Openshift routes support (Kuadrant#118)

* Add openshift route api

initial route controller impl

* openshift route controller

* openshift route controller based on sidecar

* openshift route doc fix

* remove code commented out

* remove unused code

* comment method as not thread-safe

README.md

@@ -9,6 +9,7 @@
 * [Overview](#overview)
 * [CustomResourceDefinitions](#customresourcedefinitions)
 * [Getting started](#getting-started)
+* [Openshift Routes](/doc/openshift-routes.md)
 * [Contributing](#contributing)
 * [Licensing](#licensing)
 

config/deploy/manifests.yaml

@@ -333,6 +333,40 @@ rules:
   - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  labels:
+    app: kuadrant
+  name: kuadrant-manager-role
+  namespace: kuadrant-system
+rules:
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/custom-host
+  verbs:
+  - create
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null

config/rbac/role.yaml

@@ -96,3 +96,36 @@ rules:
   - patch
   - update
   - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: manager-role
+  namespace: placeholder
+rules:
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/custom-host
+  verbs:
+  - create
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/status
+  verbs:
+  - get

controllers/apim/httproute_controller.go

@@ -5,8 +5,6 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
-	"github.com/kuadrant/kuadrant-controller/pkg/log"
-	"github.com/kuadrant/kuadrant-controller/pkg/reconcilers"
 	securityv1beta1 "istio.io/api/security/v1beta1"
 	istiosecurityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -16,6 +14,10 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	gatewayapi_v1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	"github.com/kuadrant/kuadrant-controller/pkg/log"
+	"github.com/kuadrant/kuadrant-controller/pkg/mappers"
+	"github.com/kuadrant/kuadrant-controller/pkg/reconcilers"
 )
 
 const HTTPRouteNamePrefix = "hr"
@@ -43,7 +45,7 @@ func (r *HTTPRouteReconciler) Reconcile(eventCtx context.Context, req ctrl.Reque
 
 	// TODO(rahulanand16nov): handle HTTPRoute deletion for AuthPolicy
 	// check if this httproute has to be protected or not.
-	_, present := httproute.GetAnnotations()[KuadrantAuthProviderAnnotation]
+	_, present := httproute.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 	if !present {
 		for _, parentRef := range httproute.Spec.ParentRefs {
 			gwNamespace := httproute.Namespace // consider gateway local if namespace is not given
@@ -88,7 +90,7 @@ func (r *HTTPRouteReconciler) reconcileAuthPolicy(ctx context.Context, logger lo
 	logger.Info("Reconciling AuthorizationPolicy")
 
 	// annotation presence is already checked.
-	providerName := hr.GetAnnotations()[KuadrantAuthProviderAnnotation]
+	providerName := hr.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 
 	// pre-convert hostnames to string slice
 	hosts := []string{}

controllers/apim/ratelimitpolicy_mapper.go

@@ -4,12 +4,14 @@ import (
 	"context"
 
 	"github.com/go-logr/logr"
-	apimv1alpha1 "github.com/kuadrant/kuadrant-controller/apis/apim/v1alpha1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	apimv1alpha1 "github.com/kuadrant/kuadrant-controller/apis/apim/v1alpha1"
+	"github.com/kuadrant/kuadrant-controller/pkg/mappers"
 )
 
 const (
@@ -26,7 +28,7 @@ const (
 func routingPredicate(m *rateLimitPolicyMapper) predicate.Predicate {
 	return predicate.Funcs{
 		CreateFunc: func(e event.CreateEvent) bool {
-			if _, toRateLimit := e.Object.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]; toRateLimit {
+			if _, toRateLimit := e.Object.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]; toRateLimit {
 				if err := m.SignalCreate(e.Object); err != nil {
 					m.Logger.Error(err, "failed to signal create event to referenced RateLimitPolicy")
 					// lets still try for auth annotation
@@ -35,32 +37,32 @@ func routingPredicate(m *rateLimitPolicyMapper) predicate.Predicate {
 
 			// only create reconcile request for routing objects' controllers when auth
 			// annotation is present.
-			_, toProtect := e.Object.GetAnnotations()[KuadrantAuthProviderAnnotation]
+			_, toProtect := e.Object.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 			return toProtect
 		},
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			_, toRateLimitOld := e.ObjectOld.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
-			_, toRateLimitNew := e.ObjectNew.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
+			_, toRateLimitOld := e.ObjectOld.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
+			_, toRateLimitNew := e.ObjectNew.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
 			if toRateLimitNew || toRateLimitOld {
 				if err := m.SignalUpdate(e.ObjectOld, e.ObjectNew); err != nil {
 					m.Logger.Error(err, "failed to signal update event to referenced RateLimitPolicy")
 				}
 			}
 
-			_, toProtectOld := e.ObjectOld.GetAnnotations()[KuadrantAuthProviderAnnotation]
-			_, toProtectNew := e.ObjectNew.GetAnnotations()[KuadrantAuthProviderAnnotation]
+			_, toProtectOld := e.ObjectOld.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
+			_, toProtectNew := e.ObjectNew.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 			return toProtectOld || toProtectNew
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
 			// If the object had the Kuadrant label, we need to handle its deletion
-			_, toRateLimit := e.Object.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
+			_, toRateLimit := e.Object.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
 			if toRateLimit {
 				if err := m.SignalDelete(e.Object); err != nil {
 					m.Logger.Error(err, "failed to signal delete event to referenced RateLimitPolicy")
 				}
 			}
 
-			_, toProtect := e.Object.GetAnnotations()[KuadrantAuthProviderAnnotation]
+			_, toProtect := e.Object.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 			return toProtect
 		},
 	}
@@ -78,7 +80,7 @@ func (m *rateLimitPolicyMapper) SignalCreate(obj client.Object) error {
 	if obj.GetObjectKind().GroupVersionKind().Kind == "HTTPRoute" {
 		addAnnotation = KuadrantAddHRAnnotation
 	}
-	rlpName := obj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
+	rlpName := obj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
 	m.Logger.Info("Signaling create event to RateLimitPolicy", "RateLimitPolicy", rlpName)
 	rlpKey := types.NamespacedName{
 		Name:      rlpName,
@@ -105,7 +107,7 @@ func (m *rateLimitPolicyMapper) SignalDelete(obj client.Object) error {
 	if obj.GetObjectKind().GroupVersionKind().Kind == "HTTPRoute" {
 		deleteAnnotation = KuadrantAddHRAnnotation
 	}
-	rlpName := obj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
+	rlpName := obj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
 	m.Logger.Info("Signaling delete event to RateLimitPolicy", "RateLimitPolicy", rlpName)
 	rlpKey := types.NamespacedName{
 		Name:      rlpName,
@@ -130,8 +132,8 @@ func (m *rateLimitPolicyMapper) SignalDelete(obj client.Object) error {
 // SignalUpdate is used when either old or new object had/has the ratelimit annotaiton
 func (m *rateLimitPolicyMapper) SignalUpdate(oldObj, newObj client.Object) error {
 	m.Logger.Info("Signaling update event to RateLimitPolicy")
-	oldRlpName, toRateLimitOld := oldObj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
-	newRlpName, toRateLimitNew := newObj.GetAnnotations()[KuadrantRateLimitPolicyAnnotation]
+	oldRlpName, toRateLimitOld := oldObj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
+	newRlpName, toRateLimitNew := newObj.GetAnnotations()[mappers.KuadrantRateLimitPolicyAnnotation]
 
 	// case when rlp name is added (same as create event)
 	if !toRateLimitOld && toRateLimitNew {

controllers/apim/utils.go

@@ -11,11 +11,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-const (
-	KuadrantAuthProviderAnnotation    = "kuadrant.io/auth-provider"
-	KuadrantRateLimitPolicyAnnotation = "kuadrant.io/ratelimitpolicy"
-)
-
 // gatewayLabels fetches labels of an Istio gateway identified using the given ObjectKey.
 func gatewayLabels(ctx context.Context, client client.Client, gwKey client.ObjectKey) map[string]string {
 	gateway := &istio.Gateway{}

controllers/apim/virtualservice_controller.go

@@ -19,6 +19,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/kuadrant/kuadrant-controller/pkg/common"
 	"github.com/kuadrant/kuadrant-controller/pkg/log"
+	"github.com/kuadrant/kuadrant-controller/pkg/mappers"
 	"github.com/kuadrant/kuadrant-controller/pkg/reconcilers"
 )
 
@@ -48,7 +49,7 @@ func (r *VirtualServiceReconciler) Reconcile(eventCtx context.Context, req ctrl.
 
 	// TODO(rahulanand16nov): handle VirtualService deletion for AuthPolicy
 	// check if this virtualservice is to be protected or not.
-	_, present := virtualService.GetAnnotations()[KuadrantAuthProviderAnnotation]
+	_, present := virtualService.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 	if !present {
 		for _, gateway := range virtualService.Spec.Gateways {
 			gwKey := common.NamespacedNameToObjectKey(gateway, virtualService.Namespace)
@@ -78,7 +79,7 @@ func (r *VirtualServiceReconciler) reconcileAuthPolicy(ctx context.Context, logg
 	logger.Info("Reconciling AuthorizationPolicy")
 
 	// annotation presence is already checked.
-	providerName := vs.GetAnnotations()[KuadrantAuthProviderAnnotation]
+	providerName := vs.GetAnnotations()[mappers.KuadrantAuthProviderAnnotation]
 
 	// TODO(rahulanand16nov): update following to match HTTPRoute controller
 	// fill out the rules