https://github.com/kuadrant/authorino-operator
Kubernetes Operator to manage Authorino instances
- Host: GitHub
- URL: https://github.com/kuadrant/authorino-operator
- Owner: Kuadrant
- License: apache-2.0
- Created: 2021-10-11T09:51:47.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2025-04-10T15:34:17.000Z (about 1 year ago)
- Last Synced: 2025-04-10T16:52:59.253Z (about 1 year ago)
- Language: Go
- Homepage:
- Size: 959 KB
- Stars: 10
- Watchers: 6
- Forks: 22
- Open Issues: 13
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Authorino Operator
A Kubernetes Operator to manage [Authorino](https://github.com/Kuadrant/authorino) instances.
[License: Apache 2.0](http://www.apache.org/licenses/LICENSE-2.0)
[Codecov](https://codecov.io/gh/Kuadrant/authorino-operator)
[FOSSA Status](https://app.fossa.com/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino-operator?ref=badge_shield)
## Installation
The Operator can be installed by applying the manifests to the Kubernetes cluster or by using [Operator Lifecycle Manager (OLM)](https://olm.operatorframework.io/).
### Applying the manifests to the cluster
1. Install the Operator manifests
```sh
make install
```
2. Deploy the Operator
```sh
make deploy
```
Tip: Deploy a custom image of the Operator
To deploy an image of the Operator other than the default `quay.io/kuadrant/authorino-operator:latest`, set the `OPERATOR_IMAGE` parameter, e.g.:
```sh
make deploy OPERATOR_IMAGE=authorino-operator:local
```
### Installing via OLM
To install the Operator using the [Operator Lifecycle Manager](https://olm.operatorframework.io/), you need to make the
Operator CSVs available in the cluster by creating a `CatalogSource` resource.
The bundle and catalog images of the Operator are available in Quay.io:
- Bundle: `quay.io/kuadrant/authorino-operator-bundle`
- Catalog: `quay.io/kuadrant/authorino-operator-catalog`
1. Create the namespace for the Operator
```sh
kubectl create namespace authorino-operator
```
2. Create the [CatalogSource](https://olm.operatorframework.io/docs/concepts/crds/catalogsource) resource pointing to
one of the images in the Operator's catalog repo:
```sh
kubectl -n authorino-operator apply -f -<
```
#### Listener
| Field | Type | Description | Required/Default |
|-------|:-----------:|------------------------------------------------------------------------------|------------------|
| ports | [Ports](#ports) | Port numbers of the authorization server (gRPC and raw HTTP interfaces). | Optional |
| tls | [TLS](#tls) | TLS configuration of the authorization server (gRPC and HTTP interfaces). | Required |
| timeout | Integer | Timeout of external authorization request (in milliseconds), controlled internally by the authorization server. | Default: `0` (disabled) |
#### OIDCServer
Configuration of the OIDC Discovery server for [Festival Wristband](https://docs.kuadrant.io/authorino/docs/features/#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) tokens.
| Field | Type | Description | Required/Default |
|-------|:-----------:|------------------------------------------------------------------------------|------------------|
| port | Integer | Port number of OIDC Discovery server for Festival Wristband tokens. | Default: `8083` |
| tls | [TLS](#tls) | TLS configuration of the OIDC Discovery server for Festival Wristband tokens | Required |
#### TLS
TLS configuration of server. Appears in [`listener`](#listener) and [`oidcServer`](#oidcserver).
| Field | Type | Description | Required/Default |
|---------------|:-------------------------------------------------------------------------------------------------------------------------:|-----------------------------------------------------------------------------------------|-------------------------------|
| enabled | Boolean | Whether TLS is enabled or disabled for the server. | Default: `true` |
| certSecretRef | [LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#localobjectreference-v1-core) | The reference to the secret that contains the TLS certificates `tls.crt` and `tls.key`. | Required when `enabled: true` |
#### Ports
Port numbers of the authorization server.
| Field | Type | Description | Required/Default |
|-------|:-------:|--------------------------------------------------------------------------------------------------------|------------------|
| grpc | Integer | Port number of the gRPC interface of the authorization server. Set to 0 to disable this interface. | Default: `50001` |
| http | Integer | Port number of the raw HTTP interface of the authorization server. Set to 0 to disable this interface. | Default: `5001` |
#### Tracing
Configuration of the OpenTelemetry tracing exporter.
| Field | Type | Description | Required/Default |
|----------|:-------:|-----------------------------------------------------------------------------------------------------|------------------|
| endpoint | String | Full endpoint of the OpenTelemetry tracing collector service (e.g. http://jaeger:14268/api/traces). | Required |
| tags | Map | Key-value map of fixed tags to add to all OpenTelemetry traces emitted by Authorino. | Optional |
| insecure | Boolean | Enable/disable insecure connection to the tracing endpoint | Default: `false` |
#### Metrics
Configuration of the metrics server.
| Field | Type | Description | Required/Default |
|-------|:-------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
| port | Integer | Port number of the metrics server. | Default: `8080` |
| deep | Boolean | Enable/disable metrics at the level of each evaluator config (if requested in the [`AuthConfig`](https://docs.kuadrant.io/authorino/docs/features/#common-feature-metrics-metrics)) exported by the metrics server. | Default: `false` |
#### Healthz
Configuration of the health/readiness probe (port).
| Field | Type | Description | Required/Default |
|-------|:-------:|--------------------------------------------|------------------|
| port | Integer | Port number of the health/readiness probe. | Default: `8081` |
#### VolumesSpec
Additional volumes to project into the Authorino pods. Useful for validating the self-signed TLS certificates of external services that Authorino must contact at runtime.
| Field | Type | Description | Required/Default |
|-------------|:---------------------------:|------------------------------------------------------------------------------------------------------------------------------------|------------------|
| items | [[]VolumeSpec](#volumespec) | List of additional volume items to project. | Optional |
| defaultMode | Integer | Mode bits used to set permissions on the files. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. | Optional |
#### VolumeSpec
| Field | Type | Description | Required/Default |
|------------|:-----------------------------------------------------------------------------------------------------:|-----------------------------------------------------------------------------------------|--------------------------------------------------|
| name | String | Name of the volume and volume mount within the Deployment. It must be unique in the CR. | Optional |
| mountPath | String | Absolute path where to mount all the items. | Required |
| configMaps | []String | List of Kubernetes ConfigMap names to mount. | Required exactly one of: `configMaps`, `secrets`. |
| secrets | []String | List of Kubernetes Secret names to mount. | Required exactly one of: `configMaps`, `secrets`. |
| items | [[]KeyToPath](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#keytopath-v1-core) | Mount details for selecting specific ConfigMap or Secret entries. | Optional |
### Full example
```yaml
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  clusterWide: true
  authConfigLabelSelectors: environment=production
  secretLabelSelectors: authorino.kuadrant.io/component=authorino,environment=production
  replicas: 2
  evaluatorCacheSize: 2 # mb
  image: quay.io/kuadrant/authorino:latest
  imagePullPolicy: Always
  logLevel: debug
  logMode: production
  listener:
    ports:
      grpc: 50001
      http: 5001
    tls:
      enabled: true
      certSecretRef:
        name: authorino-server-cert # secret must contain `tls.crt` and `tls.key` entries
  oidcServer:
    port: 8083
    tls:
      enabled: true
      certSecretRef:
        name: authorino-oidc-server-cert # secret must contain `tls.crt` and `tls.key` entries
  metrics:
    port: 8080
    deep: true
  volumes:
    items:
      - name: keycloak-tls-cert
        mountPath: /etc/ssl/certs
        configMaps:
          - keycloak-tls-cert
        items: # details to mount the k8s configmap in the authorino pods
          - key: keycloak.crt
            path: keycloak.crt
    defaultMode: 420
```
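The constraints stated in the TLS, VolumesSpec and VolumeSpec tables above (a `certSecretRef` is required when `enabled: true`; `defaultMode` must lie in 0..511; each volume item needs an absolute `mountPath` and exactly one of `configMaps` or `secrets`) as an added Go example, not code from the operator; the struct types are assumed stand-ins for the spec fields, not the operator's API types.

```go
package main

import (
	"errors"
	"fmt"
)
// Stand-ins for the spec fields documented in the tables above (assumed shapes, not the operator's API types).
type TLS struct {
	Enabled       bool
	CertSecretRef string // name of the Secret holding tls.crt and tls.key
}
type VolumeSpec struct {
	MountPath  string
	ConfigMaps []string
	Secrets    []string
}
type VolumesSpec struct {
	Items       []VolumeSpec
	DefaultMode *int // nil when the field is omitted
}
// ValidateTLS enforces "certSecretRef is required when enabled: true".
func ValidateTLS(t TLS) error {
	if t.Enabled && t.CertSecretRef == "" {
		return errors.New("tls.enabled is true but tls.certSecretRef is not set")
	}
	return nil
}

// ValidateVolumes enforces the VolumesSpec/VolumeSpec rules: defaultMode within
// 0..511 (octal 0000..0777), an absolute mountPath, and exactly one of configMaps or secrets.
func ValidateVolumes(v VolumesSpec) error {
	if v.DefaultMode != nil && (*v.DefaultMode < 0 || *v.DefaultMode > 511) {
		return fmt.Errorf("defaultMode %d is outside 0..511", *v.DefaultMode)
	}
	for i, it := range v.Items {
		if it.MountPath == "" || it.MountPath[0] != '/' {
			return fmt.Errorf("items[%d]: mountPath must be an absolute path", i)
		}
		if (len(it.ConfigMaps) > 0) == (len(it.Secrets) > 0) {
			return fmt.Errorf("items[%d]: exactly one of configMaps or secrets must be set", i)
		}
	}
	return nil
}
func main() { // checks the volume from the "Full example" above: one ConfigMap at /etc/ssl/certs, defaultMode 420
	mode := 420
	v := VolumesSpec{Items: []VolumeSpec{{MountPath: "/etc/ssl/certs", ConfigMaps: []string{"keycloak-tls-cert"}}}, DefaultMode: &mode}
	fmt.Println(ValidateTLS(TLS{Enabled: true, CertSecretRef: "authorino-server-cert"}), ValidateVolumes(v))
}
```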
## Removal
### Removing the operator installed via manifests
1. Undeploy the Operator
```sh
make undeploy
```
2. Remove the Operator manifests
```sh
make uninstall
```
#### Remove dependencies (Optional)
1. Remove operator namespace
```sh
make delete-namespace
```
2. Uninstall cert manager
```sh
make uninstall-cert-manager
```
## License
[FOSSA Status](https://app.fossa.com/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino-operator?ref=badge_large)