# Authorino Operator

A Kubernetes Operator to manage Authorino instances.

## Installation

The Operator can be installed by applying the manifests to the Kubernetes cluster or using Operator Lifecycle Manager (OLM).
### Applying the manifests to the cluster

- Create the namespace for the Operator
- Install the Operator manifests
- Deploy the Operator

Tip: Deploy a custom image of the Operator

To deploy an image of the Operator other than the default quay.io/kuadrant/authorino-operator:latest, specify it by setting the OPERATOR_IMAGE parameter.
### Installing via OLM

To install the Operator using the Operator Lifecycle Manager, you need to make the Operator CSVs available in the cluster by creating a CatalogSource resource.

The bundle and catalog images of the Operator are available in Quay.io:

Image | Location |
---|---|
Bundle | quay.io/kuadrant/authorino-operator-bundle |
Catalog | quay.io/kuadrant/authorino-operator-catalog |
- Create the namespace for the Operator
- Create the CatalogSource resource pointing to one of the images from the Operator's catalog repo:

```shell
kubectl -n authorino-operator apply -f -<<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: operatorhubio-catalog
  namespace: authorino-operator
spec:
  sourceType: grpc
  image: quay.io/kuadrant/authorino-operator-catalog:latest
  displayName: Authorino Operator
EOF
```
## Requesting an Authorino instance

Once the Operator is up and running, you can request instances of Authorino by creating Authorino CRs. E.g.:

```shell
kubectl -n default apply -f -<<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  listener:
    tls:
      enabled: false
  oidcServer:
    tls:
      enabled: false
EOF
```
## The Authorino Custom Resource Definition (CRD)

API to install, manage and configure Authorino authorization services.

Each Authorino Custom Resource (CR) represents an instance of Authorino deployed to the cluster. The Authorino Operator reconciles the state of the Kubernetes Deployment and associated resources based on the state of the CR.

### API Specification
Field | Type | Description | Required/Default |
---|---|---|---|
spec | AuthorinoSpec | Specification of the Authorino deployment. | Required |
#### AuthorinoSpec

Field | Type | Description | Required/Default |
---|---|---|---|
clusterWide | Boolean | Sets the Authorino instance's watching scope – cluster-wide or namespaced. | Default: true (cluster-wide) |
authConfigLabelSelectors | String | Label selectors used by the Authorino instance to filter AuthConfig-related reconciliation events. | Default: empty (all AuthConfigs are watched) |
secretLabelSelectors | String | Label selectors used by the Authorino instance to filter Secret-related reconciliation events (API key and mTLS authentication methods). | Default: authorino.kuadrant.io/managed-by=authorino |
supersedingHostSubsets | Boolean | Enable/disable allowing AuthConfigs to supersede strict subsets of hosts already taken. | Default: false |
replicas | Integer | Number of replicas desired for the Authorino instance. Values greater than 1 enable leader election in the Authorino service, where the leader updates the statuses of the AuthConfig CRs. | Default: 1 |
evaluatorCacheSize | Integer | Cache size (in megabytes) of each Authorino evaluator (when enabled in an AuthConfig). | Default: 1 |
image | String | Authorino image to be deployed (for dev/testing purpose only). | Default: quay.io/kuadrant/authorino:latest |
imagePullPolicy | String | Sets the imagePullPolicy of the Authorino Deployment (for dev/testing purpose only). | Default: k8s default |
logLevel | String | Defines the level of log you want to enable in Authorino (debug, info and error). | Default: info |
logMode | String | Defines the log mode in Authorino (development or production). | Default: production |
listener | Listener | Specification of the authorization service (gRPC interface). | Required |
oidcServer | OIDCServer | Specification of the OIDC service. | Required |
tracing | Tracing | Configuration of the OpenTelemetry tracing exporter. | Optional |
metrics | Metrics | Configuration of the metrics server (port, level). | Optional |
healthz | Healthz | Configuration of the health/readiness probe (port). | Optional |
volumes | VolumesSpec | Additional volumes to be mounted in the Authorino pods. | Optional |
#### Listener

Configuration of the authorization server – gRPC and raw HTTP interfaces.

Field | Type | Description | Required/Default |
---|---|---|---|
port | Integer | Port number of authorization server (gRPC interface). | DEPRECATED Use ports instead |
ports | Ports | Port numbers of the authorization server (gRPC and raw HTTP interfaces). | Optional |
tls | TLS | TLS configuration of the authorization server (gRPC and HTTP interfaces). | Required |
timeout | Integer | Timeout of external authorization request (in milliseconds), controlled internally by the authorization server. | Default: 0 (disabled) |
#### OIDCServer

Configuration of the OIDC Discovery server for Festival Wristband tokens.

Field | Type | Description | Required/Default |
---|---|---|---|
port | Integer | Port number of OIDC Discovery server for Festival Wristband tokens. | Default: 8083 |
tls | TLS | TLS configuration of the OIDC Discovery server for Festival Wristband tokens. | Required |
#### TLS

TLS configuration of server. Appears in listener and oidcServer.

Field | Type | Description | Required/Default |
---|---|---|---|
enabled | Boolean | Whether TLS is enabled or disabled for the server. | Default: true |
certSecretRef | LocalObjectReference | The reference to the secret that contains the TLS certificates tls.crt and tls.key. | Required when enabled: true |
#### Ports

Port numbers of the authorization server.

Field | Type | Description | Required/Default |
---|---|---|---|
grpc | Integer | Port number of the gRPC interface of the authorization server. Set to 0 to disable this interface. | Default: 50001 |
http | Integer | Port number of the raw HTTP interface of the authorization server. Set to 0 to disable this interface. | Default: 5001 |
#### Tracing

Configuration of the OpenTelemetry tracing exporter.

Field | Type | Description | Required/Default |
---|---|---|---|
endpoint | String | Full endpoint of the OpenTelemetry tracing collector service (e.g. http://jaeger:14268/api/traces). | Required |
tags | Map | Key-value map of fixed tags to add to all OpenTelemetry traces emitted by Authorino. | Optional |
insecure | Boolean | Enable/disable insecure connection to the tracing endpoint. | Default: false |
#### Metrics

Configuration of the metrics server.

Field | Type | Description | Required/Default |
---|---|---|---|
port | Integer | Port number of the metrics server. | Default: 8080 |
deep | Boolean | Enable/disable metrics at the level of each evaluator config (if requested in the AuthConfig) exported by the metrics server. | Default: false |
#### Healthz

Configuration of the health/readiness probe (port).

Field | Type | Description | Required/Default |
---|---|---|---|
port | Integer | Port number of the health/readiness probe. | Default: 8081 |
#### VolumesSpec

Additional volumes to project in the Authorino pods. Useful for validating the self-signed TLS certificates of external services that Authorino is known to contact at runtime.

Field | Type | Description | Required/Default |
---|---|---|---|
items | []VolumeSpec | List of additional volume items to project. | Optional |
defaultMode | Integer | Mode bits used to set permissions on the files. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. | Optional |
#### VolumeSpec

Field | Type | Description | Required/Default |
---|---|---|---|
name | String | Name of the volume and volume mount within the Deployment. It must be unique in the CR. | Optional |
mountPath | String | Absolute path where to mount all the items. | Required |
configMaps | []String | List of Kubernetes ConfigMap names to mount. | Required exactly one of: configMaps, secrets. |
secrets | []String | List of Kubernetes Secret names to mount. | Required exactly one of: configMaps, secrets. |
items | []KeyToPath | Mount details for selecting specific ConfigMap or Secret entries. | Optional |
### Full example

```yaml
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  clusterWide: true
  authConfigLabelSelectors: environment=production
  secretLabelSelectors: authorino.kuadrant.io/component=authorino,environment=production
  replicas: 2
  evaluatorCacheSize: 2 # mb
  image: quay.io/kuadrant/authorino:latest
  imagePullPolicy: Always
  logLevel: debug
  logMode: production
  listener:
    ports:
      grpc: 50001
      http: 5001
    tls:
      enabled: true
      certSecretRef:
        name: authorino-server-cert # secret must contain `tls.crt` and `tls.key` entries
  oidcServer:
    port: 8083
    tls:
      enabled: true
      certSecretRef:
        name: authorino-oidc-server-cert # secret must contain `tls.crt` and `tls.key` entries
  metrics:
    port: 8080
    deep: true
  volumes:
    items:
      - name: keycloak-tls-cert
        mountPath: /etc/ssl/certs
        configMaps:
          - keycloak-tls-cert
        items: # details to mount the k8s configmap in the authorino pods
          - key: keycloak.crt
            path: keycloak.crt
    defaultMode: 420
```
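The TLS, Ports and VolumeSpec tables above each state a constraint (TLS defaults to enabled and then needs certSecretRef; exactly one of configMaps or secrets per volume; defaultMode within 0..0777; listener.port is deprecated), and the quick-start CR earlier on this page turns TLS off on both interfaces. The following added example, which is not part of the Authorino Operator project, lints a CR against those constraints before it is applied; it assumes the CR is handed over as a plain dict (the shape yaml.safe_load returns), so it needs neither a cluster nor a YAML library.

```python
# Added example, not the Authorino Operator's own code: a lint that checks an
# Authorino CR against the constraints stated in the API tables above. The CR is
# a plain dict (what yaml.safe_load would return), so no cluster or YAML library is needed.

def lint_authorino(cr: dict) -> list[str]:
    """Return findings for an Authorino CR; an empty list means it passes."""
    findings = []
    spec = cr.get("spec", {})
    for server in ("listener", "oidcServer"):          # both blocks are required
        block = spec.get(server)
        if block is None:
            findings.append(f"spec.{server}: required block is missing")
            continue
        tls = block.get("tls", {})
        if not tls.get("enabled", True):               # TLS defaults to enabled
            findings.append(f"spec.{server}.tls: disabled, traffic is plaintext (dev/test only)")
        elif not tls.get("certSecretRef", {}).get("name"):
            findings.append(f"spec.{server}.tls: enabled but certSecretRef.name is missing")
    listener = spec.get("listener", {})
    if "port" in listener:
        findings.append("spec.listener.port: deprecated, use spec.listener.ports")
    ports = listener.get("ports", {})
    if ports.get("grpc", 50001) == 0 and ports.get("http", 5001) == 0:
        findings.append("spec.listener.ports: gRPC and HTTP interfaces are both disabled")
    volumes = spec.get("volumes", {})
    mode = volumes.get("defaultMode")
    if mode is not None and not 0 <= mode <= 0o777:    # 0000..0777 octal, 0..511 decimal
        findings.append(f"spec.volumes.defaultMode: {mode} is outside 0..511")
    for i, item in enumerate(volumes.get("items", [])):
        if bool(item.get("configMaps")) == bool(item.get("secrets")):
            findings.append(f"spec.volumes.items[{i}]: exactly one of configMaps/secrets required")
    return findings

# Constructed sample CRs, shaped like the quick-start and the full example above.
QUICKSTART_CR = {"spec": {"listener": {"tls": {"enabled": False}},
                          "oidcServer": {"tls": {"enabled": False}}}}
HARDENED_CR = {"spec": {
    "listener": {"ports": {"grpc": 50001, "http": 5001},
                 "tls": {"enabled": True, "certSecretRef": {"name": "authorino-server-cert"}}},
    "oidcServer": {"port": 8083,
                   "tls": {"enabled": True, "certSecretRef": {"name": "authorino-oidc-server-cert"}}},
    "volumes": {"defaultMode": 420, "items": [{"name": "keycloak-tls-cert",
                "mountPath": "/etc/ssl/certs", "configMaps": ["keycloak-tls-cert"]}]}}}

if __name__ == "__main__":
    for label, cr in (("quick-start", QUICKSTART_CR), ("hardened", HARDENED_CR)):
        print(label, lint_authorino(cr) or "OK")
```

Run against the quick-start CR it reports both plaintext interfaces; against the full example it reports nothing.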