feat(operator): Add support for managed NetworkPolicy in operator #5922

Open
wants to merge 5 commits into
base: main
Expand Up @@ -47,5 +47,6 @@ rules:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- "*"
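Review bot: With `networkpolicies` placed under the existing `verbs: "*"` entry, the operator's role gains every verb on NetworkPolicy objects, including `deletecollection`, in whatever scope this role is bound. The reconciler changes in this PR appear to need only create, read, update and delete on the policies the operator owns, so a separate rule would keep the grant narrower: `resources: [networkpolicies]` with `verbs: [get, list, watch, create, update, patch, delete]`. The rule starts above the hunk, so the role kind and the other API groups it covers are not visible here.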
Expand Up @@ -4,24 +4,51 @@
import io.apicurio.registry.operator.resource.LabelDiscriminators.AppDeploymentDiscriminator;
import io.apicurio.registry.operator.resource.app.AppDeploymentResource;
import io.apicurio.registry.operator.resource.app.AppIngressResource;
import io.apicurio.registry.operator.resource.app.AppNetworkPolicyResource;
import io.apicurio.registry.operator.resource.app.AppServiceResource;
import io.apicurio.registry.operator.resource.studioui.StudioUIDeploymentResource;
import io.apicurio.registry.operator.resource.studioui.StudioUIIngressResource;
import io.apicurio.registry.operator.resource.studioui.StudioUINetworkPolicyResource;
import io.apicurio.registry.operator.resource.studioui.StudioUIServiceResource;
import io.apicurio.registry.operator.resource.ui.UIDeploymentResource;
import io.apicurio.registry.operator.resource.ui.UIIngressResource;
import io.apicurio.registry.operator.resource.ui.UINetworkPolicyResource;
import io.apicurio.registry.operator.resource.ui.UIServiceResource;
import io.apicurio.registry.operator.updater.IngressCRUpdater;
import io.apicurio.registry.operator.updater.KafkaSqlCRUpdater;
import io.apicurio.registry.operator.updater.SqlCRUpdater;
import io.fabric8.kubernetes.api.model.apps.Deployment;
import io.javaoperatorsdk.operator.api.reconciler.*;
import io.javaoperatorsdk.operator.api.reconciler.Cleaner;
import io.javaoperatorsdk.operator.api.reconciler.Context;
import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
import io.javaoperatorsdk.operator.api.reconciler.DeleteControl;
import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusHandler;
import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusUpdateControl;
import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
import io.javaoperatorsdk.operator.api.reconciler.dependent.Dependent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import static io.apicurio.registry.operator.resource.ActivationConditions.*;
import static io.apicurio.registry.operator.resource.ResourceKey.*;
import static io.apicurio.registry.operator.resource.ActivationConditions.AppIngressActivationCondition;
import static io.apicurio.registry.operator.resource.ActivationConditions.AppNetworkPolicyActivationCondition;
import static io.apicurio.registry.operator.resource.ActivationConditions.StudioUIDeploymentActivationCondition;
import static io.apicurio.registry.operator.resource.ActivationConditions.StudioUIIngressActivationCondition;
import static io.apicurio.registry.operator.resource.ActivationConditions.StudioUINetworkPolicyActivationCondition;
import static io.apicurio.registry.operator.resource.ActivationConditions.UIIngressActivationCondition;
import static io.apicurio.registry.operator.resource.ActivationConditions.UINetworkPolicyActivationCondition;
import static io.apicurio.registry.operator.resource.ResourceKey.APP_DEPLOYMENT_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.APP_INGRESS_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.APP_NETWORK_POLICY_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.APP_SERVICE_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_DEPLOYMENT_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_INGRESS_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_NETWORK_POLICY_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_SERVICE_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.UI_DEPLOYMENT_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.UI_INGRESS_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.UI_NETWORK_POLICY_ID;
import static io.apicurio.registry.operator.resource.ResourceKey.UI_SERVICE_ID;

// spotless:off
@ControllerConfiguration(
Expand All @@ -42,6 +69,12 @@
dependsOn = {APP_SERVICE_ID},
activationCondition = AppIngressActivationCondition.class
),
@Dependent(
type = AppNetworkPolicyResource.class,
name = APP_NETWORK_POLICY_ID,
dependsOn = {APP_DEPLOYMENT_ID},
activationCondition = AppNetworkPolicyActivationCondition.class
),
// ===== Registry UI
@Dependent(
type = UIDeploymentResource.class,
Expand All @@ -58,6 +91,12 @@
dependsOn = {UI_SERVICE_ID},
activationCondition = UIIngressActivationCondition.class
),
@Dependent(
type = UINetworkPolicyResource.class,
name = UI_NETWORK_POLICY_ID,
dependsOn = {UI_DEPLOYMENT_ID},
activationCondition = UINetworkPolicyActivationCondition.class
),
// ===== Studio UI
@Dependent(
type = StudioUIDeploymentResource.class,
Expand All @@ -74,7 +113,13 @@
name = STUDIO_UI_INGRESS_ID,
dependsOn = {STUDIO_UI_SERVICE_ID},
activationCondition = StudioUIIngressActivationCondition.class
)
),
@Dependent(
type = StudioUINetworkPolicyResource.class,
name = STUDIO_UI_NETWORK_POLICY_ID,
dependsOn = {STUDIO_UI_DEPLOYMENT_ID},
activationCondition = StudioUINetworkPolicyActivationCondition.class
),
}
)
// spotless:on
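Review bot: Each of the three new NetworkPolicy dependents declares a `dependsOn` on its Deployment (`APP_DEPLOYMENT_ID`, `UI_DEPLOYMENT_ID`, `STUDIO_UI_DEPLOYMENT_ID`), so the workflow reconciles the policy only after the Deployment and the pods can run for a while without it. A NetworkPolicy selects pods by label and does not need the Deployment to exist, so the attribute could be dropped, for example `@Dependent(type = AppNetworkPolicyResource.class, name = APP_NETWORK_POLICY_ID, activationCondition = AppNetworkPolicyActivationCondition.class)`. If the ordering is deliberate, a comment above the first entry saying why would help the next reader. Parts of the annotation are collapsed between the hunks, so other dependents that might interact with this ordering are not visible.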
Expand Up @@ -3,15 +3,21 @@
import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
import io.apicurio.registry.operator.api.v1.ApicurioRegistry3Spec;
import io.apicurio.registry.operator.api.v1.spec.AppSpec;
import io.apicurio.registry.operator.api.v1.spec.ComponentSpec;
import io.apicurio.registry.operator.api.v1.spec.IngressSpec;
import io.apicurio.registry.operator.api.v1.spec.NetworkPolicySpec;
import io.apicurio.registry.operator.api.v1.spec.StudioUiSpec;
import io.apicurio.registry.operator.api.v1.spec.UiSpec;
import io.apicurio.registry.operator.resource.app.AppIngressResource;
import io.apicurio.registry.operator.resource.app.AppNetworkPolicyResource;
import io.apicurio.registry.operator.resource.studioui.StudioUIDeploymentResource;
import io.apicurio.registry.operator.resource.studioui.StudioUIIngressResource;
import io.apicurio.registry.operator.resource.studioui.StudioUINetworkPolicyResource;
import io.apicurio.registry.operator.resource.ui.UIIngressResource;
import io.apicurio.registry.operator.resource.ui.UINetworkPolicyResource;
import io.fabric8.kubernetes.api.model.apps.Deployment;
import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
import io.javaoperatorsdk.operator.api.reconciler.Context;
import io.javaoperatorsdk.operator.api.reconciler.dependent.DependentResource;
import io.javaoperatorsdk.operator.processing.dependent.workflow.Condition;
Expand Down Expand Up @@ -42,6 +48,21 @@ public boolean isMet(DependentResource<Ingress, ApicurioRegistry3> resource,
}
}

public static class AppNetworkPolicyActivationCondition
implements Condition<NetworkPolicy, ApicurioRegistry3> {
@Override
public boolean isMet(DependentResource<NetworkPolicy, ApicurioRegistry3> resource,
ApicurioRegistry3 primary, Context<ApicurioRegistry3> context) {
Boolean isManaged = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getApp)
.map(ComponentSpec::getNetworkPolicy).map(NetworkPolicySpec::getEnabled)
.orElse(Boolean.TRUE);
if (!isManaged) {
((AppNetworkPolicyResource) resource).delete(primary, context);
}
return isManaged;
}
}

// ===== Registry UI

public static class UIIngressActivationCondition implements Condition<Ingress, ApicurioRegistry3> {
Expand All @@ -60,6 +81,21 @@ public boolean isMet(DependentResource<Ingress, ApicurioRegistry3> resource,
}
}

public static class UINetworkPolicyActivationCondition
implements Condition<NetworkPolicy, ApicurioRegistry3> {
@Override
public boolean isMet(DependentResource<NetworkPolicy, ApicurioRegistry3> resource,
ApicurioRegistry3 primary, Context<ApicurioRegistry3> context) {
Boolean isManaged = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getUi)
.map(ComponentSpec::getNetworkPolicy).map(NetworkPolicySpec::getEnabled)
.orElse(Boolean.TRUE);
if (!isManaged) {
((UINetworkPolicyResource) resource).delete(primary, context);
}
return isManaged;
}
}

// ===== Studio UI

public static class StudioUIDeploymentActivationCondition
Expand Down Expand Up @@ -93,4 +129,20 @@ public boolean isMet(DependentResource<Ingress, ApicurioRegistry3> resource,
return enabled;
}
}

public static class StudioUINetworkPolicyActivationCondition
implements Condition<NetworkPolicy, ApicurioRegistry3> {
@Override
public boolean isMet(DependentResource<NetworkPolicy, ApicurioRegistry3> resource,
ApicurioRegistry3 primary, Context<ApicurioRegistry3> context) {
Boolean isManaged = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getStudioUi)
.map(ComponentSpec::getNetworkPolicy).map(NetworkPolicySpec::getEnabled)
.orElse(Boolean.TRUE);
if (!isManaged) {
((StudioUINetworkPolicyResource) resource).delete(primary, context);
}
return isManaged;
}
}

}
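Review bot: The three new `isMet` implementations (`AppNetworkPolicyActivationCondition`, `UINetworkPolicyActivationCondition`, `StudioUINetworkPolicyActivationCondition`) delete the managed NetworkPolicy as a side effect when the flag resolves to false, and nothing documents or records that. Removing the policy presumably changes which traffic can reach the component's pods, so each class should carry a Javadoc such as `/** Met unless the component's networkPolicy.enabled is explicitly false (unset means enabled); when not met, the managed NetworkPolicy is deleted. */`. An info-level log line at the `delete(primary, context)` call would also leave a trace when the policy is switched off, if the class has a logger (none is visible in these hunks). The cast of `resource` to the concrete resource type is unchecked and would throw if the condition were ever attached to a different dependent.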
Expand Up @@ -4,6 +4,7 @@
import io.fabric8.kubernetes.api.model.Service;
import io.fabric8.kubernetes.api.model.apps.Deployment;
import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
import io.javaoperatorsdk.operator.api.reconciler.ResourceDiscriminator;

import java.util.Map;
Expand Down Expand Up @@ -59,6 +60,20 @@ public AppIngressDiscriminator() {
}
}

public static class AppNetworkPolicyDiscriminator extends LabelDiscriminator<NetworkPolicy> {

public static final ResourceDiscriminator<NetworkPolicy, ApicurioRegistry3> INSTANCE = new AppNetworkPolicyDiscriminator();

public AppNetworkPolicyDiscriminator() {
// spotless:off
super(Map.of(
"app.kubernetes.io/name", "apicurio-registry",
"app.kubernetes.io/component", COMPONENT_APP
));
// spotless:on
}
}

// ===== Registry UI

public static class UIDeploymentDiscriminator extends LabelDiscriminator<Deployment> {
Expand Down Expand Up @@ -103,6 +118,20 @@ public UIIngressDiscriminator() {
}
}

public static class UINetworkPolicyDiscriminator extends LabelDiscriminator<NetworkPolicy> {

public static final ResourceDiscriminator<NetworkPolicy, ApicurioRegistry3> INSTANCE = new AppNetworkPolicyDiscriminator();

public UINetworkPolicyDiscriminator() {
// spotless:off
super(Map.of(
"app.kubernetes.io/name", "apicurio-registry",
"app.kubernetes.io/component", COMPONENT_UI
));
// spotless:on
}
}

// ===== Studio UI

public static class StudioUIDeploymentDiscriminator extends LabelDiscriminator<Deployment> {
Expand Down Expand Up @@ -146,4 +175,18 @@ public StudioUIIngressDiscriminator() {
// spotless:on
}
}

public static class StudioUINetworkPolicyDiscriminator extends LabelDiscriminator<NetworkPolicy> {

public static final ResourceDiscriminator<NetworkPolicy, ApicurioRegistry3> INSTANCE = new AppNetworkPolicyDiscriminator();

public StudioUINetworkPolicyDiscriminator() {
// spotless:off
super(Map.of(
"app.kubernetes.io/name", "apicurio-registry",
"app.kubernetes.io/component", COMPONENT_STUDIO_UI
));
// spotless:on
}
}
}
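Review bot: `UINetworkPolicyDiscriminator.INSTANCE` and `StudioUINetworkPolicyDiscriminator.INSTANCE` are both initialised with `new AppNetworkPolicyDiscriminator()`, so all three shared instances match the `COMPONENT_APP` label set and the UI and Studio UI constructors are never used for them. Any lookup through those instances would resolve to the app component's NetworkPolicy, which could lead the UI or Studio UI dependents to read, update or delete the wrong policy (the consumers are outside this file, so the exact effect is inferred). The initialisers should be `new UINetworkPolicyDiscriminator()` and `new StudioUINetworkPolicyDiscriminator()` respectively.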
Expand Up @@ -12,6 +12,7 @@
import io.fabric8.kubernetes.api.model.apps.Deployment;
import io.fabric8.kubernetes.api.model.apps.DeploymentSpec;
import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;

import java.nio.charset.Charset;
import java.util.ArrayList;
Expand All @@ -37,6 +38,7 @@ public class ResourceFactory {
public static final String RESOURCE_TYPE_DEPLOYMENT = "deployment";
public static final String RESOURCE_TYPE_SERVICE = "service";
public static final String RESOURCE_TYPE_INGRESS = "ingress";
public static final String RESOURCE_TYPE_NETWORK_POLICY = "networkpolicy";

public Deployment getDefaultAppDeployment(ApicurioRegistry3 primary) {
var r = initDefaultDeployment(primary, COMPONENT_APP,
Expand Down Expand Up @@ -240,6 +242,30 @@ private <T extends HasMetadata> T getDefaultResource(ApicurioRegistry3 primary,
return r;
}

public NetworkPolicy getDefaultAppNetworkPolicy(ApicurioRegistry3 primary) {
var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
COMPONENT_APP);
networkPolicy.getSpec().getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
primary.getMetadata().getName());
return networkPolicy;
}

public NetworkPolicy getDefaultUINetworkPolicy(ApicurioRegistry3 primary) {
var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
COMPONENT_UI);
networkPolicy.getSpec().getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
primary.getMetadata().getName());
return networkPolicy;
}

public NetworkPolicy getDefaultStudioUINetworkPolicy(ApicurioRegistry3 primary) {
var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
COMPONENT_STUDIO_UI);
networkPolicy.getSpec().getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
primary.getMetadata().getName());
return networkPolicy;
}

private void addDefaultLabels(Map<String, String> labels, ApicurioRegistry3 primary, String component) {
// spotless:off
labels.putAll(Map.of(
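Review bot: `getDefaultAppNetworkPolicy`, `getDefaultUINetworkPolicy` and `getDefaultStudioUINetworkPolicy` are the same four lines with a different component constant, and each dereferences `getSpec().getPodSelector().getMatchLabels()` without checking that the loaded default resource defines them. That selector is what scopes the policy to this instance's pods, so a default resource without `spec.podSelector.matchLabels` should fail with a clear message rather than a bare NullPointerException; whether the defaults always define it is not visible here. A private helper, sketched below, would hold the check in one place. This note is anchored at the end of the section's last hunk, where `addDefaultLabels` continues outside the view.

```java
public NetworkPolicy getDefaultAppNetworkPolicy(ApicurioRegistry3 primary) {
    return getDefaultNetworkPolicy(primary, COMPONENT_APP);
}

// … getDefaultUINetworkPolicy and getDefaultStudioUINetworkPolicy delegate the same way …

private NetworkPolicy getDefaultNetworkPolicy(ApicurioRegistry3 primary, String component) {
    var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
            component);
    var spec = networkPolicy.getSpec();
    if (spec == null || spec.getPodSelector() == null || spec.getPodSelector().getMatchLabels() == null) {
        throw new IllegalStateException(
                "Default NetworkPolicy for " + component + " has no spec.podSelector.matchLabels");
    }
    // Scope the policy to the pods of this registry instance only.
    spec.getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
            primary.getMetadata().getName());
    return networkPolicy;
}
```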
Expand Up @@ -6,6 +6,7 @@
import io.fabric8.kubernetes.api.model.Service;
import io.fabric8.kubernetes.api.model.apps.Deployment;
import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
import io.javaoperatorsdk.operator.api.reconciler.ResourceDiscriminator;
import lombok.AllArgsConstructor;
import lombok.EqualsAndHashCode;
Expand All @@ -28,14 +29,17 @@ public class ResourceKey<R> {
public static final String APP_DEPLOYMENT_ID = "AppDeploymentResource";
public static final String APP_SERVICE_ID = "AppServiceResource";
public static final String APP_INGRESS_ID = "AppIngressResource";
public static final String APP_NETWORK_POLICY_ID = "AppNetworkPolicyResource";

public static final String UI_DEPLOYMENT_ID = "UIDeploymentResource";
public static final String UI_SERVICE_ID = "UIServiceResource";
public static final String UI_INGRESS_ID = "UIIngressResource";
public static final String UI_NETWORK_POLICY_ID = "UINetworkPolicyResource";

public static final String STUDIO_UI_DEPLOYMENT_ID = "StudioUIDeploymentResource";
public static final String STUDIO_UI_SERVICE_ID = "StudioUIServiceResource";
public static final String STUDIO_UI_INGRESS_ID = "StudioUIIngressResource";
public static final String STUDIO_UI_NETWORK_POLICY_ID = "StudioUINetworkPolicyResource";

public static final ResourceKey<ApicurioRegistry3> REGISTRY_KEY = new ResourceKey<>(
REGISTRY_ID, ApicurioRegistry3.class,
Expand All @@ -59,6 +63,11 @@ public class ResourceKey<R> {
AppIngressDiscriminator.INSTANCE, ResourceFactory.INSTANCE::getDefaultAppIngress
);

public static final ResourceKey<NetworkPolicy> APP_NETWORK_POLICY_KEY = new ResourceKey<>(
APP_NETWORK_POLICY_ID, NetworkPolicy.class,
AppNetworkPolicyDiscriminator.INSTANCE, ResourceFactory.INSTANCE::getDefaultAppNetworkPolicy
);

// ===== Registry UI

public static final ResourceKey<Deployment> UI_DEPLOYMENT_KEY = new ResourceKey<>(
Expand All @@ -76,6 +85,11 @@ public class ResourceKey<R> {
UIIngressDiscriminator.INSTANCE, ResourceFactory.INSTANCE::getDefaultUIIngress
);

public static final ResourceKey<NetworkPolicy> UI_NETWORK_POLICY_KEY = new ResourceKey<>(
UI_NETWORK_POLICY_ID, NetworkPolicy.class,
UINetworkPolicyDiscriminator.INSTANCE, ResourceFactory.INSTANCE::getDefaultUINetworkPolicy
);

// ===== Studio UI

public static final ResourceKey<Deployment> STUDIO_UI_DEPLOYMENT_KEY = new ResourceKey<>(
Expand All @@ -93,6 +107,11 @@ public class ResourceKey<R> {
StudioUIIngressDiscriminator.INSTANCE, ResourceFactory.INSTANCE::getDefaultStudioUIIngress
);

public static final ResourceKey<NetworkPolicy> STUDIO_UI_NETWORK_POLICY_KEY = new ResourceKey<>(
STUDIO_UI_NETWORK_POLICY_ID, NetworkPolicy.class,
StudioUINetworkPolicyDiscriminator.INSTANCE, ResourceFactory.INSTANCE::getDefaultStudioUINetworkPolicy
);

// spotless:on

@EqualsAndHashCode.Include