IAM Service and Route Addition

Signed-off-by: shirady <[email protected]>

Author: shirady

deploy/crds/noobaa.io_noobaas.yaml

@@ -25,6 +25,10 @@ spec:
       jsonPath: .status.services.serviceSts.nodePorts
       name: Sts-Endpoints
       type: string
+    - description: IAM Endpoints
+      jsonPath: .status.services.serviceIam.nodePorts
+      name: Iam-Endpoints
+      type: string
     - description: Syslog Endpoints
       jsonPath: .status.services.serviceSyslog.nodePorts
       name: Syslog-Endpoints
@@ -1756,6 +1760,12 @@ spec:
                   only from the listed subnets. This field will have no effect if DisableLoadBalancerService is set
                   to true
                 properties:
+                  iam:
+                    description: IAM is a list of subnets that will be allowed to
+                      access the Noobaa IAM service
+                    items:
+                      type: string
+                    type: array
                   s3:
                     description: S3 is a list of subnets that will be allowed to access
                       the Noobaa S3 service
@@ -2082,6 +2092,61 @@ spec:
               services:
                 description: Services reports addresses for the services
                 properties:
+                  serviceIam:
+                    description: ServiceStatus is the status info and network addresses
+                      of a service
+                    properties:
+                      externalDNS:
+                        description: ExternalDNS are external public addresses for
+                          the service
+                        items:
+                          type: string
+                        type: array
+                      externalIP:
+                        description: |-
+                          ExternalIP are external public addresses for the service
+                          LoadBalancerPorts such as AWS ELB provide public address and load balancing for the service
+                          IngressPorts are manually created public addresses for the service
+                          https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+                          https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+                          https://kubernetes.io/docs/concepts/services-networking/ingress/
+                        items:
+                          type: string
+                        type: array
+                      internalDNS:
+                        description: InternalDNS are internal addresses of the service
+                          inside the cluster
+                        items:
+                          type: string
+                        type: array
+                      internalIP:
+                        description: |-
+                          InternalIP are internal addresses of the service inside the cluster
+                          https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+                        items:
+                          type: string
+                        type: array
+                      nodePorts:
+                        description: |-
+                          NodePorts are the most basic network available.
+                          NodePorts use the networks available on the hosts of kubernetes nodes.
+                          This generally works from within a pod, and from the internal
+                          network of the nodes, but may fail from public network.
+                          https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+                        items:
+                          type: string
+                        type: array
+                      podPorts:
+                        description: |-
+                          PodPorts are the second most basic network address.
+                          Every pod has an IP in the cluster and the pods network is a mesh
+                          so the operator running inside a pod in the cluster can use this address.
+                          Note: pod IPs are not guaranteed to persist over restarts, so should be rediscovered.
+                          Note2: when running the operator outside of the cluster, pod IP is not accessible.
+                        items:
+                          type: string
+                        type: array
+                    type: object
                   serviceMgmt:
                     description: ServiceStatus is the status info and network addresses
                       of a service

deploy/internal/deployment-endpoint.yaml

@@ -78,6 +78,7 @@ spec:
             - containerPort: 6001
             - containerPort: 6443
             - containerPort: 7443
+            - containerPort: 13443
           env:
             - name: NODE_NAME
               valueFrom:

deploy/internal/route-iam.yaml

@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: noobaa
+  name: iam
+spec:
+  port:
+    targetPort: iam-https
+  tls:
+    insecureEdgeTerminationPolicy: Allow
+    termination: reencrypt
+  to:
+    kind: Service
+    name: iam
+    weight: 100
+  wildcardPolicy: None

deploy/internal/service-iam.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: iam
+  labels:
+    app: noobaa
+    noobaa-iam-svc: "true"
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: 'noobaa-iam-serving-cert'
+    service.alpha.openshift.io/serving-cert-secret-name: 'noobaa-iam-serving-cert'
+spec:
+  type: LoadBalancer
+  selector:
+    noobaa-s3: SYSNAME
+  ports:
+    - port: 443
+      targetPort: 13443
+      name: iam-https

pkg/apis/noobaa/v1alpha1/noobaa_types.go

@@ -33,6 +33,7 @@ type AnnotationsSpec map[string]Annotations
 // +kubebuilder:resource:shortName=nb
 // +kubebuilder:printcolumn:name="S3-Endpoints",type="string",JSONPath=".status.services.serviceS3.nodePorts",description="S3 Endpoints"
 // +kubebuilder:printcolumn:name="Sts-Endpoints",type="string",JSONPath=".status.services.serviceSts.nodePorts",description="STS Endpoints"
+// +kubebuilder:printcolumn:name="Iam-Endpoints",type="string",JSONPath=".status.services.serviceIam.nodePorts",description="IAM Endpoints"
 // +kubebuilder:printcolumn:name="Syslog-Endpoints",type="string",JSONPath=".status.services.serviceSyslog.nodePorts",description="Syslog Endpoints"
 // +kubebuilder:printcolumn:name="Image",type="string",JSONPath=".status.actualImage",description="Actual Image"
 // +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase",description="Phase"
@@ -314,6 +315,10 @@ type LoadBalancerSourceSubnetSpec struct {
 	// STS is a list of subnets that will be allowed to access the Noobaa STS service
 	// +optional
 	STS []string `json:"sts,omitempty"`
+
+	// IAM is a list of subnets that will be allowed to access the Noobaa IAM service
+	// +optional
+	IAM []string `json:"iam,omitempty"`
 }
 
 // SecuritySpec is security spec to include various security items such as kms
@@ -559,6 +564,7 @@ type ServicesStatus struct {
 	ServiceS3   ServiceStatus `json:"serviceS3"`
 	// +optional
 	ServiceSts    ServiceStatus `json:"serviceSts,omitempty"`
+	ServiceIam    ServiceStatus `json:"serviceIam,omitempty"`
 	ServiceSyslog ServiceStatus `json:"serviceSyslog,omitempty"`
 }
 

pkg/apis/noobaa/v1alpha1/zz_generated.deepcopy.go

@@ -1425,7 +1425,7 @@ spec:
       status: {}
 `
 
-const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "ee1ecf4ecb2fa8686e5e8de9dba25f962df79b57fd34abd482a9bfef4d4622fe"
+const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "0b124e4d763e8aecff6486d8f70491d8dfd30f35fb863746ef2fcb12bff69fbf"
 
 const File_deploy_crds_noobaa_io_noobaas_yaml = `---
 apiVersion: apiextensions.k8s.io/v1
@@ -1454,6 +1454,10 @@ spec:
       jsonPath: .status.services.serviceSts.nodePorts
       name: Sts-Endpoints
       type: string
+    - description: IAM Endpoints
+      jsonPath: .status.services.serviceIam.nodePorts
+      name: Iam-Endpoints
+      type: string
     - description: Syslog Endpoints
       jsonPath: .status.services.serviceSyslog.nodePorts
       name: Syslog-Endpoints
@@ -3185,6 +3189,12 @@ spec:
                   only from the listed subnets. This field will have no effect if DisableLoadBalancerService is set
                   to true
                 properties:
+                  iam:
+                    description: IAM is a list of subnets that will be allowed to
+                      access the Noobaa IAM service
+                    items:
+                      type: string
+                    type: array
                   s3:
                     description: S3 is a list of subnets that will be allowed to access
                       the Noobaa S3 service
@@ -3511,6 +3521,61 @@ spec:
               services:
                 description: Services reports addresses for the services
                 properties:
+                  serviceIam:
+                    description: ServiceStatus is the status info and network addresses
+                      of a service
+                    properties:
+                      externalDNS:
+                        description: ExternalDNS are external public addresses for
+                          the service
+                        items:
+                          type: string
+                        type: array
+                      externalIP:
+                        description: |-
+                          ExternalIP are external public addresses for the service
+                          LoadBalancerPorts such as AWS ELB provide public address and load balancing for the service
+                          IngressPorts are manually created public addresses for the service
+                          https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+                          https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+                          https://kubernetes.io/docs/concepts/services-networking/ingress/
+                        items:
+                          type: string
+                        type: array
+                      internalDNS:
+                        description: InternalDNS are internal addresses of the service
+                          inside the cluster
+                        items:
+                          type: string
+                        type: array
+                      internalIP:
+                        description: |-
+                          InternalIP are internal addresses of the service inside the cluster
+                          https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+                        items:
+                          type: string
+                        type: array
+                      nodePorts:
+                        description: |-
+                          NodePorts are the most basic network available.
+                          NodePorts use the networks available on the hosts of kubernetes nodes.
+                          This generally works from within a pod, and from the internal
+                          network of the nodes, but may fail from public network.
+                          https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+                        items:
+                          type: string
+                        type: array
+                      podPorts:
+                        description: |-
+                          PodPorts are the second most basic network address.
+                          Every pod has an IP in the cluster and the pods network is a mesh
+                          so the operator running inside a pod in the cluster can use this address.
+                          Note: pod IPs are not guaranteed to persist over restarts, so should be rediscovered.
+                          Note2: when running the operator outside of the cluster, pod IP is not accessible.
+                        items:
+                          type: string
+                        type: array
+                    type: object
                   serviceMgmt:
                     description: ServiceStatus is the status info and network addresses
                       of a service
@@ -3979,7 +4044,7 @@ data:
     shared_preload_libraries = 'pg_stat_statements'
 `
 
-const Sha256_deploy_internal_deployment_endpoint_yaml = "4221668694225599735ba859f68e47a9de8ce1aca685e0acd266c80e338bbda5"
+const Sha256_deploy_internal_deployment_endpoint_yaml = "fe660e3c058907d96617e52b14d2fa66589e5e55ac7220535c86ff56c5c945a5"
 
 const File_deploy_internal_deployment_endpoint_yaml = `apiVersion: apps/v1
 kind: Deployment
@@ -4061,6 +4126,7 @@ spec:
             - containerPort: 6001
             - containerPort: 6443
             - containerPort: 7443
+            - containerPort: 13443
           env:
             - name: NODE_NAME
               valueFrom:
@@ -4833,6 +4899,27 @@ spec:
       storage: 30Gi
 `
 
+const Sha256_deploy_internal_route_iam_yaml = "adffe421b21f035fb033b0907f6fcfb4b665f0113dc89887e0b6cdc6bf09ca95"
+
+const File_deploy_internal_route_iam_yaml = `apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: noobaa
+  name: iam
+spec:
+  port:
+    targetPort: iam-https
+  tls:
+    insecureEdgeTerminationPolicy: Allow
+    termination: reencrypt
+  to:
+    kind: Service
+    name: iam
+    weight: 100
+  wildcardPolicy: None
+`
+
 const Sha256_deploy_internal_route_mgmt_yaml = "1d462d165da5a660b85900e46a11e4d1a53e1498bf9d086b4b68afdceab08394"
 
 const File_deploy_internal_route_mgmt_yaml = `apiVersion: route.openshift.io/v1
@@ -4929,6 +5016,28 @@ spec:
       name: postgres
 `
 
+const Sha256_deploy_internal_service_iam_yaml = "43625a02ee4d8282dbcc53aac62043d88a92e3ef4f27ed901463decd19e6ad4c"
+
+const File_deploy_internal_service_iam_yaml = `apiVersion: v1
+kind: Service
+metadata:
+  name: iam
+  labels:
+    app: noobaa
+    noobaa-iam-svc: "true"
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: 'noobaa-iam-serving-cert'
+    service.alpha.openshift.io/serving-cert-secret-name: 'noobaa-iam-serving-cert'
+spec:
+  type: LoadBalancer
+  selector:
+    noobaa-s3: SYSNAME
+  ports:
+    - port: 443
+      targetPort: 13443
+      name: iam-https
+`
+
 const Sha256_deploy_internal_service_mgmt_yaml = "fa5f052fb360e6893fc446a318413a6f494a8610706ae7e36ff985b3b3a5c070"
 
 const File_deploy_internal_service_mgmt_yaml = `apiVersion: v1

pkg/bundle/deploy.go

@@ -77,6 +77,15 @@ func (r *Reconciler) ReconcilePhaseCreating() error {
 			return err
 		}
 	}
+	if err := r.ReconcileObject(r.ServiceIam, r.SetDesiredServiceIam); err != nil {
+		return err
+	}
+	// reconcile noobaa-iam route only if routes are enabled
+	if !r.NooBaa.Spec.DisableRoutes {
+		if err := r.ReconcileObjectOptional(r.RouteIam, r.SetDesiredRouteIam); err != nil {
+			return err
+		}
+	}
 	// the credentials that are created by cloud-credentials-operator sometimes take time
 	// to be valid (requests sometimes returns InvalidAccessKeyId for 1-2 minutes)
 	// creating the credential request as early as possible to try and avoid it
@@ -267,6 +276,28 @@ func (r *Reconciler) SetDesiredServiceSts() error {
 	return nil
 }
 
+// SetDesiredServiceIam updates the ServiceIam as desired for reconciling
+func (r *Reconciler) SetDesiredServiceIam() error {
+	if r.NooBaa.Spec.DisableLoadBalancerService {
+		r.ServiceIam.Spec.Type = corev1.ServiceTypeClusterIP
+		r.ServiceIam.Spec.LoadBalancerSourceRanges = []string{}
+	} else {
+		// It is here in case disableLoadBalancerService is removed from the crd or changed to false
+		r.ServiceIam.Spec.Type = corev1.ServiceTypeLoadBalancer
+		r.ServiceIam.Spec.LoadBalancerSourceRanges = r.NooBaa.Spec.LoadBalancerSourceSubnets.IAM
+	}
+	r.ServiceIam.Spec.Selector["noobaa-s3"] = r.Request.Name
+	return nil
+}
+
+// SetDesiredRouteIam updates the RouteIam as desired for reconciling
+func (r *Reconciler) SetDesiredRouteIam() error {
+	if r.NooBaa.Spec.DenyHTTP {
+		r.RouteIam.Spec.TLS.InsecureEdgeTerminationPolicy = "None"
+	}
+	return nil
+}
+
 // SetDesiredServiceDBForPostgres updates the postgres service
 func (r *Reconciler) SetDesiredServiceDBForPostgres() error {
 	r.ServiceDbPg.Spec.Selector["noobaa-db"] = "postgres"

pkg/system/phase2_creating.go

@@ -41,6 +41,7 @@ func (r *Reconciler) ReconcilePhaseConnecting() error {
 
 	r.CheckServiceStatus(r.ServiceS3, r.RouteS3, &r.NooBaa.Status.Services.ServiceS3, "s3-https")
 	r.CheckServiceStatus(r.ServiceSts, r.RouteSts, &r.NooBaa.Status.Services.ServiceSts, "sts-https")
+	r.CheckServiceStatus(r.ServiceIam, r.RouteIam, &r.NooBaa.Status.Services.ServiceIam, "iam-https")
 
 	return nil