Authorino Reconciler #1

Merged: 6 commits, Nov 17, 2021

@jjaferson commented Nov 1, 2021

This PR is the starting point to enable the deployment of Authorino instances via the operator.

P.S.: missing unit testing

Verification steps

  1. Clone the repo from this branch
  2. Install the operator on a cluster of your choice
  3. Run the operator, e.g.: make install run
  4. Create an instance of authorino using the CR; an example can be found here.
  5. Check if the authorino instance was deployed correctly by verifying whether a deployment is created and a pod is up and running

@jjaferson force-pushed the foundation2 branch 6 times, most recently from 30eef4f to 0947c36 (November 16, 2021 18:00)

@guicassolato left a comment

Tested with the following script:

kind create cluster --name authorino

# operator
make docker-build OPERATOR_IMAGE=authorino-operator:local
kind load docker-image authorino-operator:local --name authorino
kubectl create namespace authorino-operator
make install deploy OPERATOR_IMAGE=authorino-operator:local

kubectl create namespace myapp

# upstream
kubectl -n myapp apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/talker-api/talker-api-deploy.yaml

# authorino (without tls)
kubectl -n myapp apply -f -<<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  replicas: 1
  clusterWide: false
  listener:
    tls:
      enabled: false
  oidcServer:
    tls:
      enabled: false
EOF

# envoy (without tls)
curl -L https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/overlays/notls/configmap.yaml | sed -E 's/authorino-authorization/authorino-authorino-authorization/g' | kubectl -n myapp apply -f -
kubectl -n myapp apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/base/envoy.yaml

# authconfig
kubectl -n myapp apply -f -<<EOF
apiVersion: authorino.3scale.net/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
    - talker-api
  identity:
    - name: friends
      apiKey:
        labelSelectors:
          group: friends
      credentials:
        in: authorization_header
        keySelector: APIKEY
EOF

# consume
kubectl -n myapp apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: friend-1-api-key-1
  labels:
    authorino.3scale.net/managed-by: authorino
    group: friends
stringData:
  api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
type: Opaque
EOF

kubectl -n myapp port-forward deployment/envoy 8000:8000 &
curl -H 'Host: talker-api' -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://localhost:8000/hello

# tls certs
CURRENT_DIR=$PWD; AUTHORINO_DIR=$(mktemp -d); cd $AUTHORINO_DIR
git clone --depth 1 --branch main https://github.com/kuadrant/authorino.git && cd authorino
make cert-manager
make certs AUTHORINO_NAMESPACE=myapp
rm -rf $AUTHORINO_DIR; cd $CURRENT_DIR

# authorino (with tls)
kubectl -n myapp apply -f -<<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  replicas: 1
  clusterWide: false
  listener:
    tls:
      certSecretRef:
        name: authorino-server-cert
  oidcServer:
    tls:
      certSecretRef:
        name: authorino-oidc-server-cert
EOF

# envoy (with tls)
curl -L https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/overlays/tls/configmap.yaml | sed -E 's/authorino-authorization/authorino-authorino-authorization/g' | kubectl -n myapp apply -f -
kubectl -n myapp apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/base/envoy.yaml
kubectl -n myapp patch deployment/envoy -p '{"spec":{"template":{"spec":{"volumes":[{"name":"authorino-ca-cert","secret":{"defaultMode":420,"secretName":"authorino-ca-cert"}}],"containers":[{"name":"envoy","volumeMounts":[{"name":"authorino-ca-cert","subPath":"ca.crt","mountPath":"/etc/ssl/certs/authorino-ca-cert.crt","readOnly":true}]}]}}}}'

# consume
curl -H 'Host: talker-api' -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://localhost:8000/hello

# cleanup
kind delete cluster --name authorino

Works perfectly! Congratz and thank you, @jjaferson!
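
A pre-deploy check for the two Authorino CRs used in the script above, added here as an example (it is not part of the PR or of the reviewer's script): it reports whether listener and oidcServer have TLS disabled or reference a certificate secret. The function names, the sample manifest and the awk-based parsing of block-style, space-indented YAML are assumptions of this example.

```sh
# Added example: report the TLS posture of an Authorino CR read from stdin.
# Assumes block-style YAML indented with spaces, as in the manifests above.
authorino_tls_report() {
  awk '
    # An indent of 0 means "not inside that scope" (tls is always nested).
    function close_scopes(n) {
      if (sec != "" && n <= sec_ind) { sec = ""; tls_ind = 0; ref_ind = 0 }
      if (tls_ind > 0 && n <= tls_ind) { tls_ind = 0; ref_ind = 0 }
      if (ref_ind > 0 && n <= ref_ind) ref_ind = 0
    }
    /^[ ]*(#|$)/ { next }                      # skip comments and blank lines
    {
      match($0, /^ */); n = RLENGTH            # indentation of this line
      key = $1; sub(/:$/, "", key); val = $2
      close_scopes(n)
      if (key == "listener" || key == "oidcServer") { sec = key; sec_ind = n }
      else if (sec != "" && tls_ind == 0 && key == "tls") tls_ind = n
      else if (tls_ind > 0 && ref_ind == 0 && key == "enabled" && val == "false") off[sec] = 1
      else if (tls_ind > 0 && key == "certSecretRef") ref_ind = n
      else if (ref_ind > 0 && key == "name") cert[sec] = val
    }
    END {
      split("listener oidcServer", names, " ")
      for (i = 1; i <= 2; i++) {
        s = names[i]
        if (off[s]) print s ": tls-disabled"
        else if (cert[s] != "") print s ": cert=" cert[s]
        else print s ": tls-unspecified"
      }
    }'
}
# Exit status 0 only when both sections reference a certificate secret.
authorino_tls_ok() {
  ! authorino_tls_report | grep -Eq 'tls-(disabled|unspecified)'
}
# Constructed sample: listener as in the no-TLS CR, oidcServer as in the TLS CR.
sample_cr() { cat <<'EOF'
kind: Authorino
spec:
  listener:
    tls:
      enabled: false
  oidcServer:
    tls:
      certSecretRef:
        name: authorino-oidc-server-cert
EOF
}
sample_cr | authorino_tls_report
```

Piping a manifest into authorino_tls_ok before kubectl apply gives a non-zero exit status for the no-TLS variant, which is useful as a gate outside throwaway kind clusters.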

* Installs authorino CRDs and Clusterroles via manifest

@eguzki left a comment

Good job 🎖️

@jjaferson merged commit 4c757ba into main Nov 17, 2021
@guicassolato mentioned this pull request Nov 17, 2021
@jjaferson deleted the foundation2 branch January 18, 2022 17:32