean - type: object - metricsExpiryDuration: - type: string - scrape: - type: boolean - type: object - stackdriver: - properties: - telemetry: - properties: - accessLogging: - properties: - enabled: - type: boolean - 
logWindowDuration: - type: string - type: object - auth: - properties: - apiKey: - type: string - appCredentials: - type: boolean - serviceAccountPath: - type: string - type: object - configOverride: - type: object - x-kubernetes-preserve-unknown-fields: true - enableContextGraph: - type: boolean - enableLogging: - type: boolean - enableMetrics: - type: boolean - enabled: - type: boolean - type: object - tracer: - properties: - debug: - type: boolean - maxNumberOfAnnotations: - format: int64 - type: integer - maxNumberOfAttributes: - format: int64 - type: integer - maxNumberOfMessageEvents: - format: int64 - type: integer - type: object - type: object - type: object - cluster: - properties: - meshExpansion: - properties: - enabled: - type: boolean - ilbGateway: - properties: - enabled: - type: boolean - namespace: - type: string - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: 
integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - 
required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - 
values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - 
x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - type: object - multiCluster: - properties: - enabled: - type: boolean - meshNetworks: - additionalProperties: - properties: - endpoints: - items: - properties: - fromCIDR: - type: string - fromRegistry: - type: string - type: object - type: array - gateways: - items: - properties: - address: - type: string - port: - format: int32 - type: integer - registryServiceName: - type: string - service: - type: string - type: object - type: array - type: object - type: 
object - type: object - name: - type: string - network: - type: string - type: object - gateways: - properties: - additionalEgress: - additionalProperties: - properties: - enabled: - type: boolean - namespace: - type: string - requestedNetworkView: - items: - type: string - type: array - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - 
properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - 
operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - 
topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - 
volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - type: object - additionalIngress: - additionalProperties: - properties: - enabled: - type: boolean - namespace: - type: string - routeConfig: - properties: - enabled: - type: boolean - type: object - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: 
object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - 
additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - sds: - properties: - enabled: - type: boolean - runtime: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - 
properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: 
int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - type: object - egress: - properties: - enabled: - type: boolean - namespace: - type: string - requestedNetworkView: - items: - type: string - type: array - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - 
autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - 
podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - 
required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: 
- type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - enabled: - type: boolean - ingress: - properties: - enabled: - type: boolean - ingress: - type: boolean - meshExpansionPorts: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: 
integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - namespace: - type: string - routeConfig: - properties: - enabled: - type: boolean - type: object - routerMode: - type: string - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - 
type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - 
type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - sds: - properties: - enabled: - type: boolean - runtime: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - type: object - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - 
type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - appProtocol: - type: string - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - x-kubernetes-list-type: map - publishNotReadyAddresses: - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - topologyKeys: - items: - type: string - type: array - type: - type: string - type: object - volumes: - items: - properties: - volume: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - name: - type: string - optional: - type: boolean - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - type: object - volumeMount: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: object - type: array - type: object - openshiftRoute: - properties: - enabled: - type: boolean - type: object - type: object - general: - properties: - 
logging: - properties: - componentLevels: - additionalProperties: - type: string - type: object - logAsJSON: - type: boolean - type: object - validationMessages: - type: boolean - type: object - meshConfig: - properties: - discoverySelectors: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - extensionProviders: - items: - properties: - envoyExtAuthzGrpc: - properties: - failOpen: - type: boolean - includeRequestBodyInCheck: - properties: - allowPartialMessage: - type: boolean - maxRequestBytes: - format: int64 - type: integer - packAsBytes: - type: boolean - type: object - port: - format: int64 - type: integer - service: - type: string - statusOnError: - type: string - timeout: - type: string - required: - - port - - service - type: object - envoyExtAuthzHttp: - properties: - failOpen: - type: boolean - headersToDownstreamOnAllow: - items: - type: string - type: array - headersToDownstreamOnDeny: - items: - type: string - type: array - headersToUpstreamOnAllow: - items: - type: string - type: array - includeAdditionalHeadersInCheck: - additionalProperties: - type: string - type: object - includeRequestBodyInCheck: - properties: - allowPartialMessage: - type: boolean - maxRequestBytes: - format: int64 - type: integer - packAsBytes: - type: boolean - type: object - includeRequestHeadersInCheck: - items: - type: string - type: array - pathPrefix: - type: string - port: - format: int64 - type: integer - service: - type: string - statusOnError: - type: string - timeout: - type: string - required: - - port - - service - type: object - name: - type: string - prometheus: - type: object - required: - - name - type: object - type: array - type: object - mode: - enum: - - MultiTenant - - ClusterWide - 
type: string - policy: - properties: - mixer: - properties: - adapters: - properties: - kubernetesenv: - type: boolean - useAdapterCRDs: - type: boolean - type: object - enableChecks: - type: boolean - failOpen: - type: boolean - sessionAffinity: - type: boolean - type: object - remote: - properties: - address: - type: string - createService: - type: boolean - enableChecks: - type: boolean - failOpen: - type: boolean - type: object - type: - type: string - type: object - profiles: - items: - type: string - type: array - proxy: - properties: - accessLogging: - properties: - envoyService: - properties: - address: - type: string - enabled: - type: boolean - tcpKeepalive: - properties: - interval: - type: string - probes: - format: int32 - type: integer - time: - type: string - type: object - tlsSettings: - properties: - caCertificates: - type: string - clientCertificate: - type: string - mode: - type: string - privateKey: - type: string - sni: - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - file: - properties: - encoding: - type: string - format: - type: string - name: - type: string - type: object - type: object - adminPort: - format: int32 - type: integer - concurrency: - format: int32 - type: integer - envoyMetricsService: - properties: - address: - type: string - enabled: - type: boolean - tcpKeepalive: - properties: - interval: - type: string - probes: - format: int32 - type: integer - time: - type: string - type: object - tlsSettings: - properties: - caCertificates: - type: string - clientCertificate: - type: string - mode: - type: string - privateKey: - type: string - sni: - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - injection: - properties: - alwaysInjectSelector: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - 
operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - autoInject: - type: boolean - injectedAnnotations: - additionalProperties: - type: string - type: object - neverInjectSelector: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - type: object - logging: - properties: - componentLevels: - additionalProperties: - type: string - type: object - level: - type: string - type: object - networking: - properties: - clusterDomain: - type: string - connectionTimeout: - type: string - dns: - properties: - refreshRate: - type: string - searchSuffixes: - items: - type: string - type: array - type: object - initialization: - properties: - initContainer: - properties: - runtime: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - type: object - type: - type: string - type: object - maxConnectionAge: - type: string - protocol: - 
properties: - autoDetect: - properties: - inbound: - type: boolean - outbound: - type: boolean - timeout: - type: string - type: object - type: object - trafficControl: - properties: - inbound: - properties: - excludedPorts: - items: - format: int32 - type: integer - type: array - includedPorts: - items: - type: string - type: array - interceptionMode: - type: string - type: object - outbound: - properties: - excludedIPRanges: - items: - type: string - type: array - excludedPorts: - items: - format: int32 - type: integer - type: array - includedIPRanges: - items: - type: string - type: array - policy: - type: string - type: object - type: object - type: object - runtime: - properties: - container: - properties: - env: - additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - readiness: - properties: - failureThreshold: - format: int32 - type: integer - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - rewriteApplicationProbes: - type: boolean - statusPort: - format: int32 - type: integer - type: object - type: object - type: object - runtime: - properties: - components: - additionalProperties: - properties: - container: - properties: - env: - 
additionalProperties: - type: string - type: object - imageName: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - autoScaling: - properties: - enabled: - type: boolean - maxReplicas: - format: int32 - type: integer - minReplicas: - format: int32 - type: integer - targetCPUUtilizationPercentage: - format: int32 - type: integer - type: object - replicas: - format: int32 - type: integer - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - type: object - pod: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - 
type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - 
podAntiAffinity: - properties: - preferredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringScheduling: - items: - properties: - key: - type: string - operator: - type: string - topologyKey: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: 
- type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - type: object - defaults: - properties: - container: - properties: - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - imageRegistry: - type: string - imageTag: - type: string - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - type: object - deployment: - properties: - podDisruption: - properties: - enabled: - type: boolean - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - pod: - properties: - nodeSelector: - additionalProperties: - type: string - type: object - priorityClassName: - type: string - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - type: object - type: object - type: object - security: - properties: - certificateAuthority: - properties: - cert-manager: - properties: - address: - type: string - pilotSecretName: - type: string - rootCAConfigMapName: - type: string - type: object - custom: 
- properties: - address: - type: string - type: object - istiod: - properties: - privateKey: - properties: - rootCADir: - type: string - type: object - selfSigned: - properties: - checkPeriod: - type: string - enableJitter: - type: boolean - gracePeriod: - type: string - ttl: - type: string - type: object - type: - type: string - workloadCertTTLDefault: - type: string - workloadCertTTLMax: - type: string - type: object - type: - type: string - type: object - controlPlane: - properties: - certProvider: - type: string - mtls: - type: boolean - tls: - properties: - cipherSuites: - items: - type: string - type: array - ecdhCurves: - items: - type: string - type: array - maxProtocolVersion: - type: string - minProtocolVersion: - type: string - type: object - type: object - dataPlane: - properties: - automtls: - type: boolean - mtls: - type: boolean - type: object - identity: - properties: - thirdParty: - properties: - audience: - type: string - issuer: - type: string - type: object - type: - type: string - type: object - jwksResolverCA: - type: string - manageNetworkPolicy: - type: boolean - trust: - properties: - additionalDomains: - items: - type: string - type: array - domain: - type: string - type: object - type: object - techPreview: - type: object - x-kubernetes-preserve-unknown-fields: true - telemetry: - properties: - mixer: - properties: - adapters: - properties: - kubernetesenv: - type: boolean - stdio: - properties: - enabled: - type: boolean - outputAsJSON: - type: boolean - type: object - useAdapterCRDs: - type: boolean - type: object - batching: - properties: - maxEntries: - format: int32 - type: integer - maxTime: - type: string - type: object - loadshedding: - properties: - latencyThreshold: - type: string - mode: - type: string - type: object - sessionAffinity: - type: boolean - type: object - remote: - properties: - address: - type: string - batching: - properties: - maxEntries: - format: int32 - type: integer - maxTime: - type: string - type: object - 
createService: - type: boolean - type: object - type: - type: string - type: object - tracing: - properties: - sampling: - format: int32 - maximum: 10000 - minimum: 0 - type: integer - type: - type: string - type: object - version: - type: string - type: object - appliedValues: - properties: - istio: - type: object - x-kubernetes-preserve-unknown-fields: true - networkType: - type: string - profiles: - items: - type: string - type: array - template: - type: string - threeScale: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - chartVersion: - type: string - components: - items: - properties: - children: - items: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - resource: - type: string - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - observedGeneration: - format: int64 - type: integer - operatorVersion: - type: string - readiness: - properties: - components: - additionalProperties: - items: - type: string - type: array - type: object - type: object - required: - - readiness - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - categories: - - maistra-io - kind: ServiceMeshControlPlane - listKind: ServiceMeshControlPlaneList - plural: servicemeshcontrolplanes - shortNames: - - smcp - singular: 
servicemeshcontrolplane - conditions: - - lastTransitionTime: "2024-01-25T11:08:50Z" - message: no conflicts found - reason: NoConflicts - status: "True" - type: NamesAccepted - - lastTransitionTime: "2024-01-25T11:08:50Z" - message: the initial names have been accepted - reason: InitialNamesAccepted - status: "True" - type: Established - storedVersions: - - v2 From 54089831d701776c6b949beed7fbb7ed7099ec20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Wed, 31 Jan 2024 15:06:27 -0600 Subject: [PATCH 16/28] Feedback: remove auth-refs ConfigMap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- pkg/feature/servicemesh/resources.go | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/pkg/feature/servicemesh/resources.go b/pkg/feature/servicemesh/resources.go index f35f40ec020..4d2b64eb147 100644 --- a/pkg/feature/servicemesh/resources.go +++ b/pkg/feature/servicemesh/resources.go @@ -1,8 +1,6 @@ package servicemesh import ( - "strings" - "github.com/pkg/errors" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" @@ -18,13 +16,5 @@ func ConfigMaps(feature *feature.Feature) error { return errors.WithStack(err) } - authorinoConfig := feature.Spec.Auth.Authorino - if err := feature.CreateConfigMap("auth-refs", - map[string]string{ - "AUTH_AUDIENCE": strings.Join(*authorinoConfig.Audiences, ","), - }); err != nil { - return errors.WithStack(err) - } - return nil } From e94e78f2845d72d2f1fcc62f09a8c93fd6bc459e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Wed, 31 Jan 2024 15:06:51 -0600 Subject: [PATCH 17/28] Add missing role.yaml changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- config/rbac/role.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index d8dedf1ccae..648d1af1b3d 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -675,6 +675,15 @@ rules: - patch - update - watch +- apiGroups: + - features.opendatahub.io + resources: + - featuretrackers/status + verbs: + - delete + - get + - patch + - update - apiGroups: - image.openshift.io resources: From 07c2e70fbd3525b7ff7da54212b90cb264d5b7b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Thu, 1 Feb 2024 13:04:22 -0600 Subject: [PATCH 18/28] Go back to installing Authorino on its own namespace MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- ...ialization.opendatahub.io_dscinitializations.yaml | 6 ++++++ controllers/dscinitialization/servicemesh_setup.go | 4 ++++ infrastructure/v1/servicemesh_types.go | 4 ++++ pkg/feature/builder.go | 3 ++- pkg/feature/servicemesh/conditions.go | 10 ++++++++++ pkg/feature/servicemesh/loaders.go | 12 ++++++++++++ .../templates/servicemesh/authorino/auth-smm.tmpl | 2 +- .../authorino/base/operator-cluster-wide-no-tls.tmpl | 2 +- .../authorino/deployment.injection.patch.tmpl | 2 +- .../authorino/mesh-authz-ext-provider.patch.tmpl | 2 +- pkg/feature/types.go | 3 ++- 11 files changed, 44 insertions(+), 6 deletions(-) diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml index d95195c4ff8..c40785e11b4 100644 --- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml 
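Review bot: The new rule on `featuretrackers/status` lists `delete` among its verbs, but a status subresource only serves get, update and patch, so that verb grants nothing the controller can use while making the role read broader than it is. If this file is rendered from a `+kubebuilder:rbac` marker, as the "Add missing role.yaml changes" title suggests, the verb should be dropped at the marker and the file regenerated rather than edited here. The resulting verbs list would be `- get`, `- patch`, `- update`, which is what the controller can actually do to status.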
@@ -111,6 +111,12 @@ spec: type: string type: array type: object + namespace: + description: Namespace where it is deployed. If not provided, + the default is to use '-auth-provider' suffix on the ApplicationsNamespace + of the DSCI (e.g. opendatahub-auth-provider). The '-applications' + suffix is removed from ApplicationsNamespace. + type: string type: object controlPlane: description: ControlPlane holds configuration of Service Mesh diff --git a/controllers/dscinitialization/servicemesh_setup.go b/controllers/dscinitialization/servicemesh_setup.go index b1a0e8e9ab0..e76f3678768 100644 --- a/controllers/dscinitialization/servicemesh_setup.go +++ b/controllers/dscinitialization/servicemesh_setup.go @@ -123,9 +123,13 @@ func configureServiceMeshFeatures() feature.DefinedFeatures { PreConditions( feature.EnsureCRDIsInstalled("authconfigs.authorino.kuadrant.io"), servicemesh.EnsureServiceMeshInstalled, + servicemesh.EnsureAuthNamespaceExists, ). PostConditions( feature.WaitForPodsToBeReady(serviceMeshSpec.ControlPlane.Namespace), + func(f *feature.Feature) error { + return feature.WaitForPodsToBeReady(f.Spec.AuthorinoConfigs.Namespace)(f) + }, func(f *feature.Feature) error { // We do not have the control over deployment resource creation. // It is created by Authorino operator using Authorino CR diff --git a/infrastructure/v1/servicemesh_types.go b/infrastructure/v1/servicemesh_types.go index f786f501710..408ca4bfe69 100644 --- a/infrastructure/v1/servicemesh_types.go +++ b/infrastructure/v1/servicemesh_types.go 
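Review bot: The new PostCondition reads `f.Spec.AuthorinoConfigs.Namespace`, a value that is only filled in at run time by the `servicemesh.EnsureAuthNamespaceExists` precondition added a few lines above, so both the closure form and the precondition ordering are load-bearing yet nothing says so. A one-line comment above the closure keeps a later refactor from inlining it or reordering the preconditions: `// Namespace is resolved by EnsureAuthNamespaceExists at run time, hence the closure.` The enclosing `configureServiceMeshFeatures` starts and ends outside the hunk.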
@@ -43,6 +43,10 @@ type IngressGatewaySpec struct { } type AuthSpec struct { + // Namespace where it is deployed. If not provided, the default is to + // use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI (e.g. opendatahub-auth-provider). + // The '-applications' suffix is removed from ApplicationsNamespace. + Namespace string `json:"namespace,omitempty"` // Authorino holds configuration of Authorino service used as external authorization provider. Authorino AuthorinoSpec `json:"authorino,omitempty"` } diff --git a/pkg/feature/builder.go b/pkg/feature/builder.go index 2bb3bd4cfdc..e31af2022ef 100644 --- a/pkg/feature/builder.go +++ b/pkg/feature/builder.go @@ -57,7 +57,8 @@ func (fo *featureSource) From(source featurev1.Source) *featureBuilder { Source: &source, AppNamespace: fo.spec.ApplicationsNamespace, AuthorinoConfigs: AuthorinoConfigs{ - Name: "authorino-mesh-authz-provider", + Namespace: fo.spec.ServiceMesh.Auth.Namespace, + Name: "authorino-mesh-authz-provider", }, } diff --git a/pkg/feature/servicemesh/conditions.go b/pkg/feature/servicemesh/conditions.go index e352c9545a7..8b159998c33 100644 --- a/pkg/feature/servicemesh/conditions.go +++ b/pkg/feature/servicemesh/conditions.go @@ -12,6 +12,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/dynamic" + "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/gvr" ) 
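Review bot: The new `Namespace` field on `AuthSpec` is free-form text that later becomes a namespace name handed to `cluster.CreateNamespace` and rendered into manifests, but the hunk adds no validation marker, so a value that is not a DNS-1123 label is only rejected deep in reconciliation rather than at admission. A marker such as `// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` (plus `MaxLength=63`) on the field would surface the error on the DSCI create/update instead. The doc comment's "where it is deployed" also has no antecedent; `// Namespace where the external authorization provider (Authorino) is deployed.` says what "it" is. The enclosing struct continues outside the hunk.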
@@ -21,6 +22,15 @@ const ( duration = 5 * time.Minute ) +func EnsureAuthNamespaceExists(f *feature.Feature) error { + if resolveNsErr := ResolveAuthNamespace(f); resolveNsErr != nil { + return resolveNsErr + } + + _, err := cluster.CreateNamespace(f.Client, f.Spec.AuthorinoConfigs.Namespace) + return err +} + func EnsureServiceMeshOperatorInstalled(f *feature.Feature) error { if err := feature.EnsureCRDIsInstalled("servicemeshcontrolplanes.maistra.io")(f); err != nil { f.Log.Info("Failed to find the pre-requisite Service Mesh Control Plane CRD, please ensure Service Mesh Operator is installed.") diff --git a/pkg/feature/servicemesh/loaders.go b/pkg/feature/servicemesh/loaders.go index 9eabf96c2ef..90d1777308e 100644 --- a/pkg/feature/servicemesh/loaders.go +++ b/pkg/feature/servicemesh/loaders.go @@ -1,6 +1,8 @@ package servicemesh import ( + "strings" + "github.com/pkg/errors" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster" @@ -18,3 +20,13 @@ func ClusterDetails(f *feature.Feature) error { return nil } + +func ResolveAuthNamespace(f *feature.Feature) error { + dsciAuthNamespace := strings.TrimSpace(f.Spec.AuthorinoConfigs.Namespace) + + if len(dsciAuthNamespace) == 0 { + f.Spec.AuthorinoConfigs.Namespace = strings.TrimSuffix(f.Spec.AppNamespace, "-applications") + "-auth-provider" + } + + return nil +} diff --git a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl index 7d6f0736b32..f5075b5640b 100644 --- a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl @@ -2,7 +2,7 @@ apiVersion: maistra.io/v1 kind: ServiceMeshMember metadata: name: default - namespace: {{ .AppNamespace }} + namespace: {{ .AuthorinoConfigs.Namespace }} spec: controlPlaneRef: namespace: {{ .ControlPlane.Namespace }} 
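Review bot: `EnsureAuthNamespaceExists` creates a namespace as a side effect of a precondition, and nothing in the series shows that namespace being removed on the Delete path or labelled as operator-owned, so an uninstall presumably leaves an empty `*-auth-provider` namespace behind; confirm `cluster.CreateNamespace` labels it for cleanup, or add a matching removal. The precondition also runs on every reconcile, so unless `cluster.CreateNamespace` already treats an existing namespace as success, the second pass fails; guarding the result with `if err != nil && !k8serrors.IsAlreadyExists(err) { return err }` (importing `k8s.io/apimachinery/pkg/api/errors` as `k8serrors`, as cleanup.go does later in the series) makes the intent explicit. Note that `ResolveAuthNamespace` mutates `f.Spec` in place, so any feature that renders `.AuthorinoConfigs.Namespace` without listing this precondition renders an empty namespace.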
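Review bot: `ResolveAuthNamespace` trims whitespace only for the emptiness test; when the DSCI supplies a non-empty value, the untrimmed `f.Spec.AuthorinoConfigs.Namespace` is what `cluster.CreateNamespace` and the templates receive, so a value with stray surrounding whitespace fails late with an invalid namespace name instead of being normalised. Assigning the trimmed value back closes that gap: `f.Spec.AuthorinoConfigs.Namespace = dsciAuthNamespace` right after the `TrimSpace` line, leaving the default branch as it is. The same function is touched again in the rename hunk of "Feedback: Simplify namings" (`f.Spec.Auth.Namespace`), where the issue persists.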
diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl index 3d1b09aa5d1..69b232136da 100644 --- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl @@ -2,7 +2,7 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: name: {{ .AuthorinoConfigs.Name }} - namespace: {{ .AppNamespace }} + namespace: {{ .AuthorinoConfigs.Namespace }} spec: authConfigLabelSelectors: security.opendatahub.io/authorization-group=default clusterWide: true diff --git a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl index 8a56aeb4630..e75e3f80ead 100644 --- a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ .AuthorinoConfigs.Name }} - namespace: {{ .AppNamespace }} + namespace: {{ .AuthorinoConfigs.Namespace }} spec: template: metadata: diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl index ee23fff3d63..a7c03b775b0 100644 --- a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl @@ -9,5 +9,5 @@ spec: extensionProviders: - name: {{ .AppNamespace }}-odh-auth-provider envoyExtAuthzGrpc: - service: {{ .AuthorinoConfigs.Name }}-authorino-authorization.{{ .AppNamespace }}.svc.cluster.local + service: {{ .AuthorinoConfigs.Name }}-authorino-authorization.{{ .AuthorinoConfigs.Namespace }}.svc.cluster.local port: 50051 
diff --git a/pkg/feature/types.go b/pkg/feature/types.go index afeb296863f..a2a2f96106a 100644 --- a/pkg/feature/types.go +++ b/pkg/feature/types.go @@ -30,7 +30,8 @@ type OAuth struct { } type AuthorinoConfigs struct { - Name string + Namespace string + Name string } func ReplaceChar(s string, oldChar, newChar string) string { From 99dd03084b5af3bbf81bba01941671ca7ace3dae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Sun, 4 Feb 2024 22:11:03 -0600 Subject: [PATCH 19/28] Feedback: Add clean-up for KServe/OSSM-auth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- components/kserve/kserve.go | 6 +++++- components/kserve/servicemesh_setup.go | 13 ++++++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/components/kserve/kserve.go b/components/kserve/kserve.go index 4c0992c9129..6019f3f8cb5 100644 --- a/components/kserve/kserve.go +++ b/components/kserve/kserve.go @@ -168,7 +168,11 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC } func (k *Kserve) Cleanup(_ client.Client, instance *dsciv1.DSCInitializationSpec) error { - return k.removeServerlessFeatures(instance) + if removeServerlessErr := k.removeServerlessFeatures(instance); removeServerlessErr != nil { + return removeServerlessErr + } + + return k.removeServiceMeshConfigurations(instance) } func (k *Kserve) configureServerless(instance *dsciv1.DSCInitializationSpec) error { diff --git a/components/kserve/servicemesh_setup.go b/components/kserve/servicemesh_setup.go index bf01c91b959..d46716efd79 100644 --- a/components/kserve/servicemesh_setup.go +++ b/components/kserve/servicemesh_setup.go 
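Review bot: `Cleanup` now returns on the first error from `removeServerlessFeatures`, so a failure there skips `removeServiceMeshConfigurations` entirely and the mesh-side authorization objects rendered from `pkg/feature/templates/servicemesh/kserve/` stay in the control-plane namespace after the component is removed. Because the two removals are independent, attempting both and reporting every failure gives a more complete uninstall; the rewrite below collects them with `errors.Join`, which needs the module to be on Go 1.20+ and the standard `errors` package in scope (alias it if this file already imports `github.com/pkg/errors` under that name). `Cleanup` is fully visible in the hunk.
```go
func (k *Kserve) Cleanup(_ client.Client, instance *dsciv1.DSCInitializationSpec) error {
	// The two removals are independent; attempt each so a failure in one
	// does not leave the other's resources behind.
	var errs []error
	if err := k.removeServerlessFeatures(instance); err != nil {
		errs = append(errs, err)
	}
	if err := k.removeServiceMeshConfigurations(instance); err != nil {
		errs = append(errs, err)
	}
	return errors.Join(errs...)
}
```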
@@ -11,13 +11,20 @@ import ( ) func (k *Kserve) configureServiceMesh(dscispec *dsciv1.DSCInitializationSpec) error { - if dscispec.ServiceMesh.ManagementState != operatorv1.Managed || k.GetManagementState() != operatorv1.Managed { + if dscispec.ServiceMesh.ManagementState == operatorv1.Managed && k.GetManagementState() == operatorv1.Managed { + serviceMeshInitializer := feature.ComponentFeaturesHandler(k, dscispec, k.defineServiceMeshFeatures()) + return serviceMeshInitializer.Apply() + } + if dscispec.ServiceMesh.ManagementState == operatorv1.Unmanaged && k.GetManagementState() == operatorv1.Managed { return nil } - serviceMeshInitializer := feature.ComponentFeaturesHandler(k, dscispec, k.defineServiceMeshFeatures()) + return k.removeServiceMeshConfigurations(dscispec) +} - return serviceMeshInitializer.Apply() +func (k *Kserve) removeServiceMeshConfigurations(dscispec *dsciv1.DSCInitializationSpec) error { + serviceMeshInitializer := feature.ComponentFeaturesHandler(k, dscispec, k.defineServiceMeshFeatures()) + return serviceMeshInitializer.Delete() } func (k *Kserve) defineServiceMeshFeatures() feature.FeaturesProvider { From 773cef984bdcd02cfe3ec03c303f6edfb10794f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Sun, 4 Feb 2024 22:50:56 -0600 Subject: [PATCH 20/28] Feedback: Simplify namings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
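Review bot: The fall-through at the end of `configureServiceMesh` calls `removeServiceMeshConfigurations` for every combination not matched above, which includes `ServiceMesh.ManagementState == Unmanaged` with KServe not `Managed`; in that case the operator issues a `Delete()` of features that patch a control plane it was told not to manage (`RemoveExtensionProvider` unpatches the SMCP). If that is intended, a comment stating that an unmanaged mesh is still unpatched on KServe removal would help; if not, checking the mesh state first, `if dscispec.ServiceMesh.ManagementState == operatorv1.Unmanaged { return nil }`, keeps the operator's hands off an unmanaged mesh regardless of the component state. Either way a `switch` over the two states would make the three outcomes easier to audit than two `if`s plus a fall-through.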
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- ...ion.opendatahub.io_dscinitializations.yaml | 33 ++++++++----------- .../dscinitialization/servicemesh_setup.go | 2 +- infrastructure/v1/servicemesh_types.go | 8 +---- infrastructure/v1/zz_generated.deepcopy.go | 22 ++----------- pkg/feature/builder.go | 13 +++----- pkg/feature/servicemesh/conditions.go | 2 +- pkg/feature/servicemesh/loaders.go | 4 +-- .../servicemesh/authorino/auth-smm.tmpl | 2 +- .../base/operator-cluster-wide-no-tls.tmpl | 4 +-- .../authorino/deployment.injection.patch.tmpl | 4 +-- .../mesh-authz-ext-provider.patch.tmpl | 4 +-- pkg/feature/types.go | 7 +--- 12 files changed, 34 insertions(+), 71 deletions(-) diff --git a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml index c40785e11b4..eef475aeacf 100644 --- a/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml 
@@ -93,29 +93,22 @@ spec: description: Auth holds configuration of authentication and authorization services used by Service Mesh in Opendatahub. properties: - authorino: - description: Authorino holds configuration of Authorino service - used as external authorization provider. - properties: - audiences: - default: - - https://kubernetes.default.svc - description: Audiences is a list of the identifiers that - the resource server presented with the token identifies - as. Audience-aware token authenticators will verify - that the token was intended for at least one of the - audiences in this list. If no audiences are provided, - the audience will default to the audience of the Kubernetes - apiserver (kubernetes.default.svc). - items: - type: string - type: array - type: object + audiences: + default: + - https://kubernetes.default.svc + description: Audiences is a list of the identifiers that the + resource server presented with the token identifies as. + Audience-aware token authenticators will verify that the + token was intended for at least one of the audiences in + this list. If no audiences are provided, the audience will + default to the audience of the Kubernetes apiserver (kubernetes.default.svc). + items: + type: string + type: array namespace: description: Namespace where it is deployed. If not provided, the default is to use '-auth-provider' suffix on the ApplicationsNamespace - of the DSCI (e.g. opendatahub-auth-provider). The '-applications' - suffix is removed from ApplicationsNamespace. + of the DSCI. type: string type: object controlPlane: diff --git a/controllers/dscinitialization/servicemesh_setup.go b/controllers/dscinitialization/servicemesh_setup.go index 780c300b5b0..82136470c16 100644 --- a/controllers/dscinitialization/servicemesh_setup.go +++ b/controllers/dscinitialization/servicemesh_setup.go 
@@ -110,7 +110,7 @@ func configureServiceMeshFeatures() feature.FeaturesProvider { PostConditions( feature.WaitForPodsToBeReady(serviceMeshSpec.ControlPlane.Namespace), func(f *feature.Feature) error { - return feature.WaitForPodsToBeReady(f.Spec.AuthorinoConfigs.Namespace)(f) + return feature.WaitForPodsToBeReady(f.Spec.Auth.Namespace)(f) }, func(f *feature.Feature) error { // We do not have the control over deployment resource creation. diff --git a/infrastructure/v1/servicemesh_types.go b/infrastructure/v1/servicemesh_types.go index 408ca4bfe69..8ae7e743645 100644 --- a/infrastructure/v1/servicemesh_types.go +++ b/infrastructure/v1/servicemesh_types.go @@ -44,14 +44,8 @@ type IngressGatewaySpec struct { type AuthSpec struct { // Namespace where it is deployed. If not provided, the default is to - // use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI (e.g. opendatahub-auth-provider). - // The '-applications' suffix is removed from ApplicationsNamespace. + // use '-auth-provider' suffix on the ApplicationsNamespace of the DSCI. Namespace string `json:"namespace,omitempty"` - // Authorino holds configuration of Authorino service used as external authorization provider. - Authorino AuthorinoSpec `json:"authorino,omitempty"` -} - -type AuthorinoSpec struct { // Audiences is a list of the identifiers that the resource server presented // with the token identifies as. Audience-aware token authenticators will verify // that the token was intended for at least one of the audiences in this list. diff --git a/infrastructure/v1/zz_generated.deepcopy.go b/infrastructure/v1/zz_generated.deepcopy.go index 6420779aeec..b84a224094f 100644 --- a/infrastructure/v1/zz_generated.deepcopy.go +++ b/infrastructure/v1/zz_generated.deepcopy.go 
@@ -25,22 +25,6 @@ import () // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthSpec) DeepCopyInto(out *AuthSpec) { - *out = *in - in.Authorino.DeepCopyInto(&out.Authorino) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSpec. -func (in *AuthSpec) DeepCopy() *AuthSpec { - if in == nil { - return nil - } - out := new(AuthSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuthorinoSpec) DeepCopyInto(out *AuthorinoSpec) { *out = *in if in.Audiences != nil { in, out := &in.Audiences, &out.Audiences @@ -53,12 +37,12 @@ func (in *AuthorinoSpec) DeepCopyInto(out *AuthorinoSpec) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorinoSpec. -func (in *AuthorinoSpec) DeepCopy() *AuthorinoSpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSpec. +func (in *AuthSpec) DeepCopy() *AuthSpec { if in == nil { return nil } - out := new(AuthorinoSpec) + out := new(AuthSpec) in.DeepCopyInto(out) return out } diff --git a/pkg/feature/builder.go b/pkg/feature/builder.go index c2a3664727d..1e4dd2b3aaf 100644 --- a/pkg/feature/builder.go +++ b/pkg/feature/builder.go 
@@ -40,14 +40,11 @@ type usingFeaturesHandler struct { func (u *usingFeaturesHandler) For(featuresHandler *FeaturesHandler) *featureBuilder { createSpec := func(f *Feature) error { f.Spec = &Spec{ - ServiceMeshSpec: &featuresHandler.DSCInitializationSpec.ServiceMesh, - Serving: &infrav1.ServingSpec{}, - Source: &featuresHandler.source, - AppNamespace: featuresHandler.DSCInitializationSpec.ApplicationsNamespace, - AuthorinoConfigs: AuthorinoConfigs{ - Namespace: featuresHandler.DSCInitializationSpec.ServiceMesh.Auth.Namespace, - Name: "authorino-mesh-authz-provider", - }, + ServiceMeshSpec: &featuresHandler.DSCInitializationSpec.ServiceMesh, + Serving: &infrav1.ServingSpec{}, + Source: &featuresHandler.source, + AppNamespace: featuresHandler.DSCInitializationSpec.ApplicationsNamespace, + AuthProviderName: "authorino", } return nil diff --git a/pkg/feature/servicemesh/conditions.go b/pkg/feature/servicemesh/conditions.go index 8b159998c33..439b86cc3c7 100644 --- a/pkg/feature/servicemesh/conditions.go +++ b/pkg/feature/servicemesh/conditions.go @@ -27,7 +27,7 @@ func EnsureAuthNamespaceExists(f *feature.Feature) error { return resolveNsErr } - _, err := cluster.CreateNamespace(f.Client, f.Spec.AuthorinoConfigs.Namespace) + _, err := cluster.CreateNamespace(f.Client, f.Spec.Auth.Namespace) return err } diff --git a/pkg/feature/servicemesh/loaders.go b/pkg/feature/servicemesh/loaders.go index 90d1777308e..e9252c6ec67 100644 --- a/pkg/feature/servicemesh/loaders.go +++ b/pkg/feature/servicemesh/loaders.go 
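Review bot: `AuthProviderName: "authorino"` is a bare literal that the templates later combine into a Service hostname, `{{ .AuthProviderName }}-authorization.{{ .Auth.Namespace }}.svc.cluster.local` in `mesh-authz-ext-provider.patch.tmpl`, so the value presumably has to match the name the Authorino operator gives the authorization Service; that contract is invisible at this assignment. Hoisting it to a named constant with a comment, e.g. `// authProviderName is the Authorino CR name; its ext-authz Service is expected at <name>-authorization.` followed by `const authProviderName = "authorino"`, ties the two usages together. The enclosing `For` method starts outside the hunk.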
@@ -22,10 +22,10 @@ func ClusterDetails(f *feature.Feature) error { } func ResolveAuthNamespace(f *feature.Feature) error { - dsciAuthNamespace := strings.TrimSpace(f.Spec.AuthorinoConfigs.Namespace) + dsciAuthNamespace := strings.TrimSpace(f.Spec.Auth.Namespace) if len(dsciAuthNamespace) == 0 { - f.Spec.AuthorinoConfigs.Namespace = strings.TrimSuffix(f.Spec.AppNamespace, "-applications") + "-auth-provider" + f.Spec.Auth.Namespace = strings.TrimSuffix(f.Spec.AppNamespace, "-applications") + "-auth-provider" } return nil diff --git a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl index f5075b5640b..6b0aa06aa82 100644 --- a/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/auth-smm.tmpl @@ -2,7 +2,7 @@ apiVersion: maistra.io/v1 kind: ServiceMeshMember metadata: name: default - namespace: {{ .AuthorinoConfigs.Namespace }} + namespace: {{ .Auth.Namespace }} spec: controlPlaneRef: namespace: {{ .ControlPlane.Namespace }} diff --git a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl index 69b232136da..5624128f904 100644 --- a/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/base/operator-cluster-wide-no-tls.tmpl @@ -1,8 +1,8 @@ apiVersion: operator.authorino.kuadrant.io/v1beta1 kind: Authorino metadata: - name: {{ .AuthorinoConfigs.Name }} - namespace: {{ .AuthorinoConfigs.Namespace }} + name: {{ .AuthProviderName }} + namespace: {{ .Auth.Namespace }} spec: authConfigLabelSelectors: security.opendatahub.io/authorization-group=default clusterWide: true 
diff --git a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl index e75e3f80ead..7040f76da79 100644 --- a/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/deployment.injection.patch.tmpl @@ -1,8 +1,8 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .AuthorinoConfigs.Name }} - namespace: {{ .AuthorinoConfigs.Namespace }} + name: {{ .AuthProviderName }} + namespace: {{ .Auth.Namespace }} spec: template: metadata: diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl index a7c03b775b0..2dea63bf14d 100644 --- a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl +++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl @@ -7,7 +7,7 @@ spec: techPreview: meshConfig: extensionProviders: - - name: {{ .AppNamespace }}-odh-auth-provider + - name: {{ .AppNamespace }}-auth-provider envoyExtAuthzGrpc: - service: {{ .AuthorinoConfigs.Name }}-authorino-authorization.{{ .AuthorinoConfigs.Namespace }}.svc.cluster.local + service: {{ .AuthProviderName }}-authorization.{{ .Auth.Namespace }}.svc.cluster.local port: 50051 diff --git a/pkg/feature/types.go b/pkg/feature/types.go index a2a2f96106a..2c1100c59bb 100644 --- a/pkg/feature/types.go +++ b/pkg/feature/types.go @@ -10,7 +10,7 @@ import ( type Spec struct { *infrav1.ServiceMeshSpec Serving *infrav1.ServingSpec - AuthorinoConfigs AuthorinoConfigs + AuthProviderName string OAuth OAuth AppNamespace string Domain string @@ -29,11 +29,6 @@ type OAuth struct { Hmac string } -type AuthorinoConfigs struct { - Namespace string - Name string -} - func ReplaceChar(s string, oldChar, newChar string) string { return strings.ReplaceAll(s, oldChar, newChar) } 
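Review bot: Renaming the extension provider from `{{ .AppNamespace }}-odh-auth-provider` to `{{ .AppNamespace }}-auth-provider` changes the identity that the KServe AuthorizationPolicies (`action: CUSTOM` with a provider name, presumably this one) and the `RemoveExtensionProvider` cleanup match on, so a control plane patched by an earlier build of this series would keep the old provider entry and any policies bound to it. Confirm that `RemoveExtensionProvider` matches on the same rendered value rather than a hard-coded string, and consider whether cleanup should also drop a legacy `-odh-auth-provider` entry on upgrade. A comment on the template line, `# Must match provider.name in the kserve AuthorizationPolicy templates and the match in pkg/feature/servicemesh/cleanup.go`, documents the coupling.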
From faede78d1d8669914fa556058ad804bcdc108c89 Mon Sep 17 00:00:00 2001 From: Aslak Knutsen Date: Mon, 5 Feb 2024 17:47:02 +0100 Subject: [PATCH 21/28] fix: add auth-refs cm --- pkg/feature/servicemesh/resources.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pkg/feature/servicemesh/resources.go b/pkg/feature/servicemesh/resources.go index 4d2b64eb147..deeed45d681 100644 --- a/pkg/feature/servicemesh/resources.go +++ b/pkg/feature/servicemesh/resources.go @@ -1,6 +1,8 @@ package servicemesh import ( + "strings" + "github.com/pkg/errors" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" @@ -16,5 +18,16 @@ func ConfigMaps(feature *feature.Feature) error { return errors.WithStack(err) } + audiences := feature.Spec.Auth.Audiences + audiencesList := "" + if audiences != nil && len(*audiences) > 0 { + audiencesList = strings.Join(*audiences, ",") + } + if err := feature.CreateConfigMap("auth-refs", + map[string]string{ + "AUTH_AUDIENCE": audiencesList, + }); err != nil { + return errors.WithStack(err) + } return nil } From a06b1fd74e22fd8ad69bd7e49509480c5f6df458 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Wed, 14 Feb 2024 15:11:55 -0600 Subject: [PATCH 22/28] Feedback: adjust labels and a log message MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- pkg/feature/servicemesh/cleanup.go | 2 +- .../templates/servicemesh/kserve/activator-envoyfilter.tmpl | 5 +++-- .../templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl | 4 ++++ .../kserve/kserve-predictor-authorizationpolicy.tmpl | 3 +++ 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/pkg/feature/servicemesh/cleanup.go b/pkg/feature/servicemesh/cleanup.go index 51c222d90fa..f58f903a002 100644 --- a/pkg/feature/servicemesh/cleanup.go +++ b/pkg/feature/servicemesh/cleanup.go 
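Review bot: When `Audiences` is nil or empty, the new code writes `AUTH_AUDIENCE: ""` into the `auth-refs` ConfigMap, whereas the CRD describes the empty case as defaulting to the Kubernetes apiserver audience (`https://kubernetes.default.svc`); if the consumer of this key treats an empty string as "skip the audience check", an empty list silently weakens token validation. Initialising with the documented default, `audiencesList := "https://kubernetes.default.svc"` before the `if`, keeps the ConfigMap consistent with the API documentation, assuming the API-server default does not already guarantee a non-empty list. Separately, the parameter `feature *feature.Feature` shadows the `feature` package inside the function, which is legal but makes `feature.CreateConfigMap` read as a package call; naming it `f` as `conditions.go` does avoids that.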
@@ -38,7 +38,7 @@ func RemoveExtensionProvider(f *feature.Feature) error { for i, v := range extensionProviders { extensionProvider, ok := v.(map[string]interface{}) if !ok { - log.Info("WARN: Unexpected type for extensionProvider") + log.Info("WARN: Unexpected type for extensionProvider will not be removed") continue } diff --git a/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl b/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl index 5a6286b3d0a..bd47b454b61 100644 --- a/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl +++ b/pkg/feature/templates/servicemesh/kserve/activator-envoyfilter.tmpl @@ -1,10 +1,11 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - labels: - app: odh name: activator-host-header namespace: {{ .ControlPlane.Namespace }} + labels: + app.opendatahub.io/kserve: "true" + app.kubernetes.io/part-of: kserve spec: priority: 20 workloadSelector: diff --git a/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl b/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl index 0fd71911c68..b852d2f1e2e 100644 --- a/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl +++ b/pkg/feature/templates/servicemesh/kserve/envoy-oauth-temp-fix.tmpl @@ -5,6 +5,8 @@ metadata: namespace: {{ .ControlPlane.Namespace }} labels: opendatahub.io/related-to: OSSM-4873 + app.opendatahub.io/kserve: "true" + app.kubernetes.io/part-of: kserve spec: workloadSelector: labels: @@ -43,6 +45,8 @@ metadata: namespace: {{ .ControlPlane.Namespace }} labels: opendatahub.io/related-to: OSSM-4873 + app.opendatahub.io/kserve: "true" + app.kubernetes.io/part-of: kserve spec: workloadSelector: labels: diff --git a/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl index c0e87554f50..a79057f26a9 100644 
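Review bot: The reworded message still omits the one detail an operator needs to act on it: which `extensionProviders` entry had the unexpected shape. The loop already has the index in hand (`for i, v := range extensionProviders`), so `log.Info("WARN: unexpected type for extensionProvider, entry will not be removed", "index", i)` makes the skipped entry findable in the SMCP and reads more naturally. `RemoveExtensionProvider` continues outside the hunk.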
--- a/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl +++ b/pkg/feature/templates/servicemesh/kserve/kserve-predictor-authorizationpolicy.tmpl @@ -3,6 +3,9 @@ kind: AuthorizationPolicy metadata: name: kserve-predictor namespace: {{ .ControlPlane.Namespace }} + labels: + app.opendatahub.io/kserve: "true" + app.kubernetes.io/part-of: kserve spec: action: CUSTOM provider: From fae0994efd3d51e1b4303187c3b638cd1caf26d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Wed, 14 Feb 2024 15:16:21 -0600 Subject: [PATCH 23/28] Bugfix: Extension provider terminating with error when SMCP is gone MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- pkg/feature/servicemesh/cleanup.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/feature/servicemesh/cleanup.go b/pkg/feature/servicemesh/cleanup.go index f58f903a002..867d989d659 100644 --- a/pkg/feature/servicemesh/cleanup.go +++ b/pkg/feature/servicemesh/cleanup.go @@ -4,6 +4,7 @@ import ( "context" "fmt" + k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ctrlLog "sigs.k8s.io/controller-runtime/pkg/log" @@ -23,6 +24,11 @@ func RemoveExtensionProvider(f *feature.Feature) error { Namespace(mesh.Namespace). Get(context.TODO(), mesh.Name, metav1.GetOptions{}) if err != nil { + if k8serrors.IsNotFound(err) { + // Since the configuration of the extension provider is a patch, it could happen that + // the SMCP is already gone, and there will be nothing to unpatch. + return nil + } return err } From b5fc2b295dd79e10e34839454f3078f4e59d423f Mon Sep 17 00:00:00 2001 
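Review bot: The early `return nil` on `IsNotFound` is right for the case the comment describes, but it leaves no trace, so a cleanup that did nothing is indistinguishable in the logs from one that unpatched the SMCP. A single `f.Log.Info("Service Mesh Control Plane not found, nothing to unpatch", "namespace", mesh.Namespace, "name", mesh.Name)` before the return (or the function's `log` if it is already in scope at that point) keeps the uninstall path auditable; `mesh.Namespace` and `mesh.Name` are the values used in the `Get` just above. `RemoveExtensionProvider` continues outside the hunk.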
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Wed, 14 Feb 2024 15:33:21 -0600 Subject: [PATCH 24/28] Fix: add missing RBAC for ConfigMaps func MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- config/rbac/role.yaml | 1 + controllers/datasciencecluster/kubebuilder_rbac.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index b1272f021d9..de57e6f0388 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -358,6 +358,7 @@ rules: - get - list - patch + - update - watch - apiGroups: - "" diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go index b352f572e9c..99b97b47858 100644 --- a/controllers/datasciencecluster/kubebuilder_rbac.go +++ b/controllers/datasciencecluster/kubebuilder_rbac.go @@ -196,7 +196,7 @@ package datasciencecluster // +kubebuilder:rbac:groups="core",resources=endpoints,verbs=watch;list;get;create;update;delete // +kubebuilder:rbac:groups="core",resources=configmaps/status,verbs=get;update;patch;delete -// +kubebuilder:rbac:groups="core",resources=configmaps,verbs=get;create;watch;patch;delete;list +// +kubebuilder:rbac:groups="core",resources=configmaps,verbs=get;create;update;watch;patch;delete;list // +kubebuilder:rbac:groups="core",resources=clusterversions,verbs=watch;list // +kubebuilder:rbac:groups="config.openshift.io",resources=clusterversions,verbs=watch;list From 2d648448c391f423fd3fa742a09bb5416b7c0fd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Thu, 15 Feb 2024 18:06:30 -0600 Subject: [PATCH 25/28] Fix: Run `make bundle` and commit resulting changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
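Review bot: Adding `update` to the cluster-scoped ConfigMap rule widens what the operator's ClusterRole can do to every ConfigMap in the cluster, not only `auth-refs`, and the marker gives no hint which code path needs it. A comment naming the consumer keeps the grant reviewable: `// update on configmaps: presumably required by feature.CreateConfigMap (pkg/feature/servicemesh/resources.go) for the auth-refs ConfigMap`. If that helper only ever creates and patches the object, `patch` is already granted and the extra verb could be dropped again after checking.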
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- ...er.opendatahub.io_datascienceclusters.yaml | 40 +++++++++---------- ...ion.opendatahub.io_dscinitializations.yaml | 22 ++++++++++ ...atahub-operator.clusterserviceversion.yaml | 27 ++++++++++++- 3 files changed, 68 insertions(+), 21 deletions(-) diff --git a/bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml b/bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml index 3ec5fc3e449..700e41d60b1 100644 --- a/bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml +++ b/bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml @@ -62,12 +62,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -105,12 +105,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array 
@@ -149,12 +149,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -195,12 +195,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -298,12 +298,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -342,12 +342,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array 
@@ -385,12 +385,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -428,12 +428,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -471,12 +471,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array @@ -514,12 +514,12 @@ spec: description: 'sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, - `default`, `odh` etc' + `default`, `odh` etc.' type: string uri: default: "" description: uri is the URI point to a git repo - with tag/branch. e.g https://github.com/org/repo/tarball/ + with tag/branch. e.g. https://github.com/org/repo/tarball/ type: string type: object type: array 
diff --git a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml index a37df4ad4a2..1254aaff787 100644 --- a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml +++ b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml @@ -88,6 +88,28 @@ spec: user experience; e.g. it provides unified authentication giving a Single Sign On experience. properties: + auth: + description: Auth holds configuration of authentication and authorization + services used by Service Mesh in Opendatahub. + properties: + audiences: + default: + - https://kubernetes.default.svc + description: Audiences is a list of the identifiers that the + resource server presented with the token identifies as. + Audience-aware token authenticators will verify that the + token was intended for at least one of the audiences in + this list. If no audiences are provided, the audience will + default to the audience of the Kubernetes apiserver (kubernetes.default.svc). + items: + type: string + type: array + namespace: + description: Namespace where it is deployed. If not provided, + the default is to use '-auth-provider' suffix on the ApplicationsNamespace + of the DSCI. + type: string + type: object controlPlane: description: ControlPlane holds configuration of Service Mesh used by Opendatahub. diff --git a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml index a61a6f34a8a..f8a3a0b84ac 100644 --- a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml +++ b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml @@ -318,6 +318,12 @@ spec: - tokenreviews verbs: - create + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs + verbs: + - '*' - apiGroups: - authorization.k8s.io resources: 
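Review bot: The `audiences` default of `https://kubernetes.default.svc` is the API server's own token audience, so under the default every service-account token the cluster mints for the API server satisfies the audience check of whichever authenticator consumes this list (presumably the external authorizer this series wires into the mesh), and the description presents the fallback as a convenience without stating that consequence. I would append to the description: `Using the API server audience accepts any service-account token in the cluster; configure a dedicated audience and have clients present tokens projected for it to narrow which tokens are accepted.` The `namespace` field is also an unconstrained `type: string`; since bundle CRDs are normally generated from the Go types, a `+kubebuilder:validation:MaxLength=63` marker together with a DNS-1123 `Pattern` on that field would reject invalid namespace names at admission instead of at resource creation, assuming the operator itself does not validate it (not visible here).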
@@ -538,6 +544,7 @@ spec: - get - list - patch + - update - watch - apiGroups: - "" @@ -1170,6 +1177,12 @@ spec: - deletecollection - get - patch + - apiGroups: + - networking.istio.io + resources: + - envoyfilters + verbs: + - '*' - apiGroups: - networking.istio.io resources: @@ -1250,6 +1263,12 @@ spec: - patch - update - watch + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - '*' - apiGroups: - operator.knative.dev resources: @@ -1390,6 +1409,12 @@ spec: - patch - update - watch + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - '*' - apiGroups: - security.openshift.io resources: @@ -1752,7 +1777,7 @@ spec: env: - name: DISABLE_DSC_CONFIG value: "true" - image: REPLACE_IMAGE:latest + image: quay.io/edgarhz/odh-operator:latest imagePullPolicy: Always livenessProbe: httpGet: From 95163efd9f2c90134223274a7c7c5cd9f3608aef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Thu, 15 Feb 2024 18:09:03 -0600 Subject: [PATCH 26/28] Feedback: Wen - Better feature namings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- components/kserve/servicemesh_setup.go | 2 +- controllers/dscinitialization/servicemesh_setup.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/components/kserve/servicemesh_setup.go b/components/kserve/servicemesh_setup.go index d46716efd79..49da2c30d20 100644 --- a/components/kserve/servicemesh_setup.go +++ b/components/kserve/servicemesh_setup.go 
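Review bot: The new rules for `networking.istio.io/envoyfilters`, `operator.authorino.kuadrant.io/authorinos` and `security.istio.io/authorizationpolicies` (like the `authconfigs` rule added earlier in this file) grant `verbs: ['*']`, whereas the neighbouring rules in this CSV enumerate their verbs; a wildcard also covers `deletecollection` and any verb a future API version introduces, which the operator has no stated need for. If, as is usual, this CSV is regenerated from kubebuilder RBAC markers in the controller sources, the narrowing belongs in those markers, e.g. `verbs=create;delete;get;list;patch;update;watch`, followed by a bundle regeneration. Which verbs the feature code actually exercises is not visible in these hunks, so confirm against the loaders before trimming.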
@@ -29,7 +29,7 @@ func (k *Kserve) removeServiceMeshConfigurations(dscispec *dsciv1.DSCInitializat func (k *Kserve) defineServiceMeshFeatures() feature.FeaturesProvider { return func(handler *feature.FeaturesHandler) error { - kserveExtAuthzErr := feature.CreateFeature("configure-kserve-for-external-authz"). + kserveExtAuthzErr := feature.CreateFeature("kserve-external-authz"). For(handler). Manifests( path.Join(feature.KServeDir), diff --git a/controllers/dscinitialization/servicemesh_setup.go b/controllers/dscinitialization/servicemesh_setup.go index 752d2987a5c..bfb57dcba8d 100644 --- a/controllers/dscinitialization/servicemesh_setup.go +++ b/controllers/dscinitialization/servicemesh_setup.go @@ -86,7 +86,7 @@ func configureServiceMeshFeatures() feature.FeaturesProvider { } } - cfgMapErr := feature.CreateFeature("shared-config-maps"). + cfgMapErr := feature.CreateFeature("mesh-shared-configmap"). For(handler). WithResources(servicemesh.ConfigMaps). Load() @@ -94,7 +94,7 @@ func configureServiceMeshFeatures() feature.FeaturesProvider { return cfgMapErr } - extAuthzErr := feature.CreateFeature("service-mesh-control-plane-setup-external-authorization"). + extAuthzErr := feature.CreateFeature("mesh-control-plane-external-authz"). For(handler). Manifests( path.Join(feature.AuthDir, "auth-smm.tmpl"), From bdeca2cff4d0a556642f3ef30b23b8eccff60284 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Thu, 15 Feb 2024 18:47:08 -0600 Subject: [PATCH 27/28] Feedback: Bartosz MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Use feature logger * Don't trim -applications suffix on ResolveAuthNamespace Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- pkg/feature/servicemesh/cleanup.go | 18 ++++++------------ pkg/feature/servicemesh/loaders.go | 2 +- 2 files changed, 7 insertions(+), 13 deletions(-) 
diff --git a/pkg/feature/servicemesh/cleanup.go b/pkg/feature/servicemesh/cleanup.go index 867d989d659..7acc3885571 100644 --- a/pkg/feature/servicemesh/cleanup.go +++ b/pkg/feature/servicemesh/cleanup.go @@ -4,17 +4,14 @@ import ( "context" "fmt" - k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - ctrlLog "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/client" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" "github.com/opendatahub-io/opendatahub-operator/v2/pkg/gvr" ) -var log = ctrlLog.Log.WithName("features") - func RemoveExtensionProvider(f *feature.Feature) error { ossmAuthzProvider := fmt.Sprintf("%s-odh-auth-provider", f.Spec.AppNamespace) @@ -24,12 +21,9 @@ func RemoveExtensionProvider(f *feature.Feature) error { Namespace(mesh.Namespace). Get(context.TODO(), mesh.Name, metav1.GetOptions{}) if err != nil { - if k8serrors.IsNotFound(err) { - // Since the configuration of the extension provider is a patch, it could happen that - // the SMCP is already gone, and there will be nothing to unpatch. - return nil - } - return err + // Since the configuration of the extension provider is a patch, it could happen that + // the SMCP is already gone, and there will be nothing to unpatch. + return client.IgnoreNotFound(err) } extensionProviders, found, err := unstructured.NestedSlice(smcp.Object, "spec", "techPreview", "meshConfig", "extensionProviders") 
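Review bot: `return client.IgnoreNotFound(err)` correctly tolerates a control plane that is already gone, but every other failure of the `Get` is returned bare, so the caller's error says nothing about which SMCP could not be read during cleanup; since this runs on uninstall, a message naming the object is what an operator needs from the log. I would split the two outcomes and wrap the real error with `%w` (the file already imports `fmt`), as below. `mesh` is resolved between the two hunks and the rest of RemoveExtensionProvider continues past this one, so nothing else in the visible lines needs to change.
```go
	// … unchanged: Namespace(mesh.Namespace).Get(...) call assigning smcp, err …
	if err != nil {
		// The extension provider lives in a patch on the SMCP; if the SMCP is
		// already gone there is nothing to unpatch and cleanup succeeds.
		if err := client.IgnoreNotFound(err); err != nil {
			return fmt.Errorf("getting control plane %s/%s: %w", mesh.Namespace, mesh.Name, err)
		}
		return nil
	}
```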
@@ -37,14 +31,14 @@ func RemoveExtensionProvider(f *feature.Feature) error { return err } if !found { - log.Info("no extension providers found", "feature", f.Name, "control-plane", mesh.Name, "namespace", mesh.Namespace) + f.Log.Info("no extension providers found", "feature", f.Name, "control-plane", mesh.Name, "namespace", mesh.Namespace) return nil } for i, v := range extensionProviders { extensionProvider, ok := v.(map[string]interface{}) if !ok { - log.Info("WARN: Unexpected type for extensionProvider will not be removed") + f.Log.Info("WARN: Unexpected type for extensionProvider will not be removed") continue } diff --git a/pkg/feature/servicemesh/loaders.go b/pkg/feature/servicemesh/loaders.go index e9252c6ec67..1a76d92439c 100644 --- a/pkg/feature/servicemesh/loaders.go +++ b/pkg/feature/servicemesh/loaders.go @@ -25,7 +25,7 @@ func ResolveAuthNamespace(f *feature.Feature) error { dsciAuthNamespace := strings.TrimSpace(f.Spec.Auth.Namespace) if len(dsciAuthNamespace) == 0 { - f.Spec.Auth.Namespace = strings.TrimSuffix(f.Spec.AppNamespace, "-applications") + "-auth-provider" + f.Spec.Auth.Namespace = f.Spec.AppNamespace + "-auth-provider" } return nil From e28da297d0769d8310917302f1f302e8915228d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com> Date: Fri, 16 Feb 2024 09:44:18 -0600 Subject: [PATCH 28/28] Feedback: Wen - revert image placeholder was replaced MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- .../manifests/opendatahub-operator.clusterserviceversion.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml index f8a3a0b84ac..3f866522f9f 100644 --- a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml 
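Review bot: The `WARN:` log on the unexpected-type branch carries none of the keys the preceding `no extension providers found` line attaches, so a reader of the log cannot tell which control plane or which entry was skipped; logr has no warn level, so the prefix is the usual workaround, but the context should still travel with it. Suggest `f.Log.Info("WARN: unexpected type for extensionProvider, entry will not be removed", "feature", f.Name, "control-plane", mesh.Name, "namespace", mesh.Namespace, "index", i)`. The loop body and the remainder of RemoveExtensionProvider continue past the hunk.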
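Review bot: `ResolveAuthNamespace` accepts whatever string the DSCI carries in `spec.serviceMesh.auth.namespace` after a `TrimSpace`, and the derived default `f.Spec.AppNamespace + "-auth-provider"` is not checked against namespace-name rules either, so an overlong or malformed value only surfaces later as an API error from the first resource create. Since this is the one place the value is resolved, validating before `return nil` with `if errs := validation.IsDNS1123Label(f.Spec.Auth.Namespace); len(errs) > 0 { return fmt.Errorf("invalid auth namespace %q: %v", f.Spec.Auth.Namespace, errs) }` gives a clear error at feature load time. `validation` is `k8s.io/apimachinery/pkg/util/validation`; it and `fmt` may need adding to the import block, which is outside the hunk, as is the function's signature line.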
+++ b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml @@ -1777,7 +1777,7 @@ spec: env: - name: DISABLE_DSC_CONFIG value: "true" - image: quay.io/edgarhz/odh-operator:latest + image: REPLACE_IMAGE:latest imagePullPolicy: Always livenessProbe: httpGet: