Unified kuadrant - Add TLSPolicy and DNSPolicy (#416)

* Unified Kuadrant * Remove policy-controller * Add dns-operator dependency (v0.1.0) * Move DNSPolicy api and controller from MGC * Move TLSPolicy api and controller from MGC * Update TLSPolicy and DNSPolicy status condition logic to use Accepted instead of Ready * Update image build GH workflows * update TLSPolicy and DNSPolicy CRD printcolumns to match kuadrant polices * Update certmanager version to closer match the version of certmanager we are running v1.7.1 -> v1.12.1 * Add dnspolicy overview and reference docs * Add tlspolicy overview and reference docs --------- Co-authored-by: Sergio Franco Garcia <[email protected]>
Kuadrant · Feb 20, 2024 · 93d2265 · 93d2265
1 parent f982a02
commit 93d2265
Show file tree

Hide file tree

Showing 77 changed files with 8,260 additions and 982 deletions.
diff --git a/.github/workflows/build-images-base.yaml b/.github/workflows/build-images-base.yaml
@@ -19,8 +19,8 @@ on:
         description: Limitador Operator bundle version
         default: latest
         type: string
-      policyControllerVersion:
-        description: Policy Controller version
+      dnsOperatorVersion:
+        description: DNS Operator bundle version
         default: latest
         type: string
       wasmShimVersion:
@@ -53,8 +53,8 @@ on:
         description: Limitador Operator bundle version
         default: latest
         type: string
-      policyControllerVersion:
-        description: Policy Controller version
+      dnsOperatorVersion:
+        description: DNS Operator bundle version
         default: latest
         type: string
       wasmShimVersion:
@@ -134,8 +134,8 @@ jobs:
             VERSION=${{ env.VERSION }} IMAGE_TAG=${{ inputs.kuadrantOperatorTag }} \
             AUTHORINO_OPERATOR_VERSION=${{ inputs.authorinoOperatorVersion }} \
             LIMITADOR_OPERATOR_VERSION=${{ inputs.limitadorOperatorVersion }} \
+            DNS_OPERATOR_VERSION=${{ inputs.dnsOperatorVersion }} \
             WASM_SHIM_VERSION=${{ inputs.wasmShimVersion }} \
-            POLICY_CONTROLLER_VERSION=${{ inputs.policyControllerVersion }} \
             REPLACES_VERSION=${{ inputs.replacesVersion }} \
             CHANNELS=${{ inputs.channels }}
       - name: Build Image
@@ -178,8 +178,8 @@ jobs:
             VERSION=${{ env.VERSION }} IMAGE_TAG=${{ inputs.kuadrantOperatorTag }} \
             AUTHORINO_OPERATOR_VERSION=${{ inputs.authorinoOperatorVersion }} \
             LIMITADOR_OPERATOR_VERSION=${{ inputs.limitadorOperatorVersion }} \
+            DNS_OPERATOR_VERSION=${{ inputs.dnsOperatorVersion }} \
             WASM_SHIM_VERSION=${{ inputs.wasmShimVersion }} \
-            POLICY_CONTROLLER_VERSION=${{ inputs.policyControllerVersion }} \
             REPLACES_VERSION=${{ inputs.replacesVersion }} \
             CHANNELS=${{ inputs.channels }}
       - name: Install qemu dependency

diff --git a/.github/workflows/build-images-nightly.yaml b/.github/workflows/build-images-nightly.yaml
@@ -23,5 +23,5 @@ jobs:
       kuadrantOperatorTag: ${{ needs.date.outputs.date }}
       authorinoOperatorVersion: ${{ vars.AUTHORINO_OPERATOR_SHA }}
       limitadorOperatorVersion: ${{ vars.LIMITADOR_OPERATOR_SHA }}
-      policyControllerVersion: ${{ vars.POLICY_CONTROLLER_SHA }}
+      dnsOperatorVersion: ${{ vars.DNS_OPERATOR_SHA }}
       wasmShimVersion: ${{ vars.WASM_SHIM_SHA }}
diff --git a/.github/workflows/update-stored-dependencies-version.yaml b/.github/workflows/update-stored-dependencies-version.yaml
@@ -24,7 +24,7 @@ jobs:
           - limitador
           - limitador-operator
           - wasm-shim
-          - policy-controller
+          - dns-operator
     steps:
       - name: Fetch dependencies images list
         id: fetch

diff --git a/Makefile b/Makefile
@@ -135,17 +135,25 @@ LIMITADOR_OPERATOR_GITREF = $(LIMITADOR_OPERATOR_BUNDLE_VERSION)
 endif
 LIMITADOR_OPERATOR_BUNDLE_IMG ?= quay.io/kuadrant/limitador-operator-bundle:$(LIMITADOR_OPERATOR_BUNDLE_IMG_TAG)
 
-## policy-controller
-POLICY_CONTROLLER_VERSION ?= latest
-policy_controller_is_semantic := $(call is_semantic_version,$(POLICY_CONTROLLER_VERSION))
-ifeq (latest,$(POLICY_CONTROLLER_VERSION))
-POLICY_CONTROLLER_VERSION = 0.0.0
-POLICY_CONTROLLER_GITREF = main
-else ifeq (true,$(policy_controller_is_semantic))
-POLICY_CONTROLLER_GITREF = v$(POLICY_CONTROLLER_VERSION)
+## dns
+#ToDo Pin this version once we have an initial release of the dns operator
+DNS_OPERATOR_VERSION ?= latest
+
+kuadrantdns_bundle_is_semantic := $(call is_semantic_version,$(DNS_OPERATOR_VERSION))
+ifeq (latest,$(DNS_OPERATOR_VERSION))
+DNS_OPERATOR_BUNDLE_VERSION = 0.0.0
+DNS_OPERATOR_BUNDLE_IMG_TAG = latest
+DNS_OPERATOR_GITREF = main
+else ifeq (true,$(kuadrantdns_bundle_is_semantic))
+DNS_OPERATOR_BUNDLE_VERSION = $(DNS_OPERATOR_VERSION)
+DNS_OPERATOR_BUNDLE_IMG_TAG = v$(DNS_OPERATOR_BUNDLE_VERSION)
+DNS_OPERATOR_GITREF = v$(DNS_OPERATOR_BUNDLE_VERSION)
 else
-POLICY_CONTROLLER_GITREF = $(POLICY_CONTROLLER_VERSION)
+DNS_OPERATOR_BUNDLE_VERSION = $(DNS_OPERATOR_VERSION)
+DNS_OPERATOR_BUNDLE_IMG_TAG = $(DNS_OPERATOR_BUNDLE_VERSION)
+DNS_OPERATOR_GITREF = $(DNS_OPERATOR_BUNDLE_VERSION)
 endif
+DNS_OPERATOR_BUNDLE_IMG ?= quay.io/kuadrant/dns-operator-bundle:$(DNS_OPERATOR_BUNDLE_IMG_TAG)
 
 ## wasm-shim
 WASM_SHIM_VERSION ?= latest
@@ -266,18 +274,17 @@ endef
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) crd paths="./api/v1beta1;./api/v1beta2" output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) crd paths="./api/v1alpha1;./api/v1beta1;./api/v1beta2" output:crd:artifacts:config=config/crd/bases
 	$(CONTROLLER_GEN) rbac:roleName=manager-role webhook paths="./..."
 
 .PHONY: dependencies-manifests
 dependencies-manifests: export AUTHORINO_OPERATOR_GITREF := $(AUTHORINO_OPERATOR_GITREF)
 dependencies-manifests: export LIMITADOR_OPERATOR_GITREF := $(LIMITADOR_OPERATOR_GITREF)
-dependencies-manifests: export POLICY_CONTROLLER_GITREF := $(POLICY_CONTROLLER_GITREF)
+dependencies-manifests: export DNS_OPERATOR_GITREF := $(DNS_OPERATOR_GITREF)
 dependencies-manifests: ## Update kuadrant dependencies manifests.
 	$(call patch-config,config/dependencies/authorino/kustomization.template.yaml,config/dependencies/authorino/kustomization.yaml)
 	$(call patch-config,config/dependencies/limitador/kustomization.template.yaml,config/dependencies/limitador/kustomization.yaml)
-	$(call patch-config,config/dependencies/policy-controller/kustomization.template.yaml,config/dependencies/policy-controller/kustomization.yaml)
-	$(call patch-config,config/dependencies/policy-controller/samples/kustomization.template.yaml,config/dependencies/policy-controller/samples/kustomization.yaml)
+	$(call patch-config,config/dependencies/dns/kustomization.template.yaml,config/dependencies/dns/kustomization.yaml)
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -417,13 +424,6 @@ deploy-dependencies: kustomize dependencies-manifests ## Deploy dependencies to
 	$(KUSTOMIZE) build config/dependencies | kubectl apply -f -
 	kubectl -n "$(KUADRANT_NAMESPACE)" wait --timeout=300s --for=condition=Available deployments --all
 
-deploy-policy-controller: kustomize ## Deploy policy-controller to the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/policy-controller | kubectl apply -f -
-	kubectl -n "$(KUADRANT_NAMESPACE)" wait --timeout=300s --for=condition=Available deployments policy-controller
-
-undeploy-policy-controller: ## Undeploy policy-controller from the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/policy-controller | kubectl delete -f -
-
 .PHONY: install-metallb
 install-metallb: kustomize yq ## Installs the metallb load balancer allowing use of an LoadBalancer type with a gateway
 	$(KUSTOMIZE) build config/metallb | kubectl apply -f -
@@ -483,6 +483,7 @@ bundle: $(OPM) $(YQ) manifests dependencies-manifests kustomize operator-sdk ##
 	# TODO(eguzki): run only if not default one. Avoid bundle parsing if version is known in advance
 	$(call update-operator-dependencies,limitador-operator,$(LIMITADOR_OPERATOR_BUNDLE_IMG))
 	$(call update-operator-dependencies,authorino-operator,$(AUTHORINO_OPERATOR_BUNDLE_IMG))
+	$(call update-operator-dependencies,dns-operator,$(DNS_OPERATOR_BUNDLE_IMG))
 	$(OPERATOR_SDK) bundle validate ./bundle
 	$(MAKE) bundle-ignore-createdAt
 

diff --git a/README.md b/README.md
@@ -38,15 +38,18 @@ to operate the cluster (Istio's) ingress gateway to provide API management with
 | [Limitador](https://github.com/Kuadrant/limitador)                   | The external rate limiting service. It exposes a gRPC service implementing the [Envoy Rate Limit protocol (v3)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto)                                                                                        |
 | [Authorino Operator](https://github.com/Kuadrant/authorino-operator) | A Kubernetes Operator to manage Authorino instances                                                                                                                                                                                                                                       |
 | [Limitador Operator](https://github.com/Kuadrant/limitador-operator) | A Kubernetes Operator to manage Limitador instances                                                                                                                                                                                                                                       |
+| [DNS Operator](https://github.com/Kuadrant/dns-operator)             | A Kubernetes Operator to manage DNS records in external providers                                                                                                                                                                                                                         |
 
 ### Provided APIs
 
 The kuadrant control plane owns the following [Custom Resource Definitions, CRDs](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/):
 
-| CRD                                                                                                 | Description                                                    | Example                                                                                                                                  |
-|-----------------------------------------------------------------------------------------------------|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
-| AuthPolicy CRD [\[doc\]](doc/auth.md) [[reference]](doc/reference/authpolicy.md)                    | Enable AuthN and AuthZ based access control on workloads       | [AuthPolicy CR](https://github.com/Kuadrant/kuadrant-operator/blob/main/examples/toystore/authpolicy.yaml)                               |
+| CRD                                                                                                 | Description                                                    | Example                                                                                                                                |
+|-----------------------------------------------------------------------------------------------------|----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| AuthPolicy CRD [\[doc\]](doc/auth.md) [[reference]](doc/reference/authpolicy.md)                    | Enable AuthN and AuthZ based access control on workloads       | [AuthPolicy CR](https://github.com/Kuadrant/kuadrant-operator/blob/main/examples/toystore/authpolicy.yaml)                             |
 | RateLimitPolicy CRD [\[doc\]](doc/rate-limiting.md) [[reference]](doc/reference/ratelimitpolicy.md) | Enable access control on workloads based on HTTP rate limiting | [RateLimitPolicy CR](https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/main/examples/toystore/ratelimitpolicy_httproute.yaml) |
+| DNSPolicy CRD [\[doc\]](doc/dns.md) [[reference]](doc/reference/dnspolicy.md)                       | Enable DNS management                                          | [DNSPolicy CR](config/samples/kuadrant_v1alpha1_dnspolicy.yaml)                |
+| TLSPolicy CRD [\[doc\]](doc/tls.md) [[reference]](doc/reference/tlspolicy.md)                       | Enable TLS management                                          | [TLSPolicy CR](config/samples/kuadrant_v1alpha1_tlspolicy.yaml)                |
 
 Additionally, Kuadrant provides the following CRDs
 
@@ -66,6 +69,8 @@ Additionally, Kuadrant provides the following CRDs
   [Istio getting started guide](https://istio.io/latest/docs/setup/getting-started/).
 * Kubernetes Gateway API is installed in the cluster. Otherwise,
   [configure Istio to expose a service using the Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/).
+* cert-manager is installed in the cluster. Otherwise, refer to the 
+  [cert-manager installation guide](https://cert-manager.io/docs/installation/).
 
 ### Installing Kuadrant