lint: diff fixes

Makefile

@@ -164,7 +164,7 @@ $(LOCALBIN)/goimports:
 	$(call header,"Installing $(notdir $@)")
 	GOBIN=$(LOCALBIN) go install -mod=readonly golang.org/x/tools/cmd/goimports
 
-LINT_VERSION=v1.53.3
+LINT_VERSION=v1.57.2
 $(LOCALBIN)/golangci-lint:
 	$(call header,"Installing $(notdir $@)")
 	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(LOCALBIN) $(LINT_VERSION)

config/default/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
   - ../manager
 
 # Adds namespace to all resources.
-namespace: odh-platform
+namespace: opendatahub
 
 namePrefix: odh-platform-
 

config/manager/manager.yaml

@@ -15,6 +15,10 @@ spec:
       terminationGracePeriodSeconds: 10
       securityContext:
         runAsNonRoot: true
+      volumes:
+        - configMap:
+            name: platform-capabilities
+          name: auth-capabilities
       containers:
         - name: manager
           image: controller:latest
@@ -31,18 +35,8 @@ spec:
               containerPort: 8081
               protocol: TCP
           env:
-            - name: CONTROL_PLANE_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: service-mesh-refs
-                  key: CONTROL_PLANE_NAME
-                  optional: true
-            - name: MESH_NAMESPACE
-              valueFrom:
-                configMapKeyRef:
-                  name: service-mesh-refs
-                  key: MESH_NAMESPACE
-                  optional: true
+            - name: CONFIG_CAPABILITIES
+              value: /opt/config/capabilities
             - name: AUTHORINO_LABEL
               valueFrom:
                 configMapKeyRef:
@@ -61,6 +55,9 @@ spec:
                   name: auth-refs
                   key: AUTH_PROVIDER
                   optional: true
+          volumeMounts:
+            - mountPath: /opt/config/
+              name: auth-capabilities
           livenessProbe:
             httpGet:
               path: /healthz

config/rbac/role.yaml

@@ -5,10 +5,38 @@ metadata:
   name: manager-role
 rules:
 - apiGroups:
-  - ""
+  - authorino.kuadrant.io
   resources:
-  - services
+  - authconfigs
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - security.istio.io
+  resources:
+  - authorizationpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - security.istio.io
+  resources:
+  - peerauthentications
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
   - watch

controllers/authorization/authorization_controller.go

@@ -7,7 +7,7 @@ import (
 	authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
 	"github.com/opendatahub-io/odh-platform/controllers"
 	"github.com/opendatahub-io/odh-platform/pkg/env"
-	resources "github.com/opendatahub-io/odh-platform/pkg/resource"
+	"github.com/opendatahub-io/odh-platform/pkg/resource"
 	"github.com/opendatahub-io/odh-platform/pkg/spi"
 	"github.com/pkg/errors"
 	istiosecv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -20,14 +20,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func NewPlatformAuthorizationReconciler(client client.Client, log logr.Logger, authComponent spi.AuthorizationComponent) *PlatformAuthorizationReconciler {
+func NewPlatformAuthorizationReconciler(cli client.Client, log logr.Logger, authComponent spi.AuthorizationComponent) *PlatformAuthorizationReconciler {
 	return &PlatformAuthorizationReconciler{
-		Client:         client,
+		Client:         cli,
 		log:            log,
 		authComponent:  authComponent,
-		typeDetector:   resources.NewAnnotationAuthTypeDetector(controllers.AnnotationAuthEnabled),
-		hostExtractor:  resources.NewExpressionHostExtractor(authComponent.HostPaths),
-		templateLoader: resources.NewConfigMapTemplateLoader(client, resources.NewStaticTemplateLoader(env.GetAuthAudience())),
+		typeDetector:   resource.NewAnnotationAuthTypeDetector(controllers.AnnotationAuthEnabled),
+		hostExtractor:  resource.NewExpressionHostExtractor(authComponent.HostPaths),
+		templateLoader: resource.NewConfigMapTemplateLoader(cli, resource.NewStaticTemplateLoader(env.GetAuthAudience())),
 	}
 }
 
@@ -43,11 +43,12 @@ type PlatformAuthorizationReconciler struct {
 	templateLoader spi.AuthConfigTemplateLoader
 }
 
-// +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch
+// +kubebuilder:rbac:groups=authorino.kuadrant.io,resources=authconfigs,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=security.istio.io,resources=authorizationpolicies,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=security.istio.io,resources=peerauthentications,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile ensures that the namespace has all required resources needed to be part of the Service Mesh of Open Data Hub.
 func (r *PlatformAuthorizationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-
 	reconcilers := []reconcileAuthFunc{r.reconcileAuthConfig, r.reconcileAuthPolicy, r.reconcilePeerAuthentication}
 
 	sourceRes := &unstructured.Unstructured{}
@@ -63,9 +64,9 @@ func (r *PlatformAuthorizationReconciler) Reconcile(ctx context.Context, req ctr
 		return ctrl.Result{}, errors.Wrap(err, "failed getting service")
 	}
 
-	r.log.Info("Triggered TestReconcile", "namespace", req.Namespace, "name", req.Name)
-	var errs []error
+	r.log.Info("Triggered Auth Reconcile", "namespace", req.Namespace, "name", req.Name)
 
+	var errs []error
 	for _, reconciler := range reconcilers {
 		errs = append(errs, reconciler(ctx, sourceRes))
 	}
@@ -82,7 +83,7 @@ func (r *PlatformAuthorizationReconciler) SetupWithManager(mgr ctrl.Manager) err
 				Kind:       r.authComponent.CustomResourceType.Kind,
 			},
 		}, builder.OnlyMetadata).
-		// TODO: Add OwnerRef predicator on GVK
+		// TODO: Add OwnerRef predicator on GVK?
 		Owns(&authorinov1beta2.AuthConfig{}).
 		Owns(&istiosecv1beta1.AuthorizationPolicy{}).
 		Owns(&istiosecv1beta1.PeerAuthentication{}).
@@ -91,6 +92,7 @@ func (r *PlatformAuthorizationReconciler) SetupWithManager(mgr ctrl.Manager) err
 
 func targetToOwnerRef(obj *unstructured.Unstructured) metav1.OwnerReference {
 	controller := true
+
 	return metav1.OwnerReference{
 		APIVersion: obj.GetAPIVersion(),
 		Kind:       obj.GetKind(),

controllers/authorization/authorization_controller_test.go

@@ -1,18 +1,18 @@
 package authorization_test
 
 import (
-	"time"
-
 	. "github.com/onsi/ginkgo/v2"
 	//. "github.com/onsi/gomega"
-	//. "github.com/opendatahub-io/odh-platform/test/cluster"
+	//. "github.com/opendatahub-io/odh-platform/test/cluster".
 	"github.com/opendatahub-io/odh-platform/test/labels"
 )
 
+/*
 const (
 	timeout  = 10 * time.Second
 	interval = 250 * time.Millisecond
 )
+*/
 
 var _ = When("Service is created", Label(labels.EnvTest), func() {
 

controllers/authorization/authorization_reconcile_authconfig.go

@@ -2,7 +2,6 @@ package authorization
 
 import (
 	"context"
-	"encoding/json"
 	"reflect"
 
 	authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
@@ -11,20 +10,21 @@ import (
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/retry"
 )
 
 func (r *PlatformAuthorizationReconciler) reconcileAuthConfig(ctx context.Context, target *unstructured.Unstructured) error {
 	authType, err := r.typeDetector.Detect(ctx, target)
 	if err != nil {
-		return err
+		return errors.Wrap(err, "could not detect authtype")
 	}
+
 	templ, err := r.templateLoader.Load(ctx, authType, types.NamespacedName{Namespace: target.GetNamespace(), Name: target.GetName()})
 	if err != nil {
-		return err
+		return errors.Wrap(err, "could not load template "+string(authType))
 	}
+
 	hosts := r.hostExtractor.Extract(target)
 
 	desired, err := createAuthConfig(templ, hosts, target)
@@ -54,7 +54,6 @@ func (r *PlatformAuthorizationReconciler) reconcileAuthConfig(ctx context.Contex
 
 	// Reconcile the Authorino AuthConfig if it has been manually modified
 	if !justCreated && !CompareAuthConfigs(desired, found) {
-
 		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 			if err := r.Get(ctx, types.NamespacedName{
 				Name:      desired.Name,
@@ -86,16 +85,16 @@ func createAuthConfig(templ authorinov1beta2.AuthConfig, hosts []string, target
 	if labels == nil {
 		labels = map[string]string{}
 	}
-	labels[authKey] = authVal
 
+	labels[authKey] = authVal
 	templ.Name = target.GetName()
 	templ.Namespace = target.GetNamespace()
 	templ.Labels = labels                   // TODO: Where to fetch lables from
 	templ.Annotations = map[string]string{} // TODO: where to fetch annotations from? part-of "service comp" or "platform?"
+	templ.Spec.Hosts = hosts
 	templ.OwnerReferences = []metav1.OwnerReference{
 		targetToOwnerRef(target),
 	}
-	templ.Spec.Hosts = hosts
 
 	return &templ, nil
 }
@@ -105,17 +104,3 @@ func CompareAuthConfigs(m1, m2 *authorinov1beta2.AuthConfig) bool {
 	return reflect.DeepEqual(m1.ObjectMeta.Labels, m2.ObjectMeta.Labels) &&
 		reflect.DeepEqual(m1.Spec, m2.Spec)
 }
-
-func toValue(val string) authorinov1beta2.ValueOrSelector {
-	r := runtime.RawExtension{}
-	rv, err := json.Marshal(val)
-	if err == nil {
-		r.Raw = rv
-	}
-	return authorinov1beta2.ValueOrSelector{Value: r}
-
-}
-
-func toSelector(val string) *authorinov1beta2.ValueOrSelector {
-	return &authorinov1beta2.ValueOrSelector{Selector: val}
-}

controllers/authorization/authorization_reconcile_authpolicy.go

@@ -40,7 +40,6 @@ func (r *PlatformAuthorizationReconciler) reconcileAuthPolicy(ctx context.Contex
 
 	// Reconcile the Istio AuthorizationPolicy if it has been manually modified
 	if !justCreated && !CompareAuthPolicies(desired, found) {
-
 		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 			if err := r.Get(ctx, types.NamespacedName{
 				Name:      desired.Name,
@@ -86,6 +85,7 @@ func createAuthorizationPolicy(ports []string, workloadSelector map[string]strin
 			},
 		},
 	}
+
 	for _, port := range ports {
 		rule := v1beta1.Rule{
 			To: []*v1beta1.Rule_To{
@@ -104,6 +104,7 @@ func createAuthorizationPolicy(ports []string, workloadSelector map[string]strin
 		}
 		policy.Spec.Rules = append(policy.Spec.Rules, &rule)
 	}
+
 	return policy
 }
 

controllers/authorization/authorization_reconcile_peerauthentication.go

@@ -78,6 +78,7 @@ func createPeerAuthentication(workloadSelector map[string]string, target *unstru
 			Mtls: &v1beta1.PeerAuthentication_MutualTLS{Mode: v1beta1.PeerAuthentication_MutualTLS_PERMISSIVE},
 		},
 	}
+
 	return policy
 }
 

controllers/unit_test.go

@@ -2,7 +2,7 @@ package controllers_test
 
 import (
 	. "github.com/onsi/ginkgo/v2"
-	//. "github.com/onsi/gomega"
+	//. "github.com/onsi/gomega".
 	"github.com/opendatahub-io/odh-platform/test/labels"
 )
 

go.mod

@@ -17,7 +17,6 @@ require (
 
 // Testing deps
 require (
-	github.com/manifestival/manifestival v0.7.2
 	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.10
 )
@@ -33,7 +32,6 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect