AuthConfig conversion webhook

Deploys the AuthConfig CRD conversion webhook (based on the Authorino container image), as part of deploying the Operator.

This is because the conversion webhook is a single deployment per cluster (similarly to the Operator itself), nevertheless it's based on the Authorino code base (which owns the AuthConfig type and therefore the functions to convert between versions of the CRD).

This change introduces a dependency of the Operator on cert-manager (https://cert-manager.io).

Makefile

@@ -137,6 +137,7 @@ manifests: controller-gen kustomize authorino-manifests ## Generate WebhookConfi
 
 .PHONY: authorino-manifests
 authorino-manifests: export AUTHORINO_GITREF := $(AUTHORINO_BRANCH)
+authorino-manifests: export AUTHORINO_VERSION := $(AUTHORINO_VERSION)
 authorino-manifests: ## Update authorino manifests.
 	envsubst \
         < config/authorino/kustomization.template.yaml \

bundle/manifests/authorino-operator.clusterserviceversion.yaml

@@ -280,6 +280,45 @@ spec:
                 runAsNonRoot: true
               serviceAccountName: authorino-operator
               terminationGracePeriodSeconds: 10
+      - label:
+          app: authorino
+          authorino-component: authorino-webhooks
+        name: authorino-webhooks
+        spec:
+          selector:
+            matchLabels:
+              app: authorino
+              authorino-component: authorino-webhooks
+          strategy: {}
+          template:
+            metadata:
+              labels:
+                app: authorino
+                authorino-component: authorino-webhooks
+            spec:
+              containers:
+              - command:
+                - authorino
+                - webhooks
+                image: quay.io/kuadrant/authorino:latest
+                name: webhooks
+                ports:
+                - containerPort: 9443
+                  name: webhooks
+                - containerPort: 8080
+                  name: metrics
+                - containerPort: 8081
+                  name: healthz
+                resources: {}
+                volumeMounts:
+                - mountPath: /tmp/k8s-webhook-server/serving-certs
+                  name: cert
+                  readOnly: true
+              volumes:
+              - name: cert
+                secret:
+                  defaultMode: 420
+                  secretName: authorino-webhook-server-cert
       permissions:
       - rules:
         - apiGroups:
@@ -314,6 +353,47 @@ spec:
           - create
           - patch
         serviceAccountName: authorino-operator
+      - rules:
+        - apiGroups:
+          - authorino.kuadrant.io
+          resources:
+          - authconfigs
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - authorino.kuadrant.io
+          resources:
+          - authconfigs/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - create
+          - get
+          - list
+          - update
+        - apiGroups:
+          - ""
+          resources:
+          - configmaps
+          - events
+          verbs:
+          - create
+          - get
+          - list
+          - update
+        serviceAccountName: default
     strategy: deployment
   installModes:
   - supported: false
@@ -347,3 +427,16 @@ spec:
   provider:
     name: Red Hat
   version: 0.0.0
+  webhookdefinitions:
+  - admissionReviewVersions:
+    - v1beta1
+    - v1beta2
+    containerPort: 443
+    conversionCRDs:
+    - authconfigs.authorino.kuadrant.io
+    deploymentName: authorino-webhooks
+    generateName: cauthconfigs.kb.io
+    sideEffects: None
+    targetPort: 9443
+    type: ConversionWebhook
+    webhookPath: /convert

bundle/manifests/authorino-webhooks_v1_service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app: authorino
+    authorino-component: authorino-webhooks
+  name: authorino-webhooks
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app: authorino
+    authorino-component: authorino-webhooks
+status:
+  loadBalancer: {}

bundle/manifests/authorino.kuadrant.io_authconfigs.yaml

@@ -2,10 +2,22 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    cert-manager.io/inject-ca-from: authorino-operator/authorino-webhook-server-cert
     controller-gen.kubebuilder.io/version: v0.9.0
   creationTimestamp: null
   name: authconfigs.authorino.kuadrant.io
 spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: authorino-webhooks
+          namespace: authorino-operator
+          path: /convert
+      conversionReviewVersions:
+      - v1beta1
+      - v1beta2
   group: authorino.kuadrant.io
   names:
     kind: AuthConfig

config/authorino/kustomization.template.yaml

@@ -1,2 +1,74 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 resources:
 - github.com/Kuadrant/authorino/install?ref=${AUTHORINO_GITREF}
+- webhook
+
+# Configures the conversion webhook
+images:
+- name: AUTHORINO_IMAGE
+  newName: quay.io/kuadrant/authorino
+  newTag: ${AUTHORINO_VERSION}
+
+patchesStrategicMerge:
+- webhook/patches/webhook_in_authconfigs.yaml
+
+replacements:
+- source:
+    fieldPath: .metadata.namespace
+    group: cert-manager.io
+    kind: Certificate
+    name: authorino-webhook-server-cert
+    version: v1
+  targets:
+  - fieldPaths:
+    - .metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      create: true
+      delimiter: /
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io
+- source:
+    fieldPath: .metadata.name
+    group: cert-manager.io
+    kind: Certificate
+    name: authorino-webhook-server-cert
+    version: v1
+  targets:
+  - fieldPaths:
+    - .metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      create: true
+      delimiter: /
+      index: 1
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io
+- source:
+    fieldPath: .metadata.name
+    kind: Service
+    name: authorino-webhooks
+    version: v1
+  targets:
+  - fieldPaths:
+    - .spec.conversion.webhook.clientConfig.service.name
+    options:
+      create: true
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io
+- source:
+    fieldPath: .metadata.namespace
+    kind: Service
+    name: authorino-webhooks
+    version: v1
+  targets:
+  - fieldPaths:
+    - .spec.conversion.webhook.clientConfig.service.namespace
+    options:
+      create: true
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io

config/authorino/kustomization.yaml

@@ -1,2 +1,74 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 resources:
 - github.com/Kuadrant/authorino/install?ref=main
+- webhook
+
+# Configures the conversion webhook
+images:
+- name: AUTHORINO_IMAGE
+  newName: quay.io/kuadrant/authorino
+  newTag: latest
+
+patchesStrategicMerge:
+- webhook/patches/webhook_in_authconfigs.yaml
+
+replacements:
+- source:
+    fieldPath: .metadata.namespace
+    group: cert-manager.io
+    kind: Certificate
+    name: authorino-webhook-server-cert
+    version: v1
+  targets:
+  - fieldPaths:
+    - .metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      create: true
+      delimiter: /
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io
+- source:
+    fieldPath: .metadata.name
+    group: cert-manager.io
+    kind: Certificate
+    name: authorino-webhook-server-cert
+    version: v1
+  targets:
+  - fieldPaths:
+    - .metadata.annotations.[cert-manager.io/inject-ca-from]
+    options:
+      create: true
+      delimiter: /
+      index: 1
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io
+- source:
+    fieldPath: .metadata.name
+    kind: Service
+    name: authorino-webhooks
+    version: v1
+  targets:
+  - fieldPaths:
+    - .spec.conversion.webhook.clientConfig.service.name
+    options:
+      create: true
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io
+- source:
+    fieldPath: .metadata.namespace
+    kind: Service
+    name: authorino-webhooks
+    version: v1
+  targets:
+  - fieldPaths:
+    - .spec.conversion.webhook.clientConfig.service.namespace
+    options:
+      create: true
+    select:
+      kind: CustomResourceDefinition
+      name: authconfigs.authorino.kuadrant.io

config/authorino/webhook/certificate.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  namespace: system
+  name: webhooks-ca
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  namespace: system
+  name: webhook-server-cert
+spec:
+  dnsNames:
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: authorino-webhooks-ca
+  secretName: authorino-webhook-server-cert

config/authorino/webhook/deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: system
+  name: webhooks
+spec:
+  selector: {}
+  template:
+    spec:
+      containers:
+      - name: webhooks
+        image: AUTHORINO_IMAGE
+        command:
+        - authorino
+        - webhooks
+        ports:
+        - name: webhooks
+          containerPort: 9443
+        - name: metrics
+          containerPort: 8080
+        - name: healthz
+          containerPort: 8081
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+        resources: {}
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: authorino-webhook-server-cert