cleanup: updates after these messages #111

Merged
merged 28 commits into from
Oct 31, 2024
2 changes: 2 additions & 0 deletions .wordlist-sh
Expand Up @@ -120,6 +120,7 @@ HighNodeUtilization
HOSTNAME
hou
httpd
ic
iid
ingresscontrollers
initalize
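Review bot: the new allowlist entry `ic` is a two-letter token that will suppress spell-checking of that string wherever it appears as a word; if it abbreviates a specific term, consider allowlisting the full term instead, or note in the commit what it stands for so the next reader of `.wordlist-sh` can tell why it is there.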
Expand Down Expand Up @@ -252,6 +253,7 @@ SCRIPTPATH
searchcustomizations
searchoperators
ServerAliveInterval
serverlessservices
servicemeshcontrolplanes
servingCertificate
servingCerts
2 changes: 1 addition & 1 deletion clusters/README.md
@@ -1,4 +1,4 @@
## Examples
# Examples

- Demos
- Workshops
13 changes: 8 additions & 5 deletions clusters/default/kustomization.yaml
Expand Up @@ -2,13 +2,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../components/operators/web-terminal/operator/overlays/fast
- ../../components/operators/web-terminal/instance/overlays/enhanced
- ../../components/app-configs/ubi-images/overlays/cluster
- ../../components/cluster-configs/autoscale/overlays/default
# - ../../components/cluster-configs/etcd-backup/overlays/default
# - ../../components/cluster-configs/namespace-cleanup/overlays/sandbox
- ../../components/cluster-configs/console-config/overlays/default
- ../../components/cluster-configs/console-samples

# - ../../components/cluster-configs/etcd-backup/overlays/default
# - ../../components/cluster-configs/namespace-cleanup/overlays/sandbox

- ../../components/cluster-configs/namespaces/overlays/default
- ../../components/cluster-configs/rbac/overlays/no-self-provisioner
- ../../components/app-configs/ubi-images/overlays/cluster

- ../../components/operators/web-terminal/operator/overlays/fast
- ../../components/operators/web-terminal/instance/overlays/enhanced
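Review bot: the two overlays that stay commented out, `etcd-backup` and `namespace-cleanup`, are regrouped under a blank line but still carry no comment on why they are disabled; add a one-line reason above them or drop them, since a reader of the default cluster kustomization otherwise cannot tell whether etcd backups are intentionally off or simply unfinished.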
2 changes: 1 addition & 1 deletion components/cluster-configs/autoscale/base/job.sh
Expand Up @@ -3,4 +3,4 @@

. /scripts/ocp.sh

ocp_create_machineset_autoscale "${MACHINE_MIN}" "${MACHINE_MAX}"
ocp_machineset_create_autoscale "${MACHINE_MIN}" "${MACHINE_MAX}"
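Review bot: the rename from `ocp_create_machineset_autoscale` to `ocp_machineset_create_autoscale` only works if that name exists in the `ocp.sh` revision the job's ConfigMap actually loads (the same PR pins that script to `v0.08` in the configMapGenerator); confirm the pinned revision defines the new name, otherwise the job fails at runtime rather than at review.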
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,4 @@ configMapGenerator:
- job.sh
# - ../../../../../../scripts/library/ocp.sh
# kludge: refer to source
- https://raw.githubusercontent.com/redhat-na-ssa/demo-ai-gitops-catalog/main/scripts/library/ocp.sh
- https://raw.githubusercontent.com/redhat-na-ssa/demo-ai-gitops-catalog/v0.08/scripts/library/ocp.sh
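Review bot: pinning the fetched `scripts/library/ocp.sh` to `v0.08` instead of `main` is an improvement, but a Git tag can be moved or deleted, so a script that is later executed inside the cluster should be pinned to a commit SHA (or vendored) to get an immutable reference; the `# kludge: refer to source` comment should also say why the relative path `../../../../../../scripts/library/ocp.sh` cannot be used here.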
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,4 @@ patches:
patch: |-
- op: replace
path: /spec/text
value: 'This cluster was deployed via the AI GitOps catalog'
value: 'This cluster was configured via the AI GitOps catalog'
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ kind: ConsoleLink
metadata:
name: sandbox-dashboard
spec:
href: '/k8s'
href: 'https://link-goes-here.com'
location: NamespaceDashboard
# This text will appear in a box called "Launcher" under "namespace" or "project" in the web console
text: Custom Link Text
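Review bot: `href` changes from the in-console path `/k8s` to the placeholder `https://link-goes-here.com`, which is an externally resolvable domain not owned by this project; if the base is applied without an overlay patch, the console dashboard shows a link to an unknown third-party site. Use a reserved placeholder such as `https://example.com`, or keep the internal path and document that overlays must patch `spec/href`.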
10 files renamed without changes.
236 changes: 235 additions & 1 deletion components/operators/authorino-operator/INFO.md
@@ -1,3 +1,237 @@
# authorino-operator

The operator to manage instances of Authorino
[Authorino](https://docs.kuadrant.io/authorino/) is Red Hat's Kubernetes-native lightweight external authorization service for tailor-made Zero Trust API security.

Install this Red Hat official distribution of [Authorino Operator](https://docs.kuadrant.io/authorino-operator/) to manage instances of Authorino in this cluster.

The current state of this distribution of the operator is: **_Technical Preview_**.

The Community version of Authorino Operator, based on upstream public images, is available in [OperatorHub.io](https://operatorhub.io/operator/authorino-operator).

## Getting started

After installing the Operator, request an instance of the external authorization service by creating an `Authorino` custom resource.

**Minimal example (namespaced)**

```yaml
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
name: authorino
spec:
listener:
tls:
enabled: false
oidcServer:
tls:
enabled: false
```

**Extended example**

```yaml
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
name: authorino
spec:
clusterWide: true
authConfigLabelSelectors: environment=production
secretLabelSelectors: authorino.kuadrant.io/component=authorino,environment=production

replicas: 2

evaluatorCacheSize: 2 # mb

logLevel: info
logMode: production

listener:
ports:
grpc: 50001
http: 5001
tls:
certSecretRef:
name: authorino-server-cert # secret must contain `tls.crt` and `tls.key` entries
timeout: 2

oidcServer:
port: 8083
tls:
certSecretRef:
name: authorino-oidc-server-cert # secret must contain `tls.crt` and `tls.key` entries

metrics:
port: 8080
deep: true

healthz:
port: 8081

tracing:
endpoint: rpc://otel-collector.observability.svc.cluster.local:4317
insecure: true

volumes:
items:
- name: keycloak-tls-cert
mountPath: /etc/ssl/certs
configMaps:
- keycloak-tls-cert
items: # details to mount the k8s configmap in the authorino pods
- key: keycloak.crt
path: keycloak.crt
defaultMode: 420
```

### Cluster-wide vs Namespaced

Namespaced instances only watch auth resources (`AuthConfig` and `Secrets`) created in the same namespace as the Authorino service. Use this mode for dedicated instances that do not require elevated privileges.

Cluster-wide instances watch resources across the entire cluster (all namespaces.) Deploying and running Authorino in this mode requires elevated privileges.

### Multi-tenancy

Use the `authConfigLabelSelectors` field of the `Authorino` custom resource to narrow the scope of the Authorino instance.

Only `AuthConfig` custom resources whose labels match the value of this field will be handled by the Authorino instance.

## Protect a host

To protect a host, create an `AuthConfig` custom resource for the host. E.g.:

```yaml
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
name: my-api-protection
spec:
hosts:
- my-api.io

authentication:
"keycloak":
jwt:
issuerUrl: https://keycloak.keycloak.svc.cluster.local:8080/realms/my-realm

authorization:
"k8s-rbac":
kubernetesSubjectAccessReview:
user:
selector: auth.identity.user.username
resourceAttributes:
resource:
value: my-api
verb:
selector: request.method
cache:
key:
selector: auth.identity.user.username
ttl: 30
"after-2am-only":
rego: |
allow {
[hour, _, _] := time.clock(time.now_ns())
hour >= 2
}
```

Make sure all requests to the host are fisrt checked with the Authorino instance, by configuring an Envoy proxy for external authz:

```yaml
clusters:
- name: my-api
- name: authorino
connect_timeout: 0.25s
type: STRICT_DNS
lb_policy: ROUND_ROBIN
http2_protocol_options: {}
load_assignment:
cluster_name: authorino
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: authorino-authorino-authorization
port_value: 50051
listeners:
- filter_chains:
- filters:
name: envoy.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
use_remote_address: true
route_config:
name: my-api-config
virtual_hosts:
- name: my-api-vs
domains:
- my-api.io
routes:
- match:
prefix: /
route:
cluster: my-api
http_filters:
- name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
transport_api_version: V3
failure_mode_allow: false
include_peer_certificate: true
grpc_service:
envoy_grpc:
cluster_name: authorino
timeout: 1s
```

...or, if using Istio, by creating an [`AuthorizationPolicy`](https://istio.io/latest/docs/reference/config/security/authorization-policy/#AuthorizationPolicy) custom resource. Use `action: CUSTOM` in the resource and the Authorino authorization service configured in the mesh extension provider settings.

## Features

**Authentication**

* JWT validation (with OpenID Connect Discovery)
* OAuth 2.0 Token Introspection (opaque tokens)
* Kubernetes TokenReview (ServiceAccount tokens)
* API key authentication
* X.509 client certificate authentication
* Anonymous access
* Proxy-handled (authentication performed by the proxy)

**Authorization**

* Built-in simple pattern matching (e.g. JWT claims, request attributes checking)
* OPA policies (inline Rego and fetch from external registry)
* Kubernetes SubjectAccessReview (resource and non-resource attributes)
* Authzed SpiceDB

**External metadata**

* HTTP request
* OpenID Connect User Info
* UMA-protected resource attributes

**Custom responses**

* Header injection (Festival Wristbands tokens, JSON, plain text)
* Envoy Dynamic Metadata
* Custom HTTP response (status code, headers, messages, body, etc)

**Callbacks**

* HTTP webhooks

**Caching**

* OpenID Connect and User-Managed Access configs
* JSON Web Keys (JWKs) and JSON Web Key Sets (JWKS)
* Access tokens
* External metadata
* Precompiled Rego policies
* Policy evaluation

Check out the full [Feature Specification](https://docs.kuadrant.io/authorino/docs/features/) and how-to guides in the [Kuadrant Docs](https://docs.kuadrant.io) website.
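Review bot: typo in the Envoy paragraph, `fisrt checked` should read `first checked`. Separately, the minimal `Authorino` example turns off TLS for both `listener` and `oidcServer` (`enabled: false`) and the extended example sets `tracing.insecure: true`; since this INFO.md ships in the catalog, mark those as local-testing settings so a reader does not copy a plaintext ext_authz listener into a cluster. The Envoy snippet is sound on the other point that matters here: `failure_mode_allow: false` keeps the proxy fail-closed when Authorino is unreachable.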
14 changes: 7 additions & 7 deletions components/operators/authorino-operator/README.md
@@ -1,30 +1,30 @@
# Red Hat - Authorino
# Authorino Operator

Install Red Hat - Authorino.
Install Authorino Operator.

Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use.

The current *overlays* available are for the following channels:

* [managed-services](operator/overlays/managed-services)
* [tech-preview-v1](operator/overlays/tech-preview-v1)

## Usage

If you have cloned the `gitops-catalog` repository, you can install Red Hat - Authorino based on the overlay of your choice by running from the root (`gitops-catalog`) directory.
If you have cloned the `gitops-catalog` repository, you can install Authorino Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory.

```
```sh
oc apply -k authorino-operator/operator/overlays/<channel>
```

Or, without cloning:

```
```sh
oc apply -k https://github.com/redhat-cop/gitops-catalog/authorino-operator/operator/overlays/<channel>
```

As part of a different overlay in your own GitOps repo:

```
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
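Review bot: the no-clone example references `https://github.com/redhat-cop/gitops-catalog/...`, while the catalog this PR pins elsewhere is `redhat-na-ssa/demo-ai-gitops-catalog` (see the `ocp.sh` URL in the autoscale configMapGenerator); verify the repository path is the intended one, and consider appending `?ref=<tag>` so the remote kustomization is not applied from a moving default branch.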
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
- op: replace
path: /spec/channel
value: managed-services
value: tech-preview-v1
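Review bot: switching the default channel patch from `managed-services` to `tech-preview-v1` moves the operator onto a channel that the new INFO.md describes as Technical Preview; state that in the README next to the overlay list so users choosing `<channel>` know which one is the default and that it is not GA.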
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
INSTANCE_TYPE=${INSTANCE_TYPE:-g4dn.4xlarge}

ocp_aws_cluster || exit 0
ocp_aws_create_gpu_machineset "${INSTANCE_TYPE}"
ocp_create_machineset_autoscale
# ocp_aws_taint_gpu_machineset
ocp_aws_machineset_create_gpu "${INSTANCE_TYPE}"
ocp_machineset_create_autoscale
ocp_aws_machineset_fix_storage
# ocp_machineset_taint_gpu
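Review bot: `ocp_machineset_create_autoscale` is called here with no arguments, whereas the autoscale job in this PR calls it with `"${MACHINE_MIN}" "${MACHINE_MAX}"`; confirm the function has usable defaults for the GPU machineset, and add a comment for the newly added `ocp_aws_machineset_fix_storage` call saying what it changes, since the surrounding calls are otherwise self-describing.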