opendatahub-io · bartoszmajsak · Sep 20, 2023 · Oct 17, 2023 · Oct 26, 2023 · Oct 26, 2023
diff --git a/Makefile b/Makefile
@@ -308,7 +308,7 @@ toolbox: ## Create a toolbox instance with the proper Golang and Operator SDK ve
 	toolbox create opendatahub-toolbox --image localhost/opendatahub-toolbox:latest
 
 # Run tests.
-TEST_SRC=./controllers/... ./tests/integration/features/...
+TEST_SRC=./controllers/... ./tests/integration/...
 
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.

diff --git a/apis/dscinitialization/v1/dscinitialization_types.go b/apis/dscinitialization/v1/dscinitialization_types.go
@@ -35,9 +35,13 @@ type DSCInitializationSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=2
 	// +optional
 	Monitoring Monitoring `json:"monitoring,omitempty"`
+	// Enable Service Mesh for Data Science Clusters
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3
+	// +optional
+	ServiceMesh ServiceMeshSpec `json:"serviceMesh,omitempty"`
 	// Internal development useful field to test customizations.
 	// This is not recommended to be used in production environment.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=4
 	// +optional
 	DevFlags DevFlags `json:"devFlags,omitempty"`
 }

diff --git a/apis/dscinitialization/v1/servicemesh_types.go b/apis/dscinitialization/v1/servicemesh_types.go
@@ -0,0 +1,80 @@
+package v1
+
+import (
+	operatorv1 "github.com/openshift/api/operator/v1"
+)
+
+// ServiceMeshSpec configures Service Mesh.
+type ServiceMeshSpec struct {
+	// +kubebuilder:validation:Enum=Managed;Removed
+	// +kubebuilder:default=Removed
+	ManagementState operatorv1.ManagementState `json:"managementState,omitempty"`
+	// Mesh holds configuration of Service Mesh used by Opendatahub.
+	Mesh MeshSpec `json:"mesh,omitempty"`
+	// Auth holds configuration of authentication and authorization services
+	// used by Service Mesh in Opendatahub.
+	Auth AuthSpec `json:"auth,omitempty"`
+}
+
+type MeshSpec struct {
+	// Name is a name Service Mesh Control Plan. Defaults to "basic".
+	// +kubebuilder:default=basic
+	Name string `json:"name,omitempty"`
+	// Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system".
+	// +kubebuilder:default=istio-system
+	Namespace string `json:"namespace,omitempty"`
+	// Certificate allows to define how to use certificates for the Service Mesh communication.
+	Certificate CertSpec `json:"certificate,omitempty"`
+}
+
+type CertSpec struct {
+	// Name of the certificate to be used by Service Mesh.
+	// +kubebuilder:default=opendatahub-dashboard-cert
+	Name string `json:"name,omitempty"`
+	// Generate indicates if the certificate should be generated. If set to false
+	// it will assume certificate with the given name is made available as a secret
+	// in Service Mesh namespace.
+	// +kubebuilder:default=true
+	Generate bool `json:"generate,omitempty"`
+}
+
+type AuthSpec struct {
+	// Name of the authorization provider used for Service Mesh.
+	// +kubebuilder:default=authorino
+	Name string `json:"name,omitempty"`
+	// Namespace where it is deployed.
+	// +kubebuilder:default=auth-provider
+	Namespace string `json:"namespace,omitempty"`
+	// Authorino holds configuration of Authorino service used as external authorization provider.
+	Authorino AuthorinoSpec `json:"authorino,omitempty"`
+}
+
+type AuthorinoSpec struct {
+	// Name specifies how external authorization provider should be called.
+	// +kubebuilder:default=authorino-mesh-authz-provider
+	Name string `json:"name,omitempty"`
+	// Audiences is a list of the identifiers that the resource server presented
+	// with the token identifies as. Audience-aware token authenticators will verify
+	// that the token was intended for at least one of the audiences in this list.
+	// If no audiences are provided, the audience will default to the audience of the
+	// Kubernetes apiserver (kubernetes.default.svc).
+	// +kubebuilder:default={"https://kubernetes.default.svc"}
+	Audiences []string `json:"audiences,omitempty"`
+	// Label narrows amount of AuthConfigs to process by Authorino service.
+	// +kubebuilder:default=authorino/topic=odh
+	Label string `json:"label,omitempty"`
+	// Image allows to define a custom container image to be used when deploying Authorino's instance.
+	// +kubebuilder:default="quay.io/kuadrant/authorino:v0.13.0"
+	Image string `json:"image,omitempty"`
+}
+
+// TODO move logic to sth like management state
+// IsValid returns true if the spec is a valid and complete.
+// If invalid it provides message with the reasons.
+func (s *ServiceMeshSpec) IsValid() (bool, string) {
+	if s.Auth.Name != "authorino" {
+		return false, "currently only Authorino is available as authorization layer"
+	}
+
+	return true, ""
+}
diff --git a/apis/dscinitialization/v1/zz_generated.deepcopy.go b/apis/dscinitialization/v1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml b/bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
@@ -80,6 +80,96 @@ spec:
                     description: Namespace for monitoring if it is enabled
                     type: string
                 type: object
+              serviceMesh:
+                description: Enable Service Mesh for Data Science Clusters
+                properties:
+                  auth:
+                    description: Auth holds configuration of authentication and authorization
+                      services used by Service Mesh in Opendatahub.
+                    properties:
+                      authorino:
+                        description: Authorino holds configuration of Authorino service
+                          used as external authorization provider.
+                        properties:
+                          audiences:
+                            default:
+                            - https://kubernetes.default.svc
+                            description: Audiences is a list of the identifiers that
+                              the resource server presented with the token identifies
+                              as. Audience-aware token authenticators will verify
+                              that the token was intended for at least one of the
+                              audiences in this list. If no audiences are provided,
+                              the audience will default to the audience of the Kubernetes
+                              apiserver (kubernetes.default.svc).
+                            items:
+                              type: string
+                            type: array
+                          image:
+                            default: quay.io/kuadrant/authorino:v0.13.0
+                            description: Image allows to define a custom container
+                              image to be used when deploying Authorino's instance.
+                            type: string
+                          label:
+                            default: authorino/topic=odh
+                            description: Label narrows amount of AuthConfigs to process
+                              by Authorino service.
+                            type: string
+                          name:
+                            default: authorino-mesh-authz-provider
+                            description: Name specifies how external authorization
+                              provider should be called.
+                            type: string
+                        type: object
+                      name:
+                        default: authorino
+                        description: Name of the authorization provider used for Service
+                          Mesh.
+                        type: string
+                      namespace:
+                        default: auth-provider
+                        description: Namespace where it is deployed.
+                        type: string
+                    type: object
+                  managementState:
+                    default: Removed
+                    enum:
+                    - Managed
+                    - Removed
+                    pattern: ^(Managed|Unmanaged|Force|Removed)$
+                    type: string
+                  mesh:
+                    description: Mesh holds configuration of Service Mesh used by
+                      Opendatahub.
+                    properties:
+                      certificate:
+                        description: Certificate allows to define how to use certificates
+                          for the Service Mesh communication.
+                        properties:
+                          generate:
+                            default: true
+                            description: Generate indicates if the certificate should
+                              be generated. If set to false it will assume certificate
+                              with the given name is made available as a secret in
+                              Service Mesh namespace.
+                            type: boolean
+                          name:
+                            default: opendatahub-dashboard-cert
+                            description: Name of the certificate to be used by Service
+                              Mesh.
+                            type: string
+                        type: object
+                      name:
+                        default: basic
+                        description: Name is a name Service Mesh Control Plan. Defaults
+                          to "basic".
+                        type: string
+                      namespace:
+                        default: istio-system
+                        description: Namespace is a namespace where Service Mesh is
+                          deployed. Defaults to "istio-system".
+                        type: string
+                    type: object
+                type: object
             required:
             - applicationsNamespace
             type: object