Awesome
Authorino Operator
A Kubernetes Operator to manage Authorino instances.
Installation
The Operator can be installed by applying the manifests to the Kubernetes cluster or using Operator Lifecycle Manager (OLM)
Applying the manifests to the cluster
- Install the Operator manifests
make install
- Deploy the Operator
make deploy
make deploy OPERATOR_IMAGE=authorino-operator:local
Installing via OLM
To install the Operator using the Operator Lifecycle Manager, you need to make the
Operator CSVs available in the cluster by creating a CatalogSource resource.
The bundle and catalog images of the Operator are available in Quay.io:
<table> <tbody> <tr> <th>Bundle</th> <td><a href="https://quay.io/kuadrant/authorino-operator-bundle">quay.io/kuadrant/authorino-operator-bundle</a></td> </tr> <tr> <th>Catalog</th> <td><a href="https://quay.io/kuadrant/authorino-operator-catalog">quay.io/kuadrant/authorino-operator-catalog</a></td> </tr> </tbody> </table>- Create the namespace for the Operator
kubectl create namespace authorino-operator
- Create the CatalogSource resource pointing to one of the images from in the Operator's catalog repo:
kubectl -n authorino-operator apply -f -<<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: operatorhubio-catalog
namespace: authorino-operator
spec:
sourceType: grpc
image: quay.io/kuadrant/authorino-operator-catalog:latest
displayName: Authorino Operator
EOF
Deploy authorino operator using operator-sdk
- Install operator-sdk bin
make operator-sdk - Run operator-sdk bundle command
./bin/operator-sdk run bundle quay.io/kuadrant/authorino-operator-bundle:latest
Note: For s390x & ppc64le , use operator-sdk to install authorino-operator
Requesting an Authorino instance
Once the Operator is up and running, you can request instances of Authorino by creating Authorino CRs. E.g.:
kubectl -n default apply -f -<<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
name: authorino
spec:
listener:
tls:
enabled: false
oidcServer:
tls:
enabled: false
EOF
The Authorino Custom Resource Definition (CRD)
API to install, manage and configure Authorino authorization services .
Each Authorino
Custom Resource (CR) represents an instance of Authorino deployed to the cluster. The Authorino Operator will reconcile
the state of the Kubernetes Deployment and associated resources, based on the state of the CR.
API Specification
| Field | Type | Description | Required/Default |
|---|---|---|---|
| spec | AuthorinoSpec | Specification of the Authorino deployment. | Required |
AuthorinoSpec
| Field | Type | Description | Required/Default |
|---|---|---|---|
| clusterWide | Boolean | Sets the Authorino instance's watching scope – cluster-wide or namespaced. | Default: true (cluster-wide) |
| authConfigLabelSelectors | String | Label selectors used by the Authorino instance to filter AuthConfig-related reconciliation events. | Default: empty (all AuthConfigs are watched) |
| secretLabelSelectors | String | Label selectors used by the Authorino instance to filter Secret-related reconciliation events (API key and mTLS authentication methods). | Default: authorino.kuadrant.io/managed-by=authorino |
| supersedingHostSubsets | Boolean | Enable/disable allowing AuthConfigs to supersede strict subsets of hosts already taken. | Default: false |
| replicas | Integer | Number of replicas desired for the Authorino instance. Values greater than 1 enable leader election in the Authorino service, where the leader updates the statuses of the AuthConfig CRs). | Default: 1 |
| evaluatorCacheSize | Integer | Cache size (in megabytes) of each Authorino evaluator (when enabled in an AuthConfig). | Default: 1 |
| image | String | Authorino image to be deployed (for dev/testing purpose only). | Default: quay.io/kuadrant/authorino:latest |
| imagePullPolicy | String | Sets the imagePullPolicy of the Authorino Deployment (for dev/testing purpose only). | Default: k8s default |
| logLevel | String | Defines the level of log you want to enable in Authorino (debug, info and error). | Default: info |
| logMode | String | Defines the log mode in Authorino (development or production). | Default: production |
| listener | Listener | Specification of the authorization service (gRPC interface). | Required |
| oidcServer | OIDCServer | Specification of the OIDC service. | Required |
| tracing | Tracing | Configuration of the OpenTelemetry tracing exporter. | Optional |
| metrics | Metrics | Configuration of the metrics server (port, level). | Optional |
| healthz | Healthz | Configuration of the health/readiness probe (port). | Optional |
| volumes | VolumesSpec | Additional volumes to be mounted in the Authorino pods. | Optional |
Listener
Configuration of the authorization server – gRPC and raw HTTP interfaces
| Field | Type | Description | Required/Default |
|---|---|---|---|
| port | Integer | Port number of authorization server (gRPC interface). | DEPRECATED<br/>Use ports instead |
| ports | Ports | Port numbers of the authorization server (gRPC and raw HTTPinterfaces). | Optional |
| tls | TLS | TLS configuration of the authorization server (GRPC and HTTP interfaces). | Required |
| timeout | Integer | Timeout of external authorization request (in milliseconds), controlled internally by the authorization server. | Default: 0 (disabled) |
OIDCServer
Configuration of the OIDC Discovery server for Festival Wristband tokens.
| Field | Type | Description | Required/Default |
|---|---|---|---|
| port | Integer | Port number of OIDC Discovery server for Festival Wristband tokens. | Default: 8083 |
| tls | TLS | TLS configuration of the OIDC Discovery server for Festival Wristband tokens | Required |
TLS
TLS configuration of server. Appears in listener and oidcServer.
| Field | Type | Description | Required/Default |
|---|---|---|---|
| enabled | Boolean | Whether TLS is enabled or disabled for the server. | Default: true |
| certSecretRef | LocalObjectReference | The reference to the secret that contains the TLS certificates tls.crt and tls.key. | Required when enabled: true |
Ports
Port numbers of the authorization server.
| Field | Type | Description | Required/Default |
|---|---|---|---|
| grpc | Integer | Port number of the gRPC interface of the authorization server. Set to 0 to disable this interface. | Default: 50001 |
| http | Integer | Port number of the raw HTTP interface of the authorization server. Set to 0 to disable this interface. | Default: 5001 |
Tracing
Configuration of the OpenTelemetry tracing exporter.
| Field | Type | Description | Required/Default |
|---|---|---|---|
| endpoint | String | Full endpoint of the OpenTelemetry tracing collector service (e.g. http://jaeger:14268/api/traces). | Required |
| tags | Map | Key-value map of fixed tags to add to all OpenTelemetry traces emitted by Authorino. | Optional |
| insecure | Boolean | Enable/disable insecure connection to the tracing endpoint | Default: false |
Metrics
Configuration of the metrics server.
| Field | Type | Description | Required/Default |
|---|---|---|---|
| port | Integer | Port number of the metrics server. | Default: 8080 |
| deep | Boolean | Enable/disable metrics at the level of each evaluator config (if requested in the AuthConfig) exported by the metrics server. | Default: false |
Healthz
Configuration of the health/readiness probe (port).
| Field | Type | Description | Required/Default |
|---|---|---|---|
| port | Integer | Port number of the health/readiness probe. | Default: 8081 |
VolumesSpec
Additional volumes to project in the Authorino pods. Useful for validation of TLS self-signed certificates of external services known to have to be contacted by Authorino at runtime.
| Field | Type | Description | Required/Default |
|---|---|---|---|
| items | []VolumeSpec | List of additional volume items to project. | Optional |
| defaultMode | Integer | Mode bits used to set permissions on the files. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. | Optional |
VolumeSpec
| Field | Type | Description | Required/Default |
|---|---|---|---|
| name | String | Name of the volume and volume mount within the Deployment. It must be unique in the CR. | Optional |
| mountPath | String | Absolute path where to mount all the items. | Required |
| configMaps | []String | List of of Kubernetes ConfigMap names to mount. | Required exactly one of: confiMaps, secrets. |
| secrets | []String | List of of Kubernetes Secret names to mount. | Required exactly one of: confiMaps, secrets. |
| items | []KeyToPath | Mount details for selecting specific ConfigMap or Secret entries. | Optional |
Full example
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
name: authorino
spec:
clusterWide: true
authConfigLabelSelectors: environment=production
secretLabelSelectors: authorino.kuadrant.io/component=authorino,environment=production
replicas: 2
evaluatorCacheSize: 2 # mb
image: quay.io/kuadrant/authorino:latest
imagePullPolicy: Always
logLevel: debug
logMode: production
listener:
ports:
grpc: 50001
http: 5001
tls:
enabled: true
certSecretRef:
name: authorino-server-cert # secret must contain `tls.crt` and `tls.key` entries
oidcServer:
port: 8083
tls:
enabled: true
certSecretRef:
name: authorino-oidc-server-cert # secret must contain `tls.crt` and `tls.key` entries
metrics:
port: 8080
deep: true
volumes:
items:
- name: keycloak-tls-cert
mountPath: /etc/ssl/certs
configMaps:
- keycloak-tls-cert
items: # details to mount the k8s configmap in the authorino pods
- key: keycloak.crt
path: keycloak.crt
defaultMode: 420
Removal
Removing the operator installed via manifests
- Undeploy the Operator
make undeploy
- Remove the Operator manifests
make uninstall
Remove dependencies (Optional)
- Remove operator namespace
make delete-namespace
- Uninstall cert manager
make uninstall-cert-manager
License
