Merge branch 'main' into handle-export-chg

cam-garrison · Aug 27, 2024 · 0883774 · 0883774
2 parents 006ede1 + 9faba49
commit 0883774
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 18 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -5,6 +5,12 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - '*'
 - apiGroups:
   - authorino.kuadrant.io
   resources:

diff --git a/controllers/authzctrl/controller_test.go b/controllers/authzctrl/controller_test.go
@@ -138,6 +138,8 @@ var _ = Describe("Checking Authorization Resource Creation", test.EnvTest(), fun
 			}
 
 			Expect(createdAuthPolicy.Spec.GetAction()).To(Equal(v1beta1.AuthorizationPolicy_CUSTOM))
+			// WorkloadSelector expresssion defined in suite_test
+			Expect(createdAuthPolicy.Spec.GetSelector().GetMatchLabels()).To(HaveKeyWithValue("component", resourceName))
 
 			return nil
 		}, test.DefaultTimeout, test.DefaultPolling).Should(Succeed())

diff --git a/controllers/authzctrl/reconcile_authpolicy.go b/controllers/authzctrl/reconcile_authpolicy.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"reflect"
 
+	"github.com/opendatahub-io/odh-platform/pkg/config"
 	"github.com/opendatahub-io/odh-platform/pkg/metadata"
 	"github.com/opendatahub-io/odh-platform/pkg/metadata/labels"
 	"istio.io/api/security/v1beta1"
@@ -19,35 +20,36 @@ import (
 )
 
 func (r *Controller) reconcileAuthPolicy(ctx context.Context, target *unstructured.Unstructured) error {
-	desired := createAuthzPolicy(r.authComponent.Ports, r.authComponent.WorkloadSelector, r.config.ProviderName, target)
+	resolvedSelectors, errResolve := config.ResolveSelectors(r.authComponent.WorkloadSelector, target)
+	if errResolve != nil {
+		return fmt.Errorf("could not resolve WorkloadSelectors err: %w", errResolve)
+	}
+
+	desired := createAuthzPolicy(r.authComponent.Ports, resolvedSelectors, r.config.ProviderName, target)
 	found := &istiosecurityv1beta1.AuthorizationPolicy{}
 	justCreated := false
 
-	err := r.Get(ctx, types.NamespacedName{
+	typeName := types.NamespacedName{
 		Name:      desired.Name,
-		Namespace: desired.Namespace,
-	}, found)
-	if err != nil {
-		if k8serr.IsNotFound(err) {
+		Namespace: desired.Namespace}
+	if errGet := r.Get(ctx, typeName, found); errGet != nil {
+		if k8serr.IsNotFound(errGet) {
 			errCreate := r.Create(ctx, desired)
 			if client.IgnoreAlreadyExists(errCreate) != nil {
 				return fmt.Errorf("unable to create AuthorizationPolicy: %w", errCreate)
 			}
 
 			justCreated = true
 		} else {
-			return fmt.Errorf("unable to fetch AuthorizationPolicy: %w", err)
+			return fmt.Errorf("unable to fetch AuthorizationPolicy: %w", errGet)
 		}
 	}
 
 	// Reconcile the Istio AuthorizationPolicy if it has been manually modified
 	if !justCreated && !CompareAuthPolicies(desired, found) {
-		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-			if err := r.Get(ctx, types.NamespacedName{
-				Name:      desired.Name,
-				Namespace: desired.Namespace,
-			}, found); err != nil {
-				return fmt.Errorf("failed getting AuthorizationPolicy %s in namespace %s: %w", desired.Name, desired.Namespace, err)
+		if errConflict := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			if errGet := r.Get(ctx, typeName, found); errGet != nil {
+				return fmt.Errorf("failed getting AuthorizationPolicy %s in namespace %s: %w", desired.Name, desired.Namespace, errGet)
 			}
 
 			found.Spec = *desired.Spec.DeepCopy()
@@ -58,8 +60,8 @@ func (r *Controller) reconcileAuthPolicy(ctx context.Context, target *unstructur
 			}
 
 			return nil
-		}); err != nil {
-			return fmt.Errorf("unable to reconcile the AuthorizationPolicy: %w", err)
+		}); errConflict != nil {
+			return fmt.Errorf("unable to reconcile the AuthorizationPolicy: %w", errConflict)
 		}
 	}
 

diff --git a/controllers/authzctrl/suite_test.go b/controllers/authzctrl/suite_test.go
@@ -43,9 +43,11 @@ var _ = SynchronizedBeforeSuite(func(ctx context.Context) {
 						},
 						Resources: "components",
 					},
-					WorkloadSelector: map[string]string{},
-					Ports:            []string{},
-					HostPaths:        []string{"spec.host"},
+					WorkloadSelector: map[string]string{
+						"component": "{{.metadata.name}}",
+					},
+					Ports:     []string{},
+					HostPaths: []string{"spec.host"},
 				},
 			},
 			authzctrl.PlatformAuthorizationConfig{

diff --git a/controllers/routingctrl/controller.go b/controllers/routingctrl/controller.go
@@ -53,6 +53,7 @@ type Controller struct {
 // +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices,verbs=*
 // +kubebuilder:rbac:groups="networking.istio.io",resources=gateways,verbs=*
 // +kubebuilder:rbac:groups="networking.istio.io",resources=destinationrules,verbs=*
+// +kubebuilder:rbac:groups="",resources=services,verbs=*
 
 // Reconcile ensures that the component has all required resources needed to use routing capability of the platform.
 func (r *Controller) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

diff --git a/pkg/platform/types.go b/pkg/platform/types.go
@@ -31,6 +31,10 @@ type ProtectedResource struct {
 	ObjectReference `json:"ref,omitempty"`
 	// WorkloadSelector defines labels used to identify and select the specific workload
 	// to which the authorization policy should be applied.
+	// All provided label selectors must be present on the Service to find a match.
+	//
+	// go expressions are handled in the selector key and value to set dynamic values from the current ObjectReference;
+	// e.g. "routing.opendatahub.io/{{.kind}}": "{{.metadata.name}}", // > "routing.opendatahub.io/Service": "MyService"
 	WorkloadSelector map[string]string `json:"workloadSelector,omitempty"`
 	// HostPaths defines paths in custom resource where hosts for this component are defined.
 	HostPaths []string `json:"hostPaths,omitempty"` // TODO(mvp): should we switch to annotations like in routing?