dell · jooseppi-luna · Feb 23, 2024 · Feb 15, 2024 · Feb 15, 2024 · Feb 15, 2024
@@ -270,7 +270,7 @@ spec:
           name: grpc
         env:
           - name: NAMESPACE
-            value: authorization
+            value: <NAMESPACE>
         volumeMounts:
         - name: storage-volume
           mountPath: /etc/karavi-authorization/storage

@@ -270,7 +270,7 @@ spec:
           name: grpc
         env:
           - name: NAMESPACE
-            value: authorization
+            value: <NAMESPACE>
         volumeMounts:
         - name: storage-volume
           mountPath: /etc/karavi-authorization/storage

@@ -270,7 +270,7 @@ spec:
           name: grpc
         env:
           - name: NAMESPACE
-            value: authorization
+            value: <NAMESPACE>
         volumeMounts:
         - name: storage-volume
           mountPath: /etc/karavi-authorization/storage

@@ -270,7 +270,7 @@ spec:
           name: grpc
         env:
           - name: NAMESPACE
-            value: authorization
+            value: <NAMESPACE>
         volumeMounts:
         - name: storage-volume
           mountPath: /etc/karavi-authorization/storage

@@ -985,8 +985,10 @@ func authProxyStatusCheck(ctx context.Context, instance *csmv1.ContainerStorageM
 		}
 	}
 
+	authNamespace := instance.GetNamespace()
+
 	opts := []client.ListOption{
-		client.InNamespace(instance.GetNamespace()),
+		client.InNamespace(authNamespace),
 	}
 	deploymentList := &appsv1.DeploymentList{}
 	err := r.GetClient().List(ctx, deploymentList, opts...)
@@ -1001,7 +1003,7 @@ func authProxyStatusCheck(ctx context.Context, instance *csmv1.ContainerStorageM
 	for _, deployment := range deploymentList.Items {
 		deployment := deployment
 		switch deployment.Name {
-		case "authorization-ingress-nginx-controller":
+		case fmt.Sprintf("%s-ingress-nginx-controller", authNamespace):
 			if nginxEnabled {
 				if !checkFn(&deployment) {
 					log.Info("%s component not running in auth proxy deployment", deployment.Name)

@@ -501,16 +501,17 @@ func checkAuthorizationProxyServerNoRunningPods(ctx context.Context, namespace s
 	return nil
 }
 
-func getPortContainerizedAuth() (string, error) {
+func getPortContainerizedAuth(namespace string) (string, error) {
 	port := ""
+	service := namespace + "-ingress-nginx-controller"
 	b, err := exec.Command(
 		"kubectl", "get",
-		"service", "authorization-ingress-nginx-controller",
-		"-n", "authorization",
+		"service", service,
+		"-n", namespace,
 		"-o", `jsonpath="{.spec.ports[1].nodePort}"`,
 	).CombinedOutput()
 	if err != nil {
-		return "", fmt.Errorf("failed to get authorization-ingress-nginx-controller port: %s", b)
+		return "", fmt.Errorf("failed to get %s-ingress-nginx-controller port in namespace: %s: %s", namespace, namespace, b)
 	}
 	port = strings.Replace(string(b), `"`, "", -1)
 	return port, nil

@@ -864,7 +864,7 @@ func (step *Step) validateAuthorizationProxyServerInstalled(cr csmv1.ContainerSt
 	}
 	for _, cluster := range clusterClients {
 		// check AuthorizationProxyServer in all clusters
-		if err := checkAuthorizationProxyServerPods(context.TODO(), utils.AuthorizationNamespace, cluster.ClusterK8sClient); err != nil {
+		if err := checkAuthorizationProxyServerPods(context.TODO(), cr.Namespace, cluster.ClusterK8sClient); err != nil {
 			return fmt.Errorf("failed to check for AuthorizationProxyServer installation in %s: %v", cluster.ClusterID, err)
 		}
 	}
@@ -887,7 +887,7 @@ func (step *Step) validateAuthorizationProxyServerNotInstalled(cr csmv1.Containe
 	}
 	for _, cluster := range clusterClients {
 		// check AuthorizationProxyServer is not installed
-		if err := checkAuthorizationProxyServerNoRunningPods(context.TODO(), utils.AuthorizationNamespace, cluster.ClusterK8sClient); err != nil {
+		if err := checkAuthorizationProxyServerNoRunningPods(context.TODO(), cr.Namespace, cluster.ClusterK8sClient); err != nil {
 			return fmt.Errorf("failed AuthorizationProxyServer installation check %s: %v", cluster.ClusterID, err)
 		}
 	}
@@ -929,18 +929,18 @@ func (step *Step) validateAppMobInstalled(cr csmv1.ContainerStorageModule) error
 func (step *Step) authProxyServerPrereqs(cr csmv1.ContainerStorageModule) error {
 	fmt.Println("=== Creating Authorization Proxy Server Prerequisites ===")
 
-	cmd := exec.Command("kubectl", "get", "ns", "authorization")
+	cmd := exec.Command("kubectl", "get", "ns", cr.Namespace)
 	err := cmd.Run()
 	if err == nil {
-		cmd = exec.Command("kubectl", "delete", "ns", "authorization")
+		cmd = exec.Command("kubectl", "delete", "ns", cr.Namespace)
 		b, err := cmd.CombinedOutput()
 		if err != nil {
 			return fmt.Errorf("failed to delete authorization namespace: %v\nErrMessage:\n%s", err, string(b))
 		}
 	}
 
 	cmd = exec.Command("kubectl", "create",
-		"ns", "authorization",
+		"ns", cr.Namespace,
 	)
 	b, err := cmd.CombinedOutput()
 	if err != nil {
@@ -960,15 +960,15 @@ func (step *Step) authProxyServerPrereqs(cr csmv1.ContainerStorageModule) error
 	cmd = exec.Command("kubectl", "create",
 		"secret", "generic",
 		"karavi-config-secret",
-		"-n", "authorization",
+		"-n", cr.Namespace,
 		"--from-file=config.yaml=testfiles/authorization-templates/csm_authorization_config.yaml",
 	)
 	b, err = cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("failed to create config secret for JWT: %v\nErrMessage:\n%s", err, string(b))
 	}
 
-	cmd = exec.Command("kubectl", "create",
+	cmd = exec.Command("kubectl", "create", "-n", cr.Namespace,
 		"-f", "testfiles/authorization-templates/csm_authorization_storage_secret.yaml",
 	)
 	b, err = cmd.CombinedOutput()
@@ -994,7 +994,7 @@ func (step *Step) authProxyServerPrereqs(cr csmv1.ContainerStorageModule) error
 		return fmt.Errorf("failed to create local storage for redis: %v\nErrMessage:\n%s", err, string(b))
 	}
 
-	cmd = exec.Command("kubectl", "create",
+	cmd = exec.Command("kubectl", "create", "-n", cr.Namespace,
 		"-f", "testfiles/authorization-templates/csm_authorization_certificate.yaml",
 	)
 	b, err = cmd.CombinedOutput()
@@ -1005,9 +1005,12 @@ func (step *Step) authProxyServerPrereqs(cr csmv1.ContainerStorageModule) error
 	return nil
 }
 
-func (step *Step) configureAuthorizationProxyServer(res Resource, driver string) error {
+func (step *Step) configureAuthorizationProxyServer(res Resource, driver string, crNumStr string) error {
 	fmt.Println("=== Configuring Authorization Proxy Server ===")
 
+	crNum, _ := strconv.Atoi(crNumStr)
+	cr := res.CustomResource[crNum-1]
+
 	var b []byte
 	var err error
 
@@ -1070,7 +1073,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string)
 
 	proxyHost = os.Getenv("PROXY_HOST")
 
-	port, err := getPortContainerizedAuth()
+	port, err := getPortContainerizedAuth(cr.Namespace)
 	if err != nil {
 		return err
 	}

@@ -72,7 +72,7 @@ func StepRunnerInit(runner *Runner, ctrlClient client.Client, clientSet *kuberne
 	runner.addStep(`^Create \[([^"]*)\] prerequisites from CR \[(\d+)\]$`, step.createPrereqs)
 
 	// Configure authorization-proxy-server for [powerflex]
-	runner.addStep(`^Configure authorization-proxy-server for \[([^"]*)\]$`, step.configureAuthorizationProxyServer)
+	runner.addStep(`^Configure authorization-proxy-server for \[([^"]*)\] for CR \[(\d+)\]$`, step.configureAuthorizationProxyServer)
 	runner.addStep(`^Set up application mobility CR \[([^"]*)\]$`, step.configureAMInstall)
 
 	// Connectivity Client steps

@@ -2,15 +2,13 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: selfsigned
-  namespace: authorization
 spec:
   selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: karavi-auth
-  namespace: authorization
 spec:
   secretName: karavi-auth-tls
   duration: 2160h # 90d

@@ -0,0 +1,74 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+  name: authorization
+  namespace: proxy-ns
+spec:
+  modules:
+    # Authorization: enable csm-authorization proxy server for RBAC
+    - name: authorization-proxy-server
+      # enable: Enable/Disable csm-authorization
+      enabled: true
+      configVersion: v1.9.1
+      forceRemoveModule: true
+      components:
+      - name: karavi-authorization-proxy-server
+        # enable: Enable/Disable csm-authorization proxy server
+        enabled: true
+        proxyService: dellemc/csm-authorization-proxy:nightly
+        tenantService: dellemc/csm-authorization-tenant:nightly
+        roleService: dellemc/csm-authorization-role:nightly
+        storageService: dellemc/csm-authorization-storage:nightly
+        redis: redis:6.0.8-alpine
+        commander: rediscommander/redis-commander:latest
+        opa: openpolicyagent/opa
+        opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+        envs:
+          # base hostname for the ingress rules that expose the services
+          # the proxy-server ingress will use this hostname
+          # the storage-service ingress will use storage.hostname
+          # Allowed values: string
+          # Default value: csm-authorization.com
+          - name: "PROXY_HOST"
+            value: "csm-authorization.com"
+
+          # Proxy-service ingress configuration
+          # Default value: nginx
+          - name: "PROXY_INGRESS_CLASSNAME"
+            value: "nginx"
+          # An additional host rule for the proxy-server ingress
+          # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local
+          - name: "PROXY_INGRESS_HOST"
+            value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local"
+
+          # Specify storage class for redis. Otherwise, default storage class is used.
+          # Default value: None
+          - name: "REDIS_STORAGE_CLASS"
+            value: "local-storage"
+
+      # enabled: Enable/Disable nginx ingress
+      # Allowed values:
+      #   true: enable deployment of nginx ingress controller
+      #   false: disable deployment of nginx ingress only if you have your own ingress controller
+      # Default value: true
+      - name: ingress-nginx
+        enabled: true
+
+      # enabled: Enable/Disable cert-manager
+      # Allowed values:
+      #   true: enable deployment of cert-manager
+      #   false: disable deployment of cert-manager only if it's already deployed
+      # Default value: true
+      - name: cert-manager
+        enabled: true
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: csm-config-params
+  namespace: proxy-ns
+data:
+  csm-config-params.yaml: |
+    CONCURRENT_POWERFLEX_REQUESTS: 10
+    LOG_LEVEL: debug
@@ -3,6 +3,5 @@ kind: Secret
 type: Opaque
 metadata:
   name: karavi-storage-secret
-  namespace: authorization
 data:
   storage-systems.yaml: c3RvcmFnZToK
@@ -84,7 +84,7 @@
     - "Create [authorization-proxy-server] prerequisites from CR [1]"
     - "Apply custom resource [1]"
     - "Validate [authorization-proxy-server] module from CR [1] is installed"
-    - "Configure authorization-proxy-server for [powerflex]"
+    - "Configure authorization-proxy-server for [powerflex] for CR [1]"
     - "Create storageclass with name [op-e2e-vxflexos] and template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]"
     - "Set up secret with template [testfiles/powerflex-templates/csm-authorization-config.json] name [karavi-authorization-config] in namespace [test-vxflexos] for [pflexAuthSidecar]"
     - "Set up secret with template [testfiles/powerflex-templates/powerflex-secret-template.yaml] name [test-vxflexos-config] in namespace [test-vxflexos] for [pflexAuth]"
@@ -116,7 +116,7 @@
     - "Create [authorization-proxy-server] prerequisites from CR [1]"
     - "Apply custom resource [1]"
     - "Validate [authorization-proxy-server] module from CR [1] is installed"
-    - "Configure authorization-proxy-server for [powerflex]"
+    - "Configure authorization-proxy-server for [powerflex] for CR [1]"
     - "Set up secret with template [testfiles/powerflex-templates/csm-authorization-config.json] name [karavi-authorization-config] in namespace [test-vxflexos] for [pflexAuthSidecar]"
     - "Create storageclass with name [op-e2e-vxflexos] and template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]"
     - "Set up secret with template [testfiles/powerflex-templates/powerflex-secret-template.yaml] name [test-vxflexos-config] in namespace [test-vxflexos] for [pflex]"
@@ -154,7 +154,7 @@
     - "Create [authorization-proxy-server] prerequisites from CR [1]"
     - "Apply custom resource [1]"
     - "Validate [authorization-proxy-server] module from CR [1] is installed"
-    - "Configure authorization-proxy-server for [powerflex]"
+    - "Configure authorization-proxy-server for [powerflex] for CR [1]"
     - "Set up secret with template [testfiles/powerflex-templates/csm-authorization-config.json] name [karavi-authorization-config] in namespace [test-vxflexos] for [pflexAuthSidecar]"
     - "Create storageclass with name [op-e2e-vxflexos] and template [testfiles/powerflex-templates/powerflex-storageclass-template.yaml] for [pflex]"
     - "Set up secret with template [testfiles/powerflex-templates/powerflex-secret-template.yaml] name [test-vxflexos-config] in namespace [test-vxflexos] for [pflexAuth]"