{"id":20410269,"url":"https://github.com/kuadrant/authorino-operator","last_synced_at":"2026-02-04T15:01:20.021Z","repository":{"id":37399133,"uuid":"415867175","full_name":"Kuadrant/authorino-operator","owner":"Kuadrant","description":"Kubernetes Operator to manage Authorino instances","archived":false,"fork":false,"pushed_at":"2025-04-10T15:34:17.000Z","size":982,"stargazers_count":10,"open_issues_count":13,"forks_count":22,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-10T16:52:59.253Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kuadrant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-10-11T09:51:47.000Z","updated_at":"2025-04-10T15:34:22.000Z","dependencies_parsed_at":"2023-10-11T10:49:30.427Z","dependency_job_id":"17136d65-b59f-49d2-886c-f2b0c18d3004","html_url":"https://github.com/Kuadrant/authorino-operator","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fauthorino-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fauthorino-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fauthorino-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fauthorino-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/owners/Kuadrant","download_url":"https://codeload.github.com/Kuadrant/authorino-operator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248592218,"owners_count":21130207,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T05:45:17.158Z","updated_at":"2025-10-29T11:31:41.723Z","avatar_url":"https://github.com/Kuadrant.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authorino Operator\n\nA Kubernetes Operator to manage [Authorino](https://github.com/Kuadrant/authorino) instances.\n\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0)\n[![codecov](https://codecov.io/gh/Kuadrant/authorino-operator/branch/main/graph/badge.svg?token=3O9IUKS642)](https://codecov.io/gh/Kuadrant/authorino-operator)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino-operator.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino-operator?ref=badge_shield)\n\n## Installation\n\nThe Operator can be installed by applying the manifests to the Kubernetes cluster or using [Operator Lifecycle Manager (OLM)](https://olm.operatorframework.io/)\n\n### Applying the manifests to the cluster\n\n1. Install the Operator manifests\n\n```sh\nmake install\n```\n\n2. 
Deploy the Operator\n\n```sh\nmake deploy\n```\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003ci\u003eTip:\u003c/i\u003e Deploy a custom image of the Operator\u003c/summary\u003e\n  \u003cbr/\u003e\n  To deploy an image of the Operator other than the default \u003ccode\u003equay.io/kuadrant/authorino-operator:latest\u003c/code\u003e, specify it by setting the \u003ccode\u003eOPERATOR_IMAGE\u003c/code\u003e parameter. E.g.:\n\n  ```sh\n  make deploy OPERATOR_IMAGE=authorino-operator:local\n  ```\n\u003c/details\u003e\n\n### Installing via OLM\n\nTo install the Operator using the [Operator Lifecycle Manager](https://olm.operatorframework.io/), you need to make the\nOperator CSVs available in the cluster by creating a `CatalogSource` resource.\n\nThe bundle and catalog images of the Operator are available on Quay.io:\n\n\u003ctable\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003cth\u003eBundle\u003c/th\u003e\n      \u003ctd\u003e\u003ca href=\"https://quay.io/kuadrant/authorino-operator-bundle\"\u003equay.io/kuadrant/authorino-operator-bundle\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth\u003eCatalog\u003c/th\u003e\n      \u003ctd\u003e\u003ca href=\"https://quay.io/kuadrant/authorino-operator-catalog\"\u003equay.io/kuadrant/authorino-operator-catalog\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n1. Create the namespace for the Operator\n\n```sh\nkubectl create namespace authorino-operator\n```\n\n2. 
Create the [CatalogSource](https://olm.operatorframework.io/docs/concepts/crds/catalogsource) resource pointing to\n   one of the images from the Operator's catalog repo:\n\n```sh\nkubectl -n authorino-operator apply -f -\u003c\u003cEOF\napiVersion: operators.coreos.com/v1alpha1\nkind: CatalogSource\nmetadata:\n  name: operatorhubio-catalog\n  namespace: authorino-operator\nspec:\n  sourceType: grpc\n  image: quay.io/kuadrant/authorino-operator-catalog:latest\n  displayName: Authorino Operator\nEOF\n```\n\n## Deploy the Authorino Operator using operator-sdk\n\n1. Install the operator-sdk binary\n   ```sh\n   make operator-sdk\n   ```\n2. Run the operator-sdk bundle command\n   ```sh\n   ./bin/operator-sdk run bundle quay.io/kuadrant/authorino-operator-bundle:latest\n   ```\n\nNote: on s390x \u0026 ppc64le, use operator-sdk to install the Authorino Operator.\n\n## Requesting an Authorino instance\n\nOnce the Operator is up and running, you can request instances of Authorino by creating `Authorino` CRs. E.g.:\n\n```sh\nkubectl -n default apply -f -\u003c\u003cEOF\napiVersion: operator.authorino.kuadrant.io/v1beta1\nkind: Authorino\nmetadata:\n  name: authorino\nspec:\n  listener:\n    tls:\n      enabled: false\n  oidcServer:\n    tls:\n      enabled: false\nEOF\n```\n\n## The `Authorino` Custom Resource Definition (CRD)\n\nAPI to install, manage and configure Authorino authorization services.\n\nEach [`Authorino`](https://github.com/Kuadrant/authorino-operator/tree/main/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml)\nCustom Resource (CR) represents an instance of Authorino deployed to the cluster. 
The Authorino Operator will reconcile\nthe state of the Kubernetes Deployment and associated resources, based on the state of the CR.\n\n### API Specification\n\n| Field |              Type               | Description                                | Required/Default |\n|-------|:-------------------------------:|--------------------------------------------|------------------|\n| spec  | [AuthorinoSpec](#authorinospec) | Specification of the Authorino deployment. | Required         |\n\n#### AuthorinoSpec\n\n| Field                    |            Type             | Description                                                                                                                                                                                                                             | Required/Default                                      |\n|--------------------------|:---------------------------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|\n| clusterWide              |           Boolean           | Sets the Authorino instance's [watching scope](https://docs.kuadrant.io/authorino/docs/architecture/#cluster-wide-vs-namespaced-instances) – cluster-wide or namespaced.                                                 | Default: `true` (cluster-wide)                        |\n| authConfigLabelSelectors |           String            | [Label selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) used by the Authorino instance to filter `AuthConfig`-related reconciliation events.                                       
| Default: empty (all AuthConfigs are watched)          |\n| secretLabelSelectors     |           String            | [Label selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) used by the Authorino instance to filter `Secret`-related reconciliation events (API key and mTLS authentication methods). | Default: `authorino.kuadrant.io/managed-by=authorino` |\n| supersedingHostSubsets   |           Boolean           | Enable/disable allowing AuthConfigs to supersede strict subsets of hosts already taken.                                                                                                                                                 | Default: `false`                                      |\n| replicas                 |           Integer           | Number of replicas desired for the Authorino instance. Values greater than 1 enable leader election in the Authorino service, where the leader updates the statuses of the `AuthConfig` CRs.                                            | Default: 1                                            |\n| evaluatorCacheSize       |           Integer           | Cache size (in megabytes) of each Authorino evaluator (when enabled in an [`AuthConfig`](https://docs.kuadrant.io/authorino/docs/features/#common-feature-caching-cache)).                                               | Default: 1                                            |\n| image                    |           String            | Authorino image to be deployed (for dev/testing purposes only).                                                                                                                                                                         | Default: `quay.io/kuadrant/authorino:latest`          |\n| imagePullPolicy          |           String            | Sets the [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images) of the Authorino Deployment (for dev/testing purposes only).     
                                                                                     | Default: k8s default                                  |\n| logLevel                 |           String            | Defines the level of log you want to enable in Authorino (`debug`, `info` and `error`).                                                                                                                                                 | Default: `info`                                       |\n| logMode                  |           String            | Defines the log mode in Authorino (`development` or `production`).                                                                                                                                                                      | Default: `production`                                 |\n| listener                 |    [Listener](#listener)    | Specification of the authorization service (gRPC interface).                                                                                                                                                                            | Required                                              |\n| oidcServer               |  [OIDCServer](#oidcserver)  | Specification of the OIDC service.                                                                                                                                                                                                      | Required                                              |\n| tracing                  |     [Tracing](#tracing)     | Configuration of the OpenTelemetry tracing exporter.                                                                                                                                                                                    
| Optional                                              |\n| metrics                  |     [Metrics](#metrics)     | Configuration of the metrics server (port, level).                                                                                                                                                                                      | Optional                                              |\n| healthz                  |     [Healthz](#healthz)     | Configuration of the health/readiness probe (port).                                                                                                                                                                                     | Optional                                              |\n| volumes                  | [VolumesSpec](#volumesspec) | Additional volumes to be mounted in the Authorino pods.                                                                                                                                                                                 | Optional                                              |\n\n#### Listener\n\nConfiguration of the authorization server – [gRPC](https://docs.kuadrant.io/authorino/docs/architecture/#overview)\nand [raw HTTP](https://docs.kuadrant.io/authorino/docs/architecture/#raw-http-authorization-interface)\ninterfaces\n\n| Field   |      Type       | Description                                                                                                     | Required/Default                         |\n|---------|:---------------:|-----------------------------------------------------------------------------------------------------------------|------------------------------------------|\n| port    |     Integer     | Port number of authorization server (gRPC interface).                                                           
| _**DEPRECATED**_\u003cbr/\u003eUse `ports` instead |\n| ports   | [Ports](#ports) | Port numbers of the authorization server (gRPC and raw HTTP interfaces).                                        | Optional                                 |\n| tls     |   [TLS](#tls)   | TLS configuration of the authorization server (gRPC and HTTP interfaces).                                       | Required                                 |\n| timeout |     Integer     | Timeout of external authorization request (in milliseconds), controlled internally by the authorization server. | Default: `0` (disabled)                  |\n\n#### OIDCServer\n\nConfiguration of the OIDC Discovery server for [Festival Wristband](https://docs.kuadrant.io/authorino/docs/features/#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband)\ntokens.\n\n| Field |    Type     | Description                                                                  | Required/Default |\n|-------|:-----------:|------------------------------------------------------------------------------|------------------|\n| port  |   Integer   | Port number of the OIDC Discovery server for Festival Wristband tokens.      | Default: `8083`  |\n| tls   | [TLS](#tls) | TLS configuration of the OIDC Discovery server for Festival Wristband tokens. | Required         |\n\n#### TLS\n\nTLS configuration of a server. 
Appears in [`listener`](#listener) and [`oidcServer`](#oidcserver).\n\n| Field         |                                                           Type                                                            | Description                                                                             | Required/Default              |\n|---------------|:-------------------------------------------------------------------------------------------------------------------------:|-----------------------------------------------------------------------------------------|-------------------------------|\n| enabled       |                                                          Boolean                                                          | Whether TLS is enabled or disabled for the server.                                      | Default: `true`               |\n| certSecretRef | [LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#localobjectreference-v1-core) | The reference to the secret that contains the TLS certificates `tls.crt` and `tls.key`. | Required when `enabled: true` |\n\n#### Ports\n\nPort numbers of the authorization server.\n\n| Field |  Type   | Description                                                                                            | Required/Default |\n|-------|:-------:|--------------------------------------------------------------------------------------------------------|------------------|\n| grpc  | Integer | Port number of the gRPC interface of the authorization server. Set to 0 to disable this interface.     | Default: `50001` |\n| http  | Integer | Port number of the raw HTTP interface of the authorization server. Set to 0 to disable this interface. 
| Default: `5001`  |\n\n#### Tracing\n\nConfiguration of the OpenTelemetry tracing exporter.\n\n| Field    |  Type   | Description                                                                                         | Required/Default |\n|----------|:-------:|-----------------------------------------------------------------------------------------------------|------------------|\n| endpoint | String  | Full endpoint of the OpenTelemetry tracing collector service (e.g. http://jaeger:14268/api/traces). | Required         |\n| tags     |  Map    | Key-value map of fixed tags to add to all OpenTelemetry traces emitted by Authorino.                | Optional         |\n| insecure | Boolean | Enable/disable insecure connection to the tracing endpoint                                          | Default: `false` |\n\n#### Metrics\n\nConfiguration of the metrics server.\n\n| Field |  Type   | Description                                                                                                                                                                                                    | Required/Default |\n|-------|:-------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|\n| port  | Integer | Port number of the metrics server.                                                                                                                                                                             | Default: `8080`  |\n| deep  | Boolean | Enable/disable metrics at the level of each evaluator config (if requested in the [`AuthConfig`](https://docs.kuadrant.io/authorino/docs/features/#common-feature-metrics-metrics)) exported by the metrics server. 
| Default: `false` |\n\n#### Healthz\n\nConfiguration of the health/readiness probe (port).\n\n| Field |  Type   | Description                                | Required/Default |\n|-------|:-------:|--------------------------------------------|------------------|\n| port  | Integer | Port number of the health/readiness probe. | Default: `8081`  |\n\n#### VolumesSpec\n\nAdditional volumes to project in the Authorino pods. Useful for validating the self-signed TLS certificates of external\nservices that Authorino is known to contact at runtime.\n\n| Field       |            Type             | Description                                                                                                                        | Required/Default |\n|-------------|:---------------------------:|------------------------------------------------------------------------------------------------------------------------------------|------------------|\n| items       | [[]VolumeSpec](#volumespec) | List of additional volume items to project.                                                                                        | Optional         |\n| defaultMode |           Integer           | Mode bits used to set permissions on the files. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
| Optional         |\n\n#### VolumeSpec\n\n| Field      |                                                 Type                                                  | Description                                                                             | Required/Default                                  |\n|------------|:-----------------------------------------------------------------------------------------------------:|-----------------------------------------------------------------------------------------|---------------------------------------------------|\n| name       |                                                String                                                 | Name of the volume and volume mount within the Deployment. It must be unique in the CR. | Optional                                          |\n| mountPath  |                                                String                                                 | Absolute path at which to mount all the items.                                          | Required                                          |\n| configMaps |                                               []String                                                | List of Kubernetes ConfigMap names to mount.                                            | Required exactly one of: `configMaps`, `secrets`. |\n| secrets    |                                               []String                                                | List of Kubernetes Secret names to mount.                                               | Required exactly one of: `configMaps`, `secrets`. |\n| items      | [[]KeyToPath](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#keytopath-v1-core) | Mount details for selecting specific ConfigMap or Secret entries.                       
| Optional                                          |\n\n### Full example\n\n```yaml\napiVersion: operator.authorino.kuadrant.io/v1beta1\nkind: Authorino\nmetadata:\n  name: authorino\nspec:\n  clusterWide: true\n  authConfigLabelSelectors: environment=production\n  secretLabelSelectors: authorino.kuadrant.io/component=authorino,environment=production\n\n  replicas: 2\n\n  evaluatorCacheSize: 2 # mb\n\n  image: quay.io/kuadrant/authorino:latest\n  imagePullPolicy: Always\n\n  logLevel: debug\n  logMode: production\n\n  listener:\n    ports:\n      grpc: 50001\n      http: 5001\n    tls:\n      enabled: true\n      certSecretRef:\n        name: authorino-server-cert # secret must contain `tls.crt` and `tls.key` entries\n\n  oidcServer:\n    port: 8083\n    tls:\n      enabled: true\n      certSecretRef:\n        name: authorino-oidc-server-cert # secret must contain `tls.crt` and `tls.key` entries\n\n  metrics:\n    port: 8080\n    deep: true\n\n  volumes:\n    items:\n      - name: keycloak-tls-cert\n        mountPath: /etc/ssl/certs\n        configMaps:\n          - keycloak-tls-cert\n        items: # details to mount the k8s configmap in the authorino pods\n          - key: keycloak.crt\n            path: keycloak.crt\n    defaultMode: 420\n```\n\n## Removal\n\n### Removing the Operator installed via manifests\n\n1. Undeploy the Operator\n\n```sh\nmake undeploy\n```\n\n2. Remove the Operator manifests\n\n```sh\nmake uninstall\n```\n\n#### Remove dependencies (Optional)\n\n1. Remove the Operator namespace\n\n```sh\nmake delete-namespace\n```\n\n2. 
Uninstall cert-manager\n\n```sh\nmake uninstall-cert-manager\n```\n\n## License\n\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino-operator.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino-operator?ref=badge_large)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkuadrant%2Fauthorino-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkuadrant%2Fauthorino-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkuadrant%2Fauthorino-operator/lists"}