From 551e0b4828d4fcd374042f67a5bb3045dc458dc4 Mon Sep 17 00:00:00 2001 
From: shaynafinocchiaro Date: Thu, 11 Jul 2024 17:12:29 -0400 Subject: [PATCH] [charts/csm-authorization-v2.0] Move Authorization V2 to a new chart (#464) * move authorization v2 to separate helm chart * update v2 version in chart.yaml * add new line * remove storage secret --- charts/csm-authorization-v2.0/.gitignore | 2 + charts/csm-authorization-v2.0/.helmignore | 24 ++ charts/csm-authorization-v2.0/Chart.yaml | 18 ++ charts/csm-authorization-v2.0/README.md | 19 ++ .../charts/redis/.helmignore | 23 ++ .../charts/redis/Chart.yaml | 6 + .../charts/redis/templates/_helpers.tpl | 0 .../charts/redis/templates/redis-cm.yaml | 0 .../charts/redis/templates/redis-secret.yaml | 0 .../charts/redis/templates/redis.yaml | 188 +++++++++++++++ .../charts/redis/templates/sentinel.yaml | 0 .../charts/redis/values.yaml | 8 + ...thorization.storage.dell.com_csmroles.yaml | 0 ...orization.storage.dell.com_csmtenants.yaml | 0 ...thorization.storage.dell.com_storages.yaml | 0 .../policies/common.rego | 4 + .../policies/sdc-approve.rego | 40 ++++ .../policies/snapshot-create-test.rego | 0 .../policies/snapshot-create.rego | 0 .../policies/volumes-create-test.rego | 117 ++++++++++ .../policies/volumes-create.rego | 93 ++++++++ .../policies/volumes-delete.rego | 48 ++++ .../policies/volumes-map.rego | 42 ++++ .../policies/volumes-powermax-create.rego | 93 ++++++++ .../policies/volumes-unmap.rego | 42 ++++ .../templates/NOTES.txt | 14 ++ .../templates/_helpers.tpl | 9 + .../templates/authorization-controller.yaml | 0 .../templates/certificate.yaml | 64 ++++++ .../templates/csm-config-params.yaml | 14 ++ .../templates/ingress.yaml | 65 ++++++ .../templates/policies.yaml | 63 +++++ .../templates/proxy-server.yaml | 162 +++++++++++++ .../templates/role-service.yaml | 79 +++++++ .../templates/storage-service.yaml | 199 ++++++++++++++++ .../templates/tenant-service.yaml | 68 ++++++ charts/csm-authorization-v2.0/values.yaml | 76 +++++++ charts/csm-authorization/Chart.yaml | 16 +- 
.../csm-authorization/charts/redis/Chart.yaml | 4 +- .../charts/redis/templates/redis.yaml | 215 ++++++++---------- .../charts/redis/values.yaml | 9 - .../policies/sdc-approve.rego | 2 +- .../policies/volumes-create-test.rego | 4 +- .../policies/volumes-delete.rego | 2 +- .../templates/csm-config-params.yaml | 1 - .../csm-authorization/templates/ingress.yaml | 19 +- .../csm-authorization/templates/policies.yaml | 8 - .../templates/proxy-server.yaml | 56 +---- .../templates/storage-service.yaml | 133 +---------- .../templates/tenant-service.yaml | 23 +- charts/csm-authorization/values.yaml | 44 ++-- 51 files changed, 1723 insertions(+), 393 deletions(-) create mode 100644 charts/csm-authorization-v2.0/.gitignore create mode 100644 charts/csm-authorization-v2.0/.helmignore create mode 100644 charts/csm-authorization-v2.0/Chart.yaml create mode 100644 charts/csm-authorization-v2.0/README.md create mode 100644 charts/csm-authorization-v2.0/charts/redis/.helmignore create mode 100644 charts/csm-authorization-v2.0/charts/redis/Chart.yaml rename charts/{csm-authorization => csm-authorization-v2.0}/charts/redis/templates/_helpers.tpl (100%) rename charts/{csm-authorization => csm-authorization-v2.0}/charts/redis/templates/redis-cm.yaml (100%) rename charts/{csm-authorization => csm-authorization-v2.0}/charts/redis/templates/redis-secret.yaml (100%) create mode 100644 charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml rename charts/{csm-authorization => csm-authorization-v2.0}/charts/redis/templates/sentinel.yaml (100%) create mode 100644 charts/csm-authorization-v2.0/charts/redis/values.yaml rename charts/{csm-authorization => csm-authorization-v2.0}/crds/csm-authorization.storage.dell.com_csmroles.yaml (100%) rename charts/{csm-authorization => csm-authorization-v2.0}/crds/csm-authorization.storage.dell.com_csmtenants.yaml (100%) rename charts/{csm-authorization => csm-authorization-v2.0}/crds/csm-authorization.storage.dell.com_storages.yaml (100%) create 
mode 100644 charts/csm-authorization-v2.0/policies/common.rego create mode 100644 charts/csm-authorization-v2.0/policies/sdc-approve.rego rename charts/{csm-authorization => csm-authorization-v2.0}/policies/snapshot-create-test.rego (100%) rename charts/{csm-authorization => csm-authorization-v2.0}/policies/snapshot-create.rego (100%) create mode 100644 charts/csm-authorization-v2.0/policies/volumes-create-test.rego create mode 100644 charts/csm-authorization-v2.0/policies/volumes-create.rego create mode 100644 charts/csm-authorization-v2.0/policies/volumes-delete.rego create mode 100644 charts/csm-authorization-v2.0/policies/volumes-map.rego create mode 100644 charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego create mode 100644 charts/csm-authorization-v2.0/policies/volumes-unmap.rego create mode 100644 charts/csm-authorization-v2.0/templates/NOTES.txt create mode 100644 charts/csm-authorization-v2.0/templates/_helpers.tpl rename charts/{csm-authorization => csm-authorization-v2.0}/templates/authorization-controller.yaml (100%) create mode 100644 charts/csm-authorization-v2.0/templates/certificate.yaml create mode 100644 charts/csm-authorization-v2.0/templates/csm-config-params.yaml create mode 100644 charts/csm-authorization-v2.0/templates/ingress.yaml create mode 100644 charts/csm-authorization-v2.0/templates/policies.yaml create mode 100644 charts/csm-authorization-v2.0/templates/proxy-server.yaml create mode 100644 charts/csm-authorization-v2.0/templates/role-service.yaml create mode 100644 charts/csm-authorization-v2.0/templates/storage-service.yaml create mode 100644 charts/csm-authorization-v2.0/templates/tenant-service.yaml create mode 100644 charts/csm-authorization-v2.0/values.yaml diff --git a/charts/csm-authorization-v2.0/.gitignore b/charts/csm-authorization-v2.0/.gitignore new file mode 100644 index 00000000..a4d58c62 --- /dev/null +++ b/charts/csm-authorization-v2.0/.gitignore @@ -0,0 +1,2 @@ +Chart.lock +charts/*tgz 
diff --git a/charts/csm-authorization-v2.0/.helmignore b/charts/csm-authorization-v2.0/.helmignore
new file mode 100644
index 00000000..9d56613f
--- /dev/null
+++ b/charts/csm-authorization-v2.0/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+installer/
diff --git a/charts/csm-authorization-v2.0/Chart.yaml b/charts/csm-authorization-v2.0/Chart.yaml
new file mode 100644
index 00000000..6a63fe79
--- /dev/null
+++ b/charts/csm-authorization-v2.0/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: csm-authorization
+version: v2.0.0-alpha
+appVersion: v2.0.0-alpha
+type: application
+description: |
+ CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes
+ storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability
+ to apply RBAC for Dell CSI Drivers.
+dependencies:
+ - name: cert-manager
+ version: 1.10.0
+ repository: https://charts.jetstack.io
+ condition: cert-manager.enabled
+ - name: ingress-nginx
+ version: 4.0.19
+ repository: https://kubernetes.github.io/ingress-nginx
+ condition: nginx.enabled
diff --git a/charts/csm-authorization-v2.0/README.md b/charts/csm-authorization-v2.0/README.md
new file mode 100644
index 00000000..ced64c89
--- /dev/null
+++ b/charts/csm-authorization-v2.0/README.md
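Review bot: The `dependencies` block pins `cert-manager` to 1.10.0 and `ingress-nginx` to 4.0.19, both several release lines behind current for a chart authored in July 2024, and the ingress controller is the TLS edge in front of the proxy server. Before this chart is published the two pins should be checked against current advisories and bumped, or a comment added next to each `version:` line recording why that particular version is required.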
@@ -0,0 +1,19 @@ + + +# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart + +CSM for Authorization V2 can be deployed using Helm. + +For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm). + +## Helm Chart Versioning + +For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). diff --git a/charts/csm-authorization-v2.0/charts/redis/.helmignore b/charts/csm-authorization-v2.0/charts/redis/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/csm-authorization-v2.0/charts/redis/Chart.yaml b/charts/csm-authorization-v2.0/charts/redis/Chart.yaml new file mode 100644 index 00000000..c9994417 --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: redis-csm +description: Helm Chart for Redis with Sentinels +type: application +version: 0.1.0 +appVersion: 0.1.0 diff --git a/charts/csm-authorization/charts/redis/templates/_helpers.tpl b/charts/csm-authorization-v2.0/charts/redis/templates/_helpers.tpl similarity index 100% rename from charts/csm-authorization/charts/redis/templates/_helpers.tpl rename to charts/csm-authorization-v2.0/charts/redis/templates/_helpers.tpl 
diff --git a/charts/csm-authorization/charts/redis/templates/redis-cm.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/redis-cm.yaml
similarity index 100%
rename from charts/csm-authorization/charts/redis/templates/redis-cm.yaml
rename to charts/csm-authorization-v2.0/charts/redis/templates/redis-cm.yaml
diff --git a/charts/csm-authorization/charts/redis/templates/redis-secret.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/redis-secret.yaml
similarity index 100%
rename from charts/csm-authorization/charts/redis/templates/redis-secret.yaml
rename to charts/csm-authorization-v2.0/charts/redis/templates/redis-secret.yaml
diff --git a/charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml
new file mode 100644
index 00000000..e3685570
--- /dev/null
+++ b/charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml
@@ -0,0 +1,188 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.redis.name }} + namespace: {{ include "custom.namespace" . }} +spec: + type: + clusterIP: None + selector: + app: {{ .Values.redis.name }} + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 + name: {{ .Values.redis.name }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Values.redis.name }} + namespace: {{ include "custom.namespace" . }} +spec: + serviceName: {{ .Values.redis.name }} + replicas: {{ .Values.redis.replicas }} + selector: + matchLabels: + app: {{ .Values.redis.name }} + template: + metadata: + labels: + app: {{ .Values.redis.name }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} + spec: + initContainers: + - name: config + image: {{ .Values.redis.images.redis }} + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + + command: [ "sh", "-c" ] + args: + - | + cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf + echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf + echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf + + echo "Finding master..." + MASTER_FDQN=`hostname -f | sed -e 's/{{ .Values.redis.name }}-[0-9]\./{{ .Values.redis.name }}-0./'` + echo "Master at " $MASTER_FQDN + if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then + echo "No sentinel found..." + if [ "$(hostname)" = "{{ .Values.redis.name }}-0" ]; then + echo "This is Redis master, not updating redis.conf..." + else + echo "This is Redis replica, updating redis.conf..." + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + else + echo "Sentinel found, finding master..." 
+ MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" + echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf + fi + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + containers: + - name: {{ .Values.redis.name }} + image: {{ .Values.redis.images.redis }} + command: ["redis-server"] + args: ["/etc/redis/redis.conf"] + ports: + - containerPort: 6379 + name: {{ .Values.redis.name }} + volumeMounts: + - name: redis-primary-volume + mountPath: /data + - name: configmap + mountPath: /csm-auth-redis-cm/ + - name: config + mountPath: /etc/redis/ + volumes: + - name: redis-primary-volume + emptyDir: {} + - name: config + emptyDir: {} + - name: configmap + configMap: + name: redis-csm-cm +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.redis.rediscommander }} + namespace: {{ include "custom.namespace" . }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Values.redis.rediscommander }} + template: + metadata: + labels: + app: {{ .Values.redis.rediscommander }} + tier: backend + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} + spec: + containers: + - name: {{ .Values.redis.rediscommander }} + image: {{ .Values.redis.images.commander }} + imagePullPolicy: IfNotPresent + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . 
-}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: SENTINELS + value: {{ $str | quote }} + - name: K8S_SIGTERM + value: "1" + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: HTTP_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + - name: HTTP_USER + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: commander_user + ports: + - name: {{ .Values.redis.rediscommander }} + containerPort: 8081 + livenessProbe: + httpGet: + path: /favicon.png + port: 8081 + initialDelaySeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: "500m" + memory: "512M" + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.redis.rediscommander }} + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: {{ .Values.redis.rediscommander }} + ports: + - protocol: TCP + port: 8081 + targetPort: 8081 diff --git a/charts/csm-authorization/charts/redis/templates/sentinel.yaml b/charts/csm-authorization-v2.0/charts/redis/templates/sentinel.yaml similarity index 100% rename from charts/csm-authorization/charts/redis/templates/sentinel.yaml rename to charts/csm-authorization-v2.0/charts/redis/templates/sentinel.yaml diff --git a/charts/csm-authorization-v2.0/charts/redis/values.yaml b/charts/csm-authorization-v2.0/charts/redis/values.yaml new file mode 100644 index 00000000..7abd23da --- /dev/null +++ b/charts/csm-authorization-v2.0/charts/redis/values.yaml 
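Review bot: In the init container script the `MASTER` variable obtained from `sentinel get-master-addr-by-name` is never used — the `replicaof` line in the sentinel branch still writes `$MASTER_FDQN`, so a restarted replica appears to follow pod 0 even after Sentinel has promoted a different master; the intended line is presumably `echo "replicaof $MASTER 6379" >> /etc/redis/redis.conf` (and the log line reads `$MASTER_FQDN`, a typo for `MASTER_FDQN`, so it prints an empty host). The redis StatefulSet containers also carry none of the `securityContext` (runAsNonRoot, drop ALL, no privilege escalation) or resource limits that the commander Deployment sets, and the Service's bare `type:` renders as null rather than an explicit `ClusterIP`. Separately, `HTTP_PASSWORD` for the commander web UI is read from the same `password` key as `REDIS_PASSWORD`, so the UI's basic-auth credential is the datastore credential itself; a dedicated key in `redis-csm-secret` would keep a UI credential exposure from being a Redis credential exposure.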
@@ -0,0 +1,8 @@
+redis:
+ name: redis-csm
+ sentinel: sentinel
+ rediscommander: rediscommander
+ replicas: 5
+ images:
+ redis: amaas-eos-mw1.cec.lab.emc.com:5046/redis:7.2.4-alpine
+ commander: rediscommander/redis-commander:latest
diff --git a/charts/csm-authorization/crds/csm-authorization.storage.dell.com_csmroles.yaml b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml
similarity index 100%
rename from charts/csm-authorization/crds/csm-authorization.storage.dell.com_csmroles.yaml
rename to charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml
diff --git a/charts/csm-authorization/crds/csm-authorization.storage.dell.com_csmtenants.yaml b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml
similarity index 100%
rename from charts/csm-authorization/crds/csm-authorization.storage.dell.com_csmtenants.yaml
rename to charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml
diff --git a/charts/csm-authorization/crds/csm-authorization.storage.dell.com_storages.yaml b/charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml
similarity index 100%
rename from charts/csm-authorization/crds/csm-authorization.storage.dell.com_storages.yaml
rename to charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml
diff --git a/charts/csm-authorization-v2.0/policies/common.rego b/charts/csm-authorization-v2.0/policies/common.rego
new file mode 100644
index 00000000..99709c9a
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/common.rego
@@ -0,0 +1,4 @@
+package karavi.common
+default roles = {}
+roles = {}
+
diff --git a/charts/csm-authorization-v2.0/policies/sdc-approve.rego b/charts/csm-authorization-v2.0/policies/sdc-approve.rego
new file mode 100644
index 00000000..a0d2b53e
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/sdc-approve.rego
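Review bot: `redis.images.redis` points at `amaas-eos-mw1.cec.lab.emc.com:5046/redis:7.2.4-alpine`, an internal lab registry that users of a published chart cannot reach, and `redis.images.commander` uses the floating `:latest` tag, so the image actually deployed changes silently between installs and cannot be audited or reproduced. Both should be a public (or documented) registry path pinned to an explicit tag or digest, e.g. `redis: redis:7.2.4-alpine` and `commander: rediscommander/redis-commander:<PINNED_TAG>` (placeholder for whichever tag was validated).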
@@ -0,0 +1,40 @@
+# Copyright © 2023 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.sdc.approve
+
+import data.karavi.common
+
+# Allow requests by default.
+default allow = true
+
+default response = {
+ "allowed": true
+}
+response = {
+ "allowed": false,
+ "status": {
+ "reason": reason,
+ },
+} {
+ reason = concat(", ", deny)
+ reason != ""
+}
+
+default claims = {}
+claims = input.claims
+deny[msg] {
+ claims == {}
+ msg := sprintf("missing claims", [])
+}
diff --git a/charts/csm-authorization/policies/snapshot-create-test.rego b/charts/csm-authorization-v2.0/policies/snapshot-create-test.rego
similarity index 100%
rename from charts/csm-authorization/policies/snapshot-create-test.rego
rename to charts/csm-authorization-v2.0/policies/snapshot-create-test.rego
diff --git a/charts/csm-authorization/policies/snapshot-create.rego b/charts/csm-authorization-v2.0/policies/snapshot-create.rego
similarity index 100%
rename from charts/csm-authorization/policies/snapshot-create.rego
rename to charts/csm-authorization-v2.0/policies/snapshot-create.rego
diff --git a/charts/csm-authorization-v2.0/policies/volumes-create-test.rego b/charts/csm-authorization-v2.0/policies/volumes-create-test.rego
new file mode 100644
index 00000000..619e5a8d
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/volumes-create-test.rego
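Review bot: `default allow = true` is unconditional — `allow` never consults `deny`, so when `claims == {}` the `deny` set fires and `response.allowed` becomes false while `allow` stays true; whichever of the two the proxy evaluates, the policy contradicts itself, unlike volumes-create.rego in this change where `allow` requires `count(deny) == 0`. Keeping the allow-by-default intent while making the two agree is `default allow = false` plus `allow { count(deny) == 0 }`. Minor: the license header's `http:#www.apache.org/licenses/LICENSE-2.0` (here and in every new .rego file in this change) is a mangled `http://` URL.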
@@ -0,0 +1,117 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.create + +roles = { + "us-east-1": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": "44000000" + } + } + } + } + } + }, + "us-west-1": { + "system_types": { + "powerflex": { + "system_ids": { + "1111": { + "pool_quotas": { + "bronze": 83886080 + } + } + } + } + } + }, + "us-west-2-small": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": 83886080 + } + } + } + } + } + }, + "us-west-2-large": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": 838860800, + "silver": 93886080000 + } + } + } + } + } + } + } + +test_small_request_allowed { + allow with input as { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss":"com.dell.karavi", + "roles":"us-east-1", + "sub":"karavi-tenant" + }, + "request": { + "name":"k8s-0fc0695995", + "protectionDomainId":"6b2ffe6c00000000", + "storagePoolId":"ae376b0300000000", + "volumeSizeInKb":"8388608", + "volumeType":"ThinProvisioned" + }, + "storagepool":"bronze", + "storagesystemid":"2222", + "systemtype": "powerflex" + } with data.karavi.common.roles as roles +} + +test_large_request_not_allowed { + not allow with input as { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": 
"DevOpsGroup1", + "iss":"com.dell.karavi", + "roles":"us-west-2-small,us-west-2-large", + "sub":"karavi-tenant" + }, + "request": { + "name":"k8s-0fc0695995", + "protectionDomainId":"6b2ffe6c00000000", + "storagePoolId":"ae376b0300000000", + "volumeSizeInKb":"9999999999", + "volumeType":"ThinProvisioned" + }, + "storagepool":"bronze", + "storagesystemid":"2222", + "storagetype": "powerflex" + } with data.karavi.common.roles as roles +} diff --git a/charts/csm-authorization-v2.0/policies/volumes-create.rego b/charts/csm-authorization-v2.0/policies/volumes-create.rego new file mode 100644 index 00000000..8015b82f --- /dev/null +++ b/charts/csm-authorization-v2.0/policies/volumes-create.rego 
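Review bot: `test_large_request_not_allowed` passes for the wrong reason: its input carries `"storagetype": "powerflex"` while the policy under test (and `test_small_request_allowed`) read `input.systemtype`, so `common.roles[v].system_types[input.systemtype]` is undefined, `permitted_roles` is empty and `not allow` holds regardless of the 9999999999 Kb size — the quota comparison is never exercised. Change the key to `"systemtype": "powerflex"`; the test should still pass, now because the size exceeds both the small and large bronze quotas. A further case pairing the `us-east-1` fixture, whose quota is the string `"44000000"`, with an over-quota size would pin down how the policy's comparison treats a string-valued quota.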
@@ -0,0 +1,93 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.create
+
+import data.karavi.common
+
+# Deny requests by default.
+default allow = false
+
+#
+# Allows the request if one of the claimed roles matches
+# a role configured to allow the storage request.
+#
+allow {
+ count(permitted_roles) != 0
+ count(deny) == 0
+}
+
+#
+# Deny if there are no roles found.
+#
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no configured roles", [])
+}
+
+#
+# Deny if claimed roles has no match for the request.
+#
+deny[msg] {
+ count(permitted_roles) == 0
+ msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s",
+ [input.claims.roles,
+ input.request.volumeSizeInKb,
+ input.systemtype,
+ input.storagesystemid,
+ input.storagepool])
+}
+
+#
+# These are permitted roles that are configured
+# with the requested storage system, mapped to
+# the allowable quota for the request storage
+# pool.
+#
+# Example: { "role-1": 800000 }
+#
+permitted_roles[v] = y {
+ # Split the claimed roles by comma into an array.
+ claimed_roles := split(input.claims.roles, ",")
+
+ # This block filters 'a' to contain only roles
+ # that are found in 'common.roles'.
+ some i
+ a := claimed_roles[i]
+ common.roles[a]
+
+ # v will contain permitted roles that match the storage request.
+ v := claimed_roles[i]
+ common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb)
+ y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
+}
+
+# These are the permitted roles that are configured
+# with zero quota, meaning infinite capacity.
+#
+permitted_roles[v] = y {
+ # Split the claimed roles by comma into an array.
+ claimed_roles := split(input.claims.roles, ",")
+
+ # This block filters 'a' to contain only roles
+ # that are found in 'common.roles'.
+ some i
+ a := claimed_roles[i]
+ common.roles[a]
+
+ # v will contain permitted roles that match the storage request.
+ v := claimed_roles[i]
+ common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0
+ y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
+}
diff --git a/charts/csm-authorization-v2.0/policies/volumes-delete.rego b/charts/csm-authorization-v2.0/policies/volumes-delete.rego
new file mode 100644
index 00000000..2ee0938c
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/volumes-delete.rego
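Review bot: The quota check `...pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb)` compares the stored quota without converting it, and Rego's comparison operators impose a total order across types instead of erroring — every string sorts above every number — so if a quota ever arrives as a string (the `"44000000"` fixture in volumes-create-test.rego suggests that shape occurs) the rule permits any request size and the limit is bypassed; only the following `y :=` line converts it. Wrap the quota too: `to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) >= to_number(input.request.volumeSizeInKb)`, and likewise `to_number(...) == 0` in the zero-quota rule, so a non-numeric quota makes the rule undefined (fail closed) rather than permissive. The same two comparison lines appear in volumes-powermax-create.rego in this change. Whether the role service ever stores quotas as strings is not visible here and is worth confirming, but normalising in the policy is cheap.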
@@ -0,0 +1,48 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.delete
+
+import data.karavi.common
+
+default response = {
+ "allowed": true
+}
+response = {
+ "allowed": false,
+ "status": {
+ "reason": reason,
+ },
+} {
+ reason = concat(", ", deny)
+ reason != ""
+}
+
+#
+# Ensure there are roles configured.
+#
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no role data found", [])
+}
+
+#
+# Validate input: claims.
+#
+default claims = {}
+claims = input.claims
+deny[msg] {
+ claims == {}
+ msg := sprintf("missing claims", [])
+}
diff --git a/charts/csm-authorization-v2.0/policies/volumes-map.rego b/charts/csm-authorization-v2.0/policies/volumes-map.rego
new file mode 100644
index 00000000..15fb172e
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/volumes-map.rego
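Review bot: volumes-delete.rego, and the otherwise identical volumes-map.rego and volumes-unmap.rego in this change, only deny when `common.roles` is empty or `claims` is missing; nothing in the policy ties the request to the caller's roles or to the volume, so `response.allowed` is true for any caller presenting non-empty claims once any role exists. If that scoping is enforced in the proxy server rather than in OPA, a header comment saying so (e.g. `# Tenant/volume ownership for this request is checked by the proxy-server, not in policy.`) would keep a future reader from treating this file as the authorization decision.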
@@ -0,0 +1,42 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.map
+
+import data.karavi.common
+
+default response = {
+ "allowed": true
+}
+response = {
+ "allowed": false,
+ "status": {
+ "reason": reason,
+ },
+} {
+ reason = concat(", ", deny)
+ reason != ""
+}
+
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no role data found", [])
+}
+
+default claims = {}
+claims = input.claims
+deny[msg] {
+ claims == {}
+ msg := sprintf("missing claims", [])
+}
diff --git a/charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego b/charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego
new file mode 100644
index 00000000..0046f48b
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego
@@ -0,0 +1,93 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.powermax.create
+
+import data.karavi.common
+
+# Deny requests by default.
+default allow = false
+
+#
+# Allows the request if one of the claimed roles matches
+# a role configured to allow the storage request.
+#
+allow {
+ count(permitted_roles) != 0
+ count(deny) == 0
+}
+
+#
+# Deny if there are no roles found.
+#
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no configured roles", [])
+}
+
+#
+# Deny if claimed roles has no match for the request.
+#
+deny[msg] {
+ count(permitted_roles) == 0
+ msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s",
+ [input.claims.roles,
+ input.request.volumeSizeInKb,
+ input.systemtype,
+ input.storagesystemid,
+ input.storagepool])
+}
+
+#
+# These are permitted roles that are configured
+# with the requested storage system, mapped to
+# the allowable quota for the request storage
+# pool.
+#
+# Example: { "role-1": 800000 }
+#
+permitted_roles[v] = y {
+ # Split the claimed roles by comma into an array.
+ claimed_roles := split(input.claims.roles, ",")
+
+ # This block filters 'a' to contain only roles
+ # that are found in 'common.roles'.
+ some i
+ a := claimed_roles[i]
+ common.roles[a]
+
+ # v will contain permitted roles that match the storage request.
+ v := claimed_roles[i]
+ common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb)
+ y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
+}
+
+# These are the permitted roles that are configured
+# with zero quota, meaning infinite capacity.
+#
+permitted_roles[v] = y {
+ # Split the claimed roles by comma into an array.
+ claimed_roles := split(input.claims.roles, ",")
+
+ # This block filters 'a' to contain only roles
+ # that are found in 'common.roles'.
+ some i
+ a := claimed_roles[i]
+ common.roles[a]
+
+ # v will contain permitted roles that match the storage request.
+ v := claimed_roles[i]
+ common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0
+ y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
+}
diff --git a/charts/csm-authorization-v2.0/policies/volumes-unmap.rego b/charts/csm-authorization-v2.0/policies/volumes-unmap.rego
new file mode 100644
index 00000000..f4a85f1f
--- /dev/null
+++ b/charts/csm-authorization-v2.0/policies/volumes-unmap.rego
@@ -0,0 +1,42 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.unmap
+
+import data.karavi.common
+
+default response = {
+ "allowed": true
+}
+response = {
+ "allowed": false,
+ "status": {
+ "reason": reason,
+ },
+} {
+ reason = concat(", ", deny)
+ reason != ""
+}
+
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no role data found", [])
+}
+
+default claims = {}
+claims = input.claims
+deny[msg] {
+ claims == {}
+ msg := sprintf("missing claims", [])
+}
diff --git a/charts/csm-authorization-v2.0/templates/NOTES.txt b/charts/csm-authorization-v2.0/templates/NOTES.txt
new file mode 100644
index 00000000..a006c075
--- /dev/null
+++ b/charts/csm-authorization-v2.0/templates/NOTES.txt
@@ -0,0 +1,14 @@
+The CSM Authorization deployment has been successfully installed.
+
+Execute the following commands in your shell to print the URL of the CSM Authorization NodePort LoadBalancer:
+
+export NODE_PORT=$(kubectl get --namespace {{ include "custom.namespace" . }} -o jsonpath="{.spec.ports[1].nodePort}" service {{ include "custom.namespace" . }}-ingress-nginx-controller)
+export NODE_IP=$(kubectl get nodes --namespace {{ include "custom.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+echo https://$NODE_IP:$NODE_PORT
+
+LoadBalancer host rules for proxy-server:
+- {{ .Values.authorization.hostname }}
+- {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local
+
+authorization.proxyHost value for a CSI Driver examples:
+- {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization)
diff --git a/charts/csm-authorization-v2.0/templates/_helpers.tpl b/charts/csm-authorization-v2.0/templates/_helpers.tpl
new file mode 100644
index 00000000..918bda1e
--- /dev/null
+++ b/charts/csm-authorization-v2.0/templates/_helpers.tpl
@@ -0,0 +1,9 @@
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+*/}}
+
+{{- define "custom.namespace" -}}
+ {{ .Values.namespace | default .Release.Namespace }}
+{{- end -}}
diff --git a/charts/csm-authorization/templates/authorization-controller.yaml b/charts/csm-authorization-v2.0/templates/authorization-controller.yaml
similarity index 100%
rename from charts/csm-authorization/templates/authorization-controller.yaml
rename to charts/csm-authorization-v2.0/templates/authorization-controller.yaml
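Review bot: The `kubectl get ... service` command in NOTES.txt builds the controller service name from `custom.namespace`, while the host-rule lines below derive it from `.Release.Name`; the two only agree when the release is named after its namespace, so the printed NodePort command will otherwise reference a service that does not exist. Use `{{ .Release.Name }}-ingress-nginx-controller` in the `export NODE_PORT` line as well. The `_helpers.tpl` hunk reads `.Values.namespace`, which the new values.yaml never declares; a commented `namespace: ""` entry there would make the override discoverable.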
diff --git a/charts/csm-authorization-v2.0/templates/certificate.yaml b/charts/csm-authorization-v2.0/templates/certificate.yaml new file mode 100644 index 00000000..70a5ec36 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/certificate.yaml @@ -0,0 +1,64 @@ +# If the cert and key are provided, use them to create a tls secret +{{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} +{{- $certificateFileContents := .Values.authorization.certificate }} +{{- $privateKeyFileContents := .Values.authorization.privateKey }} +apiVersion: v1 +data: + tls.crt: {{ $certificateFileContents | b64enc }} + tls.key: {{ $privateKeyFileContents | b64enc }} +kind: Secret +type: kubernetes.io/tls +metadata: + name: user-provided-tls + namespace: {{ include "custom.namespace" . }} + +--- +{{- end }} + + +# If the cert and key are not provided, user cert-manager to create a self-signed tls secret +{{- if or (not .Values.authorization.certificate) (not .Values.authorization.privateKey) }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned + namespace: {{ include "custom.namespace" . }} +spec: + selfSigned: {} + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: karavi-auth + namespace: {{ include "custom.namespace" . }} +spec: + secretName: karavi-selfsigned-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - dellemc + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + - client auth + dnsNames: + - karavi-auth + - karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local + - {{ .Values.authorization.hostname }} + {{- if .Values.authorization.proxyServerIngress.hosts }} + {{- range .Values.authorization.proxyServerIngress.hosts }} + - {{ tpl . $}} + {{- end }} + {{- end}} + issuerRef: + name: selfsigned + kind: Issuer + group: cert-manager.io +{{- end }} 
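Review bot: The self-signed Certificate lists `karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local` as a SAN, but every other template in this chart addresses in-cluster services under `svc.cluster.local`; unless the cluster DNS domain was deliberately changed, in-cluster TLS clients will hit a name mismatch. Change it to `- karavi-auth.{{ include "custom.namespace" . }}.svc.cluster.local`. The comment above the second branch reads `user cert-manager`; it should say `use cert-manager`.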
diff --git a/charts/csm-authorization-v2.0/templates/csm-config-params.yaml b/charts/csm-authorization-v2.0/templates/csm-config-params.yaml new file mode 100644 index 00000000..6f81c046 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/csm-config-params.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: csm-config-params + namespace: {{ include "custom.namespace" . }} +data: + csm-config-params.yaml: | + CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }} + LOG_LEVEL: {{ .Values.authorization.logLevel }} + STORAGE_CAPACITY_POLL_INTERVAL: {{ .Values.authorization.storageCapacityPollInterval }} + {{- if (.Values.authorization.zipkin.collectoruri) }} + zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }} + zipkin.probability: {{ .Values.authorization.zipkin.probability }} + {{- end }} diff --git a/charts/csm-authorization-v2.0/templates/ingress.yaml b/charts/csm-authorization-v2.0/templates/ingress.yaml new file mode 100644 index 00000000..c7ad8b67 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/ingress.yaml 
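Review bot: `CONCURRENT_POWERFLEX_REQUESTS` and `LOG_LEVEL` are interpolated unquoted into the embedded `csm-config-params.yaml` block, while values.yaml documents `concurrentPowerFlexRequests` as a number-as-string; the rendered `CONCURRENT_POWERFLEX_REQUESTS: 10` becomes an integer to whatever YAML loader the service uses. If the service expects a string, render it as `CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests | quote }}`. The same treatment is advisable for `zipkin.collectoruri`, since a value starting with a YAML indicator would otherwise break the nested document.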
@@ -0,0 +1,65 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} + annotations: + {{- if eq .Values.openshift true }} + route.openshift.io/termination: "edge" + {{- end }} + {{- if .Values.authorization.proxyServerIngress.annotations }} + {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if eq .Values.nginx.enabled true }} + ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }} + {{- end }} + tls: + - hosts: + - {{ .Values.authorization.hostname }} + {{- if .Values.authorization.proxyServerIngress.hosts }} + {{- range .Values.authorization.proxyServerIngress.hosts }} + - {{ tpl . $}} + {{- end }} + {{- end}} + {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} + secretName: user-provided-tls + {{- else }} + secretName: karavi-selfsigned-tls + {{- end }} + rules: + - host: {{ .Values.authorization.hostname }} + http: + paths: + - backend: + service: + name: proxy-server + port: + number: 8080 + path: / + pathType: Prefix + {{- if .Values.authorization.proxyServerIngress.hosts }} + {{- range .Values.authorization.proxyServerIngress.hosts }} + - host: {{ tpl . $}} + http: + paths: + - backend: + service: + name: proxy-server + port: + number: 8080 + path: / + pathType: Prefix + {{- end }} + {{- end }} + - http: + paths: + - backend: + service: + name: proxy-server + port: + number: 8080 + path: / + pathType: Prefix diff --git a/charts/csm-authorization-v2.0/templates/policies.yaml b/charts/csm-authorization-v2.0/templates/policies.yaml new file mode 100644 index 00000000..02c9e52b --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/policies.yaml 
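Review bot: `ingressClassName` is only rendered when `nginx.enabled` is true, so a user who brings their own controller (the case values.yaml describes for `nginx: enabled: false`) has `proxyServerIngress.ingressClassName` silently dropped. Gate it on the value itself instead: `{{- if .Values.authorization.proxyServerIngress.ingressClassName }}`. The trailing host-less rule makes the proxy reachable under any Host header, including raw IPs; that matches the NOTES.txt description, but a comment on that rule would stop someone from assuming the host rules above are an access restriction.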
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: common + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/common.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-create + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-create.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-delete + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-delete.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-map + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-map.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: powermax-volumes-create + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/volumes-powermax-create.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: volumes-unmap + namespace: {{ .Release.Namespace }} +data: + {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sdc-approve + namespace: {{ .Release.Namespace }} +data: + {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: snapshot-create + namespace: {{ .Release.Namespace }} +data: + {{- (.Files.Glob "policies/snapshot-create.rego").AsConfig | nindent 2 }} diff --git a/charts/csm-authorization-v2.0/templates/proxy-server.yaml b/charts/csm-authorization-v2.0/templates/proxy-server.yaml new file mode 100644 index 00000000..a447240e --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/proxy-server.yaml 
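Review bot: The `volumes-unmap`, `sdc-approve` and `snapshot-create` ConfigMaps use `{{ .Release.Namespace }}` while the five above use `{{ include "custom.namespace" . }}`. When `.Values.namespace` is set, those three policies land in a different namespace from the one kube-mgmt watches (`--policies={{ include "custom.namespace" . }}` in proxy-server.yaml), so OPA never loads them and the matching requests are evaluated without those rules. Change the three to `namespace: {{ include "custom.namespace" . }}`.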
@@ -0,0 +1,162 @@ +# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt +# list configmaps to be loaded into OPA as policies. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: opa-viewer +roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: Group + name: system:serviceaccounts:{{ include "custom.namespace" . }} + apiGroup: rbac.authorization.k8s.io +--- +# Define role for OPA/kube-mgmt to update configmaps with policy status. +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ include "custom.namespace" . }} + name: configmap-modifier +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["update", "patch"] +--- +# Grant OPA/kube-mgmt role defined above. +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ include "custom.namespace" . }} + name: opa-configmap-modifier +roleRef: + kind: Role + name: configmap-modifier + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: Group + name: system:serviceaccounts:{{ include "custom.namespace" . }} + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["watch"] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants"] + verbs: ["get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: proxy-server +subjects: + - kind: ServiceAccount + name: proxy-server + namespace: {{ include "custom.namespace" . 
}} +roleRef: + kind: ClusterRole + name: proxy-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} + labels: + app: proxy-server +spec: + replicas: 1 + selector: + matchLabels: + app: proxy-server + template: + metadata: + labels: + app: proxy-server + spec: + serviceAccount: proxy-server + containers: + + - name: proxy-server + image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService }} + imagePullPolicy: Always + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . -}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--redis-sentinel={{ $str }}" + - "--redis-password=$(REDIS_PASSWORD)" + - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--role-service=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: opa + image: {{ required "Must provide the openpolicyagent image." .Values.authorization.images.opa }} + imagePullPolicy: IfNotPresent + args: + - "run" + - "--ignore=." + - "--server" + - "--log-level=debug" + ports: + - name: http + containerPort: 8181 + - name: kube-mgmt + image: {{ required "Must provide the opaKubeMgmt image." 
.Values.authorization.images.opaKubeMgmt }} + imagePullPolicy: IfNotPresent + args: + - "--policies={{ include "custom.namespace" . }}" + - "--enable-data" + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: proxy-server + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: proxy-server + ports: + - name: http + protocol: TCP + port: 8080 + targetPort: 8080 diff --git a/charts/csm-authorization-v2.0/templates/role-service.yaml b/charts/csm-authorization-v2.0/templates/role-service.yaml new file mode 100644 index 00000000..1774b2c8 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/role-service.yaml 
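Review bot: The `--tenant-service`, `--role-service` and `--storage-service` args in the proxy-server container use `{{ .Release.Namespace }}`, but the Services are created in `{{ include "custom.namespace" . }}`; with a namespace override the proxy resolves names that do not exist. Use the `$ns` variable already computed above, e.g. `- "--tenant-service=tenant-service.{{ $ns }}.svc.cluster.local:50051"`. Separately, the `opa-viewer` ClusterRoleBinding grants the `view` ClusterRole cluster-wide to every ServiceAccount in the namespace, although kube-mgmt only reads ConfigMaps from the single namespace given by `--policies`; a RoleBinding in that namespace, bound to a dedicated kube-mgmt ServiceAccount, is the least-privilege form. `serviceAccount:` in the pod spec is the deprecated alias of `serviceAccountName:`, which the other deployments use.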
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: role-service + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: role-service +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: role-service +subjects: + - kind: ServiceAccount + name: role-service + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: role-service + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: role-service + namespace: {{ include "custom.namespace" . }} + labels: + app: role-service +spec: + replicas: 1 + selector: + matchLabels: + app: role-service + template: + metadata: + labels: + app: role-service + spec: + serviceAccountName: role-service + containers: + - name: role-service + image: {{ required "Must provide the role-service image." .Values.authorization.images.roleService }} + imagePullPolicy: Always + ports: + - containerPort: 50051 + name: grpc + env: + - name: NAMESPACE + value: {{ include "custom.namespace" . }} + volumeMounts: + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: role-service + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: role-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc diff --git a/charts/csm-authorization-v2.0/templates/storage-service.yaml b/charts/csm-authorization-v2.0/templates/storage-service.yaml new file mode 100644 index 00000000..6db19c2e --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/storage-service.yaml 
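Review bot: The `role-service` ClusterRole grants `get`/`patch` on ConfigMaps and `get` on Secrets in every namespace, although the deployment is pointed at a single namespace through the `NAMESPACE` env var. If the service only touches resources in its own namespace, a `Role` plus `RoleBinding` in `{{ include "custom.namespace" . }}` gives the same capability without cluster-wide Secret read; if cross-namespace access is genuinely needed, a comment on the rule saying why would save the next reviewer the question.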
@@ -0,0 +1,199 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: storage-service + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: storage-service +rules: + - apiGroups: [""] + resources: ["secrets", "events"] + verbs: ["get", "patch","post", create] + - apiGroups: ["csm-authorization.storage.dell.com"] + resources: ["storages", "csmtenants", "csmroles"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "update", "get", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: storage-service +subjects: + - kind: ServiceAccount + name: storage-service + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: storage-service + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: storage-service-tokenreview-binding + namespace: {{ include "custom.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: storage-service + namespace: {{ include "custom.namespace" . }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: storage-service + namespace: {{ include "custom.namespace" . }} + labels: + app: storage-service +spec: + replicas: 1 + selector: + matchLabels: + app: storage-service + template: + metadata: + labels: + app: storage-service + spec: + serviceAccountName: storage-service + containers: + - name: storage-service + image: {{ required "Must provide the storage-service image." .Values.authorization.images.storageService }} + imagePullPolicy: Always + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . 
-}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--vault-address={{ .Values.vault.address }}" + - "--vault-kv-engine-path={{ .Values.vault.kvEnginePath }}" + - "--vault-role={{ .Values.vault.role }}" + - "--vault-skip-certificate-validation={{ .Values.vault.skipCertificateValidation }}" + - "--redis-sentinel={{ $str }}" + - "--redis-password=$(REDIS_PASSWORD)" + - "--leader-election=true" + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + - name: vault-client-certificate + mountPath: /etc/vault + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params + - name: vault-client-certificate + projected: + sources: + {{- if and (.Values.vault.clientCertificate) (.Values.vault.clientKey) }} + - secret: + name: vault-client-certificate + {{- else }} + - secret: + name: storage-service-selfsigned-tls + {{- end }} + {{- if .Values.vault.certificateAuthority }} + - secret: + name: vault-certificate-authority + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: storage-service + namespace: {{ include "custom.namespace" . 
}} +spec: + selector: + app: storage-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc +--- +{{- if .Values.vault.certificateAuthority }} +{{- $certificateFileContents := .Values.vault.certificateAuthority }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: vault-certificate-authority + namespace: {{ include "custom.namespace" . }} +data: + ca.crt: {{ $certificateFileContents | b64enc }} +{{- end }} +--- +{{- if and (.Values.vault.clientCertificate) (.Values.vault.clientKey) }} +{{- $certificateFileContents := .Values.vault.clientCertificate }} +{{- $keyFileContents := .Values.vault.clientKey }} +apiVersion: v1 +data: + tls.crt: {{ $certificateFileContents | b64enc }} + tls.key: {{ $keyFileContents | b64enc }} +kind: Secret +type: kubernetes.io/tls +metadata: + name: vault-client-certificate + namespace: {{ include "custom.namespace" . }} +{{- else }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: storage-service-selfsigned + namespace: {{ include "custom.namespace" . }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: storage-service-selfsigned + namespace: {{ include "custom.namespace" . }} +spec: + secretName: storage-service-selfsigned-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - dellemc + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + dnsNames: + - csm-authorization-storage-service + issuerRef: + name: storage-service-selfsigned + kind: Issuer + group: cert-manager.io +{{- end }} diff --git a/charts/csm-authorization-v2.0/templates/tenant-service.yaml b/charts/csm-authorization-v2.0/templates/tenant-service.yaml new file mode 100644 index 00000000..a73fbb64 --- /dev/null +++ b/charts/csm-authorization-v2.0/templates/tenant-service.yaml 
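Review bot: The first ClusterRole rule lists `verbs: ["get", "patch","post", create]`; `post` is not a Kubernetes RBAC verb (the create operation is `create`, already present), so it grants nothing and should be dropped, and `create` should be quoted like its neighbours: `verbs: ["get", "patch", "create"]`. The `storage-service-tokenreview-binding` ClusterRoleBinding carries a `metadata.namespace`, which is meaningless on a cluster-scoped object and is ignored by the API server. `--vault-skip-certificate-validation` is fed by a value that defaults to `true` in values.yaml, so a default install talks to Vault without verifying its certificate; a comment next to the arg pointing at `vault.certificateAuthority` as the intended production path would make that trade-off visible.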
@@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tenant-service + namespace: {{ include "custom.namespace" . }} + labels: + app: tenant-service +spec: + replicas: 1 + selector: + matchLabels: + app: tenant-service + template: + metadata: + labels: + app: tenant-service + spec: + containers: + - name: tenant-service + image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService }} + imagePullPolicy: Always + env: + {{- $str := "" -}} + {{- $ns := include "custom.namespace" . -}} + {{- $replicas := .Values.redis.replicas | int }} + {{- $sentinel := .Values.redis.sentinel }} + {{- range $i, $e := until $replicas }} + {{- if $i }} + {{- $str = print $str "," -}} + {{- end }} + {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-csm-secret + key: password + args: + - "--redis-sentinel={{ $str }}" + - "--redis-password=$(REDIS_PASSWORD)" + ports: + - containerPort: 50051 + name: grpc + volumeMounts: + - name: config-volume + mountPath: /etc/karavi-authorization/config + - name: csm-config-params + mountPath: /etc/karavi-authorization/csm-config-params + volumes: + - name: config-volume + secret: + secretName: karavi-config-secret + - name: csm-config-params + configMap: + name: csm-config-params +--- +apiVersion: v1 +kind: Service +metadata: + name: tenant-service + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: tenant-service + ports: + - port: 50051 + targetPort: 50051 + name: grpc diff --git a/charts/csm-authorization-v2.0/values.yaml b/charts/csm-authorization-v2.0/values.yaml new file mode 100644 index 00000000..06015f9b --- /dev/null +++ b/charts/csm-authorization-v2.0/values.yaml 
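Review bot: The tenant-service Deployment sets no `serviceAccountName`, so the pod runs under the namespace `default` ServiceAccount; because proxy-server.yaml binds the `view` ClusterRole to the whole `system:serviceaccounts:<namespace>` group, that default account inherits cluster-wide read access. Give it a dedicated ServiceAccount like the other services, and if it does not call the Kubernetes API, add `automountServiceAccountToken: false` to the pod spec.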
@@ -0,0 +1,76 @@ +--- +# set to true if installing on an OpenShift Container Platform +# if enabled, the OpenShift Ingress Operator will be used +# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section +openshift: false + +# set to true if installing on a Kubernetes Container Platform +# if enabled, NGINX Ingress Controller will be deployed +# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section +nginx: + enabled: true + +# if enabled, cert-manager will be deployed +# if cert-manager is already deployed, keep this false +cert-manager: + enabled: true + +authorization: + # images to use in installation + images: + proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha + tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha + roleService: dellemc/csm-authorization-role:v2.0.0-alpha + storageService: dellemc/csm-authorization-storage:v2.0.0-alpha + authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + opa: openpolicyagent/opa + opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 + + # proxy-server ingress will use this hostname + # NOTE: additional hostnames can be configured in authorization.proxyServerIngress.hosts + # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required + hostname: csm-authorization.com + + # log level for csm-authorization + logLevel: debug + + # number, as a string, of concurrent requests for the storage-service to make to PowerFlex + # currently only used with dellctl to list tenant volumes + concurrentPowerFlexRequests: "10" + + # tracing configuration + # this can be updated on the fly via the csm-config-params configMap + zipkin: + {} + # collectoruri: http://DNS-hostname:9411/api/v2/spans + # probability: 1 + + # proxy-server ingress configuration + proxyServerIngress: + ingressClassName: nginx + 
+ # additional host rules for the proxy-server ingress + hosts: + [] + # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + + # additional annotations for the proxy-server ingress + annotations: {} + + # storage capacity poll interval + storageCapacityPollInterval: 5m + +redis: + name: redis-csm + sentinel: sentinel + rediscommander: rediscommander + replicas: 5 + images: + redis: redis:7.2.4-alpine + commander: rediscommander/redis-commander:latest + +vault: + address: https://10.0.0.1:8400 + kvEnginePath: secret + role: csm-authorization + skipCertificateValidation: true diff --git a/charts/csm-authorization/Chart.yaml b/charts/csm-authorization/Chart.yaml index 0b838590..a767ac9c 100644 --- a/charts/csm-authorization/Chart.yaml +++ b/charts/csm-authorization/Chart.yaml @@ -8,11 +8,11 @@ description: | storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. dependencies: -- name: cert-manager - version: 1.10.0 - repository: https://charts.jetstack.io - condition: cert-manager.enabled -- name: ingress-nginx - version: 4.0.19 - repository: https://kubernetes.github.io/ingress-nginx - condition: nginx.enabled + - name: cert-manager + version: 1.10.0 + repository: https://charts.jetstack.io + condition: cert-manager.enabled + - name: ingress-nginx + version: 4.0.19 + repository: https://kubernetes.github.io/ingress-nginx + condition: ingress-nginx.enabled diff --git a/charts/csm-authorization/charts/redis/Chart.yaml b/charts/csm-authorization/charts/redis/Chart.yaml index c9994417..30b032ee 100644 --- a/charts/csm-authorization/charts/redis/Chart.yaml +++ b/charts/csm-authorization/charts/redis/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: redis-csm -description: Helm Chart for Redis with Sentinels +name: redis +description: A Helm chart for Redis type: application version: 0.1.0 appVersion: 0.1.0 
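Review bot: `vault.skipCertificateValidation: true` as the shipped default means the storage-service accepts any certificate from Vault, and nothing in the file marks this as a lab-only setting; default it to `false` and document `vault.certificateAuthority` as the way to trust a private CA, or at least comment that it must be `false` in production. `authorization.images.opa` has no tag and `redis.images.commander` uses `latest`, so the policy engine and the admin UI float across upgrades and cannot be reproduced from the chart version; pin both like the other images. `logLevel: debug` as the default also deserves a comment, since debug output from an authorization proxy may include request claims.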
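Review bot: The ingress-nginx dependency condition changes from `nginx.enabled` to `ingress-nginx.enabled`, while the v2 values.yaml in this same commit still uses the `nginx: enabled:` key; if this chart's own values.yaml keeps the `nginx` key as well, the subchart is now never installed unless a user supplies `ingress-nginx.enabled` explicitly. Either keep `condition: nginx.enabled` or rename the values key in the same commit.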
diff --git a/charts/csm-authorization/charts/redis/templates/redis.yaml b/charts/csm-authorization/charts/redis/templates/redis.yaml index e3685570..ce901eb4 100644 --- a/charts/csm-authorization/charts/redis/templates/redis.yaml +++ b/charts/csm-authorization/charts/redis/templates/redis.yaml 
@@ -1,160 +1,114 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.redis.name }} - namespace: {{ include "custom.namespace" . }} -spec: - type: - clusterIP: None - selector: - app: {{ .Values.redis.name }} - ports: - - protocol: TCP - port: 6379 - targetPort: 6379 - name: {{ .Values.redis.name }} ---- apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: - name: {{ .Values.redis.name }} + name: redis-primary namespace: {{ include "custom.namespace" . }} + labels: + app: redis spec: - serviceName: {{ .Values.redis.name }} - replicas: {{ .Values.redis.replicas }} selector: matchLabels: - app: {{ .Values.redis.name }} + app: redis + role: primary + tier: backend + replicas: 1 template: metadata: labels: - app: {{ .Values.redis.name }} - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} + app: redis + role: primary + tier: backend spec: - initContainers: - - name: config - image: {{ .Values.redis.images.redis }} - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - - command: [ "sh", "-c" ] - args: - - | - cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf - echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf - echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf - - echo "Finding master..." - MASTER_FDQN=`hostname -f | sed -e 's/{{ .Values.redis.name }}-[0-9]\./{{ .Values.redis.name }}-0./'` - echo "Master at " $MASTER_FQDN - if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then - echo "No sentinel found..." - if [ "$(hostname)" = "{{ .Values.redis.name }}-0" ]; then - echo "This is Redis master, not updating redis.conf..." - else - echo "This is Redis replica, updating redis.conf..." - echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf - fi - else - echo "Sentinel found, finding master..." 
- MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" - echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf - fi - volumeMounts: - - name: redis-primary-volume - mountPath: /data - - name: configmap - mountPath: /csm-auth-redis-cm/ - - name: config - mountPath: /etc/redis/ containers: - - name: {{ .Values.redis.name }} - image: {{ .Values.redis.images.redis }} - command: ["redis-server"] - args: ["/etc/redis/redis.conf"] + - name: primary + image: {{ .Values.images.redis }} + imagePullPolicy: IfNotPresent + args: ["--appendonly", "yes", "--appendfsync", "always"] + resources: + requests: + cpu: 100m + memory: 100Mi ports: - containerPort: 6379 - name: {{ .Values.redis.name }} volumeMounts: - - name: redis-primary-volume - mountPath: /data - - name: configmap - mountPath: /csm-auth-redis-cm/ - - name: config - mountPath: /etc/redis/ + - name: redis-primary-volume + mountPath: /data volumes: - - name: redis-primary-volume - emptyDir: {} - - name: config - emptyDir: {} - - name: configmap - configMap: - name: redis-csm-cm + - name: redis-primary-volume + persistentVolumeClaim: + claimName: redis-primary-pv-claim +--- +{{- if not (.Values.storageClass) }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: csm-authorization-local-storage +provisioner: kubernetes.io/no-provisioner +volumeBindingMode: WaitForFirstConsumer + +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: csm-authorization-redis +spec: + capacity: + storage: 8Gi + volumeMode: Filesystem + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Recycle + storageClassName: csm-authorization-local-storage + hostPath: + path: /csm-authorization/redis +{{- end}} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: redis-primary-pv-claim + namespace: {{ include "custom.namespace" . 
}} + labels: + app: redis-primary +spec: + accessModes: + - ReadWriteOnce + {{- if (.Values.storageClass) }} + storageClassName: {{.Values.storageClass }} + {{ else }} + storageClassName: csm-authorization-local-storage + {{- end}} + resources: + requests: + storage: 8Gi --- apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Values.redis.rediscommander }} + name: redis-commander namespace: {{ include "custom.namespace" . }} spec: replicas: 1 selector: matchLabels: - app: {{ .Values.redis.rediscommander }} + app: redis-commander template: metadata: labels: - app: {{ .Values.redis.rediscommander }} + app: redis-commander tier: backend - annotations: - checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} spec: containers: - - name: {{ .Values.redis.rediscommander }} - image: {{ .Values.redis.images.commander }} + - name: redis-commander + image: {{ .Values.images.commander }} imagePullPolicy: IfNotPresent env: - {{- $str := "" -}} - {{- $ns := include "custom.namespace" . -}} - {{- $replicas := .Values.redis.replicas | int }} - {{- $sentinel := .Values.redis.sentinel }} - {{- range $i, $e := until $replicas }} - {{- if $i }} - {{- $str = print $str "," -}} - {{- end }} - {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} - {{- end }} - - name: SENTINELS - value: {{ $str | quote }} + - name: REDIS_HOSTS + value: "rbac:redis.{{ include "custom.namespace" . 
}}.svc.cluster.local:6379" - name: K8S_SIGTERM value: "1" - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - - name: SENTINEL_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - - name: HTTP_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - - name: HTTP_USER - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: commander_user ports: - - name: {{ .Values.redis.rediscommander }} + - name: redis-commander containerPort: 8081 livenessProbe: httpGet: @@ -177,11 +131,24 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ .Values.redis.rediscommander }} + name: redis + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: redis + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-commander namespace: {{ include "custom.namespace" . }} spec: selector: - app: {{ .Values.redis.rediscommander }} + app: redis-commander ports: - protocol: TCP port: 8081 diff --git a/charts/csm-authorization/charts/redis/values.yaml b/charts/csm-authorization/charts/redis/values.yaml index f331e952..e69de29b 100644 --- a/charts/csm-authorization/charts/redis/values.yaml +++ b/charts/csm-authorization/charts/redis/values.yaml @@ -1,9 +0,0 @@ -redis: - name: redis-csm - sentinel: sentinel - rediscommander: rediscommander - replicas: 5 - images: - redis: redis:7.2.4-alpine - commander: rediscommander/redis-commander:latest - diff --git a/charts/csm-authorization/policies/sdc-approve.rego b/charts/csm-authorization/policies/sdc-approve.rego index 2a816056..a0d2b53e 100644 --- a/charts/csm-authorization/policies/sdc-approve.rego +++ b/charts/csm-authorization/policies/sdc-approve.rego @@ -37,4 +37,4 @@ claims = input.claims deny[msg] { claims == {} msg := sprintf("missing claims", []) -} \ No newline at end of file +} 
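Review bot: The redis-primary Deployment starts the server with only `--appendonly`/`--appendfsync`, and redis-commander reaches it via `REDIS_HOSTS` with no password, so on the new side the datastore is reachable unauthenticated by any pod that can resolve `redis.<namespace>.svc.cluster.local`. If restoring this layout is intentional, a NetworkPolicy limiting 6379 to the authorization services would be the minimum compensating control; otherwise keep a `requirepass` sourced from a Secret. The templates also read `.Values.images.redis` and `.Values.images.commander`, while the subchart's values.yaml is emptied in this same commit (`index f331e952..e69de29b`); unless the parent chart supplies `redis.images.*`, both `image:` fields render empty. The `PersistentVolume` uses `persistentVolumeReclaimPolicy: Recycle`, which is deprecated; `Retain` or `Delete` is the supported choice for a hostPath volume.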
diff --git a/charts/csm-authorization/policies/volumes-create-test.rego b/charts/csm-authorization/policies/volumes-create-test.rego
index 619e5a8d..33d5ad00 100644
--- a/charts/csm-authorization/policies/volumes-create-test.rego
+++ b/charts/csm-authorization/policies/volumes-create-test.rego
@@ -74,7 +74,7 @@ test_small_request_allowed {
 allow with input as {
 "claims": {
 "aud": "karavi",
- "exp": 1615426023,
+ "exp": 1615426023,
 "group": "DevOpsGroup1",
 "iss":"com.dell.karavi",
 "roles":"us-east-1",
@@ -97,7 +97,7 @@ test_large_request_not_allowed {
 not allow with input as {
 "claims": {
 "aud": "karavi",
- "exp": 1615426023,
+ "exp": 1615426023,
 "group": "DevOpsGroup1",
 "iss":"com.dell.karavi",
 "roles":"us-west-2-small,us-west-2-large",
diff --git a/charts/csm-authorization/policies/volumes-delete.rego b/charts/csm-authorization/policies/volumes-delete.rego
index 2ee0938c..f8247891 100644
--- a/charts/csm-authorization/policies/volumes-delete.rego
+++ b/charts/csm-authorization/policies/volumes-delete.rego
@@ -42,7 +42,7 @@ deny[msg] {
 # default claims = {}
 claims = input.claims
-deny[msg] {
+deny[msg] {
 claims == {}
 msg := sprintf("missing claims", [])
 }
diff --git a/charts/csm-authorization/templates/csm-config-params.yaml b/charts/csm-authorization/templates/csm-config-params.yaml
index 6f81c046..19265cd1 100644
--- a/charts/csm-authorization/templates/csm-config-params.yaml
+++ b/charts/csm-authorization/templates/csm-config-params.yaml
@@ -7,7 +7,6 @@ data:
 csm-config-params.yaml: |
 CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }}
 LOG_LEVEL: {{ .Values.authorization.logLevel }}
- STORAGE_CAPACITY_POLL_INTERVAL: {{ .Values.authorization.storageCapacityPollInterval }}
 {{- if (.Values.authorization.zipkin.collectoruri) }}
 zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }}
 zipkin.probability: {{ .Values.authorization.zipkin.probability }}
diff --git a/charts/csm-authorization/templates/ingress.yaml b/charts/csm-authorization/templates/ingress.yaml
index c7ad8b67..faf61e60 100644
--- a/charts/csm-authorization/templates/ingress.yaml
+++ b/charts/csm-authorization/templates/ingress.yaml
@@ -3,19 +3,14 @@ kind: Ingress
 metadata:
 name: proxy-server
 namespace: {{ include "custom.namespace" . }}
+ {{- if .Values.authorization.proxyServerIngress.annotations }}
 annotations:
- {{- if eq .Values.openshift true }}
- route.openshift.io/termination: "edge"
- {{- end }}
- {{- if .Values.authorization.proxyServerIngress.annotations }}
 {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }}
 {{ $key }}: {{ tpl $value $ | quote }}
 {{- end }}
 {{- end }}
 spec:
- {{- if eq .Values.nginx.enabled true }}
 ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }}
- {{- end }}
 tls:
 - hosts:
 - {{ .Values.authorization.hostname }}
@@ -33,25 +28,25 @@ spec:
 - host: {{ .Values.authorization.hostname }}
 http:
 paths:
- - backend:
+ - path: /
+ pathType: Prefix
+ backend:
 service:
 name: proxy-server
 port:
 number: 8080
- path: /
- pathType: Prefix
 {{- if .Values.authorization.proxyServerIngress.hosts }}
 {{- range .Values.authorization.proxyServerIngress.hosts }}
 - host: {{ tpl . $}}
 http:
 paths:
- - backend:
+ - path: /
+ pathType: Prefix
+ backend:
 service:
 name: proxy-server
 port:
 number: 8080
- path: /
- pathType: Prefix
 {{- end }}
 {{- end }}
 - http:
diff --git a/charts/csm-authorization/templates/policies.yaml b/charts/csm-authorization/templates/policies.yaml
index 02c9e52b..838f7965 100644
--- a/charts/csm-authorization/templates/policies.yaml
+++ b/charts/csm-authorization/templates/policies.yaml
@@ -53,11 +53,3 @@ metadata:
 namespace: {{ .Release.Namespace }}
 data:
 {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: snapshot-create
- namespace: {{ .Release.Namespace }}
-data:
- {{- (.Files.Glob "policies/snapshot-create.rego").AsConfig | nindent 2 }}
diff --git a/charts/csm-authorization/templates/proxy-server.yaml b/charts/csm-authorization/templates/proxy-server.yaml
index 7a4404a9..ac2e6a2a 100644
--- a/charts/csm-authorization/templates/proxy-server.yaml
+++ b/charts/csm-authorization/templates/proxy-server.yaml
@@ -39,37 +39,6 @@ subjects:
 name: system:serviceaccounts:{{ include "custom.namespace" . }}
 apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: proxy-server
- namespace: {{ include "custom.namespace" . }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: proxy-server
-rules:
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["watch"]
- - apiGroups: ["csm-authorization.storage.dell.com"]
- resources: ["storages", "csmtenants"]
- verbs: ["get", "list"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: proxy-server
-subjects:
- - kind: ServiceAccount
- name: proxy-server
- namespace: {{ include "custom.namespace" . }}
-roleRef:
- kind: ClusterRole
- name: proxy-server
- apiGroup: rbac.authorization.k8s.io
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -87,31 +56,12 @@ spec: labels: app: proxy-server spec: - serviceAccount: proxy-server containers: - - name: proxy-server - image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService }} + image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService }} imagePullPolicy: Always - env: - {{- $str := "" -}} - {{- $ns := include "custom.namespace" . -}} - {{- $replicas := .Values.redis.replicas | int }} - {{- $sentinel := .Values.redis.sentinel }} - {{- range $i, $e := until $replicas }} - {{- if $i }} - {{- $str = print $str "," -}} - {{- end }} - {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} - {{- end }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - args: - - "--redis-sentinel={{ $str }}" - - "--redis-password=$(REDIS_PASSWORD)" + args: + - "--redis-host=redis.{{ .Release.Namespace }}.svc.cluster.local:6379" - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" - "--role-service=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051" - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" diff --git a/charts/csm-authorization/templates/storage-service.yaml b/charts/csm-authorization/templates/storage-service.yaml index 44b272fb..16672639 100644 --- a/charts/csm-authorization/templates/storage-service.yaml +++ b/charts/csm-authorization/templates/storage-service.yaml 
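Review bot: Dropping `serviceAccount: proxy-server` makes the pod run under the namespace's `default` service account, whose token is still mounted into the container even though none of the restored `args` reference the API server. Adding `automountServiceAccountToken: false` to the pod spec next to `containers:` removes that unused credential; if the image does still need API access, a dedicated account set via `serviceAccountName` is preferable to the deprecated `serviceAccount` field. Separately, in this view the `- name: proxy-server` item line is removed with no added counterpart while `image:` is re-added, which would leave `containers:` without a list item — likely a whitespace artefact of the rendering, but worth confirming against the rendered template. The Deployment document begins before this hunk.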
@@ -10,14 +10,8 @@ metadata:
 name: storage-service
 rules:
 - apiGroups: [""]
- resources: ["secrets", "events"]
- verbs: ["get", "patch","post", create]
- - apiGroups: ["csm-authorization.storage.dell.com"]
- resources: ["storages", "csmtenants", "csmroles"]
- verbs: ["get", "list"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["create", "update", "get", "list"]
+ resources: ["secrets"]
+ verbs: ["get", "patch","post"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -32,20 +26,6 @@ roleRef:
 name: storage-service
 apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: storage-service-tokenreview-binding
- namespace: {{ include "custom.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
- - kind: ServiceAccount
- name: storage-service
- namespace: {{ include "custom.namespace" . }}
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
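Review bot: `"post"` in the rewritten `verbs: ["get", "patch","post"]` is not a Kubernetes RBAC verb (the API recognises get, list, watch, create, update, patch, delete and deletecollection), so it never matches a request and only obscures intent; drop it, or restore `"create"` if storage-service really creates Secrets, which the removed line granted alongside it. The rule also lives in a ClusterRole bound by the ClusterRoleBinding below, so with no `resourceNames` it permits `get`/`patch` on every Secret in the cluster. Scoping it to the chart namespace with a Role/RoleBinding, or at least adding `resourceNames: ["karavi-storage-secret"]` (the Secret the Deployment mounts — confirm it is the one being patched), would match the service's actual footprint. The second hunk is a pure deletion of the `system:auth-delegator` binding and needs nothing further.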
@@ -68,62 +48,29 @@ spec: - name: storage-service image: {{ required "Must provide the storage-service image." .Values.authorization.images.storageService }} imagePullPolicy: Always - env: - {{- $str := "" -}} - {{- $ns := include "custom.namespace" . -}} - {{- $replicas := .Values.redis.replicas | int }} - {{- $sentinel := .Values.redis.sentinel }} - {{- range $i, $e := until $replicas }} - {{- if $i }} - {{- $str = print $str "," -}} - {{- end }} - {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}} - {{- end }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: redis-csm-secret - key: password - args: - - "--vault-address={{ .Values.vault.address }}" - - "--vault-kv-engine-path={{ .Values.vault.kvEnginePath }}" - - "--vault-role={{ .Values.vault.role }}" - - "--vault-skip-certificate-validation={{ .Values.vault.skipCertificateValidation }}" - - "--redis-sentinel={{ $str }}" - - "--redis-password=$(REDIS_PASSWORD)" - - "--leader-election=true" ports: - containerPort: 50051 name: grpc + env: + - name: NAMESPACE + value: {{ include "custom.namespace" . 
}} volumeMounts: + - name: storage-volume + mountPath: /etc/karavi-authorization/storage - name: config-volume mountPath: /etc/karavi-authorization/config - name: csm-config-params mountPath: /etc/karavi-authorization/csm-config-params - - name: vault-client-certificate - mountPath: /etc/vault volumes: + - name: storage-volume + secret: + secretName: karavi-storage-secret - name: config-volume secret: secretName: karavi-config-secret - name: csm-config-params configMap: name: csm-config-params - - name: vault-client-certificate - projected: - sources: - {{- if and (.Values.vault.clientCertificate) (.Values.vault.clientKey) }} - - secret: - name: vault-client-certificate - {{- else }} - - secret: - name: storage-service-selfsigned-tls - {{- end }} - {{- if .Values.vault.certificateAuthority }} - - secret: - name: vault-certificate-authority - {{- end }} - --- apiVersion: v1 kind: Service 
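Review bot: The new `NAMESPACE` env entry emits `value: {{ include "custom.namespace" . }}` unquoted; `value` must be a string in the EnvVar schema, and a namespace name such as `1234` is a valid DNS label that YAML parses as an integer and the API server then rejects, so `value: {{ include "custom.namespace" . | quote }}` is the safer form. Replacing the Vault client flags with the mounted `karavi-storage-secret` volume moves what are presumably storage-array credentials into a plain Kubernetes Secret; that matches the rest of this chart, but their protection is now only etcd encryption plus the Secret RBAC granted in the storage-service ClusterRole hunk above, so that grant deserves the tighter scoping. The Deployment document starts before this hunk.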
@@ -137,63 +84,3 @@ spec:
 - port: 50051
 targetPort: 50051
 name: grpc
----
-{{- if .Values.vault.certificateAuthority }}
-{{- $certificateFileContents := .Values.vault.certificateAuthority }}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: vault-certificate-authority
- namespace: {{ include "custom.namespace" . }}
-data:
- ca.crt: {{ $certificateFileContents | b64enc }}
-{{- end }}
----
-{{- if and (.Values.vault.clientCertificate) (.Values.vault.clientKey) }}
-{{- $certificateFileContents := .Values.vault.clientCertificate }}
-{{- $keyFileContents := .Values.vault.clientKey }}
-apiVersion: v1
-data:
- tls.crt: {{ $certificateFileContents | b64enc }}
- tls.key: {{ $keyFileContents | b64enc }}
-kind: Secret
-type: kubernetes.io/tls
-metadata:
- name: vault-client-certificate
- namespace: {{ include "custom.namespace" . }}
-{{- else }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: storage-service-selfsigned
- namespace: {{ include "custom.namespace" . }}
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: storage-service-selfsigned
- namespace: {{ include "custom.namespace" . }}
-spec:
- secretName: storage-service-selfsigned-tls
- duration: 2160h # 90d
- renewBefore: 360h # 15d
- subject:
- organizations:
- - dellemc
- isCA: false
- privateKey:
- algorithm: RSA
- encoding: PKCS1
- size: 2048
- usages:
- - client auth
- dnsNames:
- - csm-authorization-storage-service
- issuerRef:
- name: storage-service-selfsigned
- kind: Issuer
- group: cert-manager.io
-{{- end }}
\ No newline at end of file
diff --git a/charts/csm-authorization/templates/tenant-service.yaml b/charts/csm-authorization/templates/tenant-service.yaml
index a73fbb64..b54a7f13 100644
--- a/charts/csm-authorization/templates/tenant-service.yaml
+++ b/charts/csm-authorization/templates/tenant-service.yaml
@@ -17,27 +17,10 @@ spec:
 spec:
 containers:
 - name: tenant-service
- image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService }}
- imagePullPolicy: Always
- env:
- {{- $str := "" -}}
- {{- $ns := include "custom.namespace" . -}}
- {{- $replicas := .Values.redis.replicas | int }}
- {{- $sentinel := .Values.redis.sentinel }}
- {{- range $i, $e := until $replicas }}
- {{- if $i }}
- {{- $str = print $str "," -}}
- {{- end }}
- {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}}
- {{- end }}
- - name: REDIS_PASSWORD
- valueFrom:
- secretKeyRef:
- name: redis-csm-secret
- key: password
+ image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService }}
+ imagePullPolicy: Always
 args:
- - "--redis-sentinel={{ $str }}"
- - "--redis-password=$(REDIS_PASSWORD)"
+ - "--redis-host=redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379"
 ports:
 - containerPort: 50051
 name: grpc
diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml
index 36d04939..756519de 100644
--- a/charts/csm-authorization/values.yaml
+++ b/charts/csm-authorization/values.yaml
@@ -1,12 +1,7 @@
-# set to true if installing on an OpenShift Container Platform
-# if enabled, the OpenShift Ingress Operator will be used
+---
+# if enabled, nginx ingress controller will be deployed
 # if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section
-openshift: false
-
-# set to true if installing on a Kubernetes Container Platform
-# if enabled, NGINX Ingress Controller will be deployed
-# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section
-nginx:
+ingress-nginx:
 enabled: true
 # if enabled, cert-manager will be deployed
@@ -17,11 +12,10 @@ cert-manager: authorization: # images to use in installation images: - proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha - tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha - roleService: dellemc/csm-authorization-role:v2.0.0-alpha - storageService: dellemc/csm-authorization-storage:v2.0.0-alpha - authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha + proxyService: dellemc/csm-authorization-proxy:v1.11.0 + tenantService: dellemc/csm-authorization-tenant:v1.11.0 + roleService: dellemc/csm-authorization-role:v1.11.0 + storageService: dellemc/csm-authorization-storage:v1.11.0 opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 @@ -49,27 +43,19 @@ authorization: ingressClassName: nginx # additional host rules for the proxy-server ingress - hosts: [] - # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local + hosts: + [] + # - application-ingress-nginx-controller.namespace.svc.cluster.local # additional annotations for the proxy-server ingress annotations: {} - - # storage capacity poll interval - storageCapacityPollInterval: 5m redis: - name: redis-csm - sentinel: sentinel - rediscommander: rediscommander - replicas: 5 images: - redis: redis:7.2.4-alpine + redis: redis:6.0.8-alpine commander: rediscommander/redis-commander:latest - -vault: - address: https://10.0.0.1:8400 - kvEnginePath: secret - role: csm-authorization - skipCertificateValidation: true + # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis + # to use a different storage class for redis, uncomment the following line and specify the name of the storage class + # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver to be configured with this instance of CSM Authorization + # storageClass: