Merge branch 'main' into kafka-auth-support

operator/controller/src/main/deploy/rbac/cluster/cluster-role.yaml

@@ -47,6 +47,7 @@ rules:
       - networking.k8s.io
     resources:
       - ingresses
+      - networkpolicies
     verbs:
       - '*'
 

operator/controller/src/main/java/io/apicurio/registry/operator/ApicurioRegistry3Reconciler.java

@@ -2,53 +2,20 @@
 
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
 import io.apicurio.registry.operator.resource.LabelDiscriminators.AppDeploymentDiscriminator;
-import io.apicurio.registry.operator.resource.app.AppDeploymentResource;
-import io.apicurio.registry.operator.resource.app.AppIngressResource;
-import io.apicurio.registry.operator.resource.app.AppPodDisruptionBudgetResource;
-import io.apicurio.registry.operator.resource.app.AppServiceResource;
-import io.apicurio.registry.operator.resource.studioui.StudioUIDeploymentResource;
-import io.apicurio.registry.operator.resource.studioui.StudioUIIngressResource;
-import io.apicurio.registry.operator.resource.studioui.StudioUIPodDisruptionBudgetResource;
-import io.apicurio.registry.operator.resource.studioui.StudioUIServiceResource;
-import io.apicurio.registry.operator.resource.ui.UIDeploymentResource;
-import io.apicurio.registry.operator.resource.ui.UIIngressResource;
-import io.apicurio.registry.operator.resource.ui.UIPodDisruptionBudgetResource;
-import io.apicurio.registry.operator.resource.ui.UIServiceResource;
+import io.apicurio.registry.operator.resource.app.*;
+import io.apicurio.registry.operator.resource.studioui.*;
+import io.apicurio.registry.operator.resource.ui.*;
 import io.apicurio.registry.operator.updater.IngressCRUpdater;
 import io.apicurio.registry.operator.updater.KafkaSqlCRUpdater;
 import io.apicurio.registry.operator.updater.SqlCRUpdater;
 import io.fabric8.kubernetes.api.model.apps.Deployment;
-import io.javaoperatorsdk.operator.api.reconciler.Cleaner;
-import io.javaoperatorsdk.operator.api.reconciler.Context;
-import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
-import io.javaoperatorsdk.operator.api.reconciler.DeleteControl;
-import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusHandler;
-import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusUpdateControl;
-import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
-import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
+import io.javaoperatorsdk.operator.api.reconciler.*;
 import io.javaoperatorsdk.operator.api.reconciler.dependent.Dependent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static io.apicurio.registry.operator.resource.ActivationConditions.AppIngressActivationCondition;
-import static io.apicurio.registry.operator.resource.ActivationConditions.AppPodDisruptionBudgetActivationCondition;
-import static io.apicurio.registry.operator.resource.ActivationConditions.StudioUIDeploymentActivationCondition;
-import static io.apicurio.registry.operator.resource.ActivationConditions.StudioUIIngressActivationCondition;
-import static io.apicurio.registry.operator.resource.ActivationConditions.StudioUIPodDisruptionBudgetActivationCondition;
-import static io.apicurio.registry.operator.resource.ActivationConditions.UIIngressActivationCondition;
-import static io.apicurio.registry.operator.resource.ActivationConditions.UIPodDisruptionBudgetActivationCondition;
-import static io.apicurio.registry.operator.resource.ResourceKey.APP_DEPLOYMENT_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.APP_INGRESS_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.APP_POD_DISRUPTION_BUDGET_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.APP_SERVICE_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_DEPLOYMENT_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_INGRESS_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_POD_DISRUPTION_BUDGET_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.STUDIO_UI_SERVICE_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.UI_DEPLOYMENT_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.UI_INGRESS_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.UI_POD_DISRUPTION_BUDGET_ID;
-import static io.apicurio.registry.operator.resource.ResourceKey.UI_SERVICE_ID;
+import static io.apicurio.registry.operator.resource.ActivationConditions.*;
+import static io.apicurio.registry.operator.resource.ResourceKey.*;
 
 @ControllerConfiguration(
         dependents = {
@@ -74,6 +41,12 @@
                         dependsOn = {APP_DEPLOYMENT_ID},
                         activationCondition = AppPodDisruptionBudgetActivationCondition.class
                 ),
+                @Dependent(
+                        type = AppNetworkPolicyResource.class,
+                        name = APP_NETWORK_POLICY_ID,
+                        dependsOn = {APP_DEPLOYMENT_ID},
+                        activationCondition = AppNetworkPolicyActivationCondition.class
+                ),
                 // ===== Registry UI
                 @Dependent(
                         type = UIDeploymentResource.class,
@@ -96,6 +69,12 @@
                         dependsOn = {UI_DEPLOYMENT_ID},
                         activationCondition = UIPodDisruptionBudgetActivationCondition.class
                 ),
+                @Dependent(
+                        type = UINetworkPolicyResource.class,
+                        name = UI_NETWORK_POLICY_ID,
+                        dependsOn = {UI_DEPLOYMENT_ID},
+                        activationCondition = UINetworkPolicyActivationCondition.class
+                ),
                 // ===== Studio UI
                 @Dependent(
                         type = StudioUIDeploymentResource.class,
@@ -119,6 +98,12 @@
                         dependsOn = {STUDIO_UI_DEPLOYMENT_ID},
                         activationCondition = StudioUIPodDisruptionBudgetActivationCondition.class
                 ),
+                @Dependent(
+                        type = StudioUINetworkPolicyResource.class,
+                        name = STUDIO_UI_NETWORK_POLICY_ID,
+                        dependsOn = {STUDIO_UI_DEPLOYMENT_ID},
+                        activationCondition = StudioUINetworkPolicyActivationCondition.class
+                )
         }
 )
 // TODO: When renaming, do not forget to update application.properties (until we have a test for this).
@@ -128,9 +113,9 @@ public class ApicurioRegistry3Reconciler implements Reconciler<ApicurioRegistry3
     private static final Logger log = LoggerFactory.getLogger(ApicurioRegistry3Reconciler.class);
 
     public UpdateControl<ApicurioRegistry3> reconcile(ApicurioRegistry3 primary,
-            Context<ApicurioRegistry3> context) {
+                                                      Context<ApicurioRegistry3> context) {
 
-        log.info("Reconciling Apicurio Registry: {}", primary);
+        log.debug("Reconciling Apicurio Registry: {}", primary);
 
         // Some of the fields in the CR have been deprecated and another fields should be used instead.
         // Operator will attempt to update the CR to use the newer fields if possible.
@@ -153,7 +138,7 @@ public UpdateControl<ApicurioRegistry3> reconcile(ApicurioRegistry3 primary,
 
     @Override
     public ErrorStatusUpdateControl<ApicurioRegistry3> updateErrorStatus(ApicurioRegistry3 apicurioRegistry,
-            Context<ApicurioRegistry3> context, Exception ex) {
+                                                                         Context<ApicurioRegistry3> context, Exception ex) {
         log.error("Status error", ex);
         var statusUpdater = new StatusUpdater(apicurioRegistry);
         statusUpdater.updateWithException(ex);

operator/controller/src/main/java/io/apicurio/registry/operator/resource/ActivationConditions.java

@@ -5,18 +5,23 @@
 import io.apicurio.registry.operator.api.v1.spec.AppSpec;
 import io.apicurio.registry.operator.api.v1.spec.ComponentSpec;
 import io.apicurio.registry.operator.api.v1.spec.IngressSpec;
+import io.apicurio.registry.operator.api.v1.spec.NetworkPolicySpec;
 import io.apicurio.registry.operator.api.v1.spec.PodDisruptionSpec;
 import io.apicurio.registry.operator.api.v1.spec.StudioUiSpec;
 import io.apicurio.registry.operator.api.v1.spec.UiSpec;
 import io.apicurio.registry.operator.resource.app.AppIngressResource;
+import io.apicurio.registry.operator.resource.app.AppNetworkPolicyResource;
 import io.apicurio.registry.operator.resource.app.AppPodDisruptionBudgetResource;
 import io.apicurio.registry.operator.resource.studioui.StudioUIDeploymentResource;
 import io.apicurio.registry.operator.resource.studioui.StudioUIIngressResource;
+import io.apicurio.registry.operator.resource.studioui.StudioUINetworkPolicyResource;
 import io.apicurio.registry.operator.resource.studioui.StudioUIPodDisruptionBudgetResource;
 import io.apicurio.registry.operator.resource.ui.UIIngressResource;
+import io.apicurio.registry.operator.resource.ui.UINetworkPolicyResource;
 import io.apicurio.registry.operator.resource.ui.UIPodDisruptionBudgetResource;
 import io.fabric8.kubernetes.api.model.apps.Deployment;
 import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
+import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
 import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget;
 import io.javaoperatorsdk.operator.api.reconciler.Context;
 import io.javaoperatorsdk.operator.api.reconciler.dependent.DependentResource;
@@ -70,6 +75,21 @@ public boolean isMet(DependentResource<PodDisruptionBudget, ApicurioRegistry3> r
         }
     }
 
+    public static class AppNetworkPolicyActivationCondition
+            implements Condition<NetworkPolicy, ApicurioRegistry3> {
+        @Override
+        public boolean isMet(DependentResource<NetworkPolicy, ApicurioRegistry3> resource,
+                             ApicurioRegistry3 primary, Context<ApicurioRegistry3> context) {
+            Boolean isManaged = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getApp)
+                    .map(ComponentSpec::getNetworkPolicy).map(NetworkPolicySpec::getEnabled)
+                    .orElse(Boolean.TRUE);
+            if (!isManaged) {
+                ((AppNetworkPolicyResource) resource).delete(primary, context);
+            }
+            return isManaged;
+        }
+    }
+
     // ===== Registry UI
 
     public static class UIIngressActivationCondition implements Condition<Ingress, ApicurioRegistry3> {
@@ -106,6 +126,21 @@ public boolean isMet(DependentResource<PodDisruptionBudget, ApicurioRegistry3> r
         }
     }
 
+    public static class UINetworkPolicyActivationCondition
+            implements Condition<NetworkPolicy, ApicurioRegistry3> {
+        @Override
+        public boolean isMet(DependentResource<NetworkPolicy, ApicurioRegistry3> resource,
+                             ApicurioRegistry3 primary, Context<ApicurioRegistry3> context) {
+            Boolean isManaged = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getUi)
+                    .map(ComponentSpec::getNetworkPolicy).map(NetworkPolicySpec::getEnabled)
+                    .orElse(Boolean.TRUE);
+            if (!isManaged) {
+                ((UINetworkPolicyResource) resource).delete(primary, context);
+            }
+            return isManaged;
+        }
+    }
+
     // ===== Studio UI
 
     public static class StudioUIDeploymentActivationCondition
@@ -158,4 +193,19 @@ public boolean isMet(DependentResource<PodDisruptionBudget, ApicurioRegistry3> r
         }
     }
 
+
+    public static class StudioUINetworkPolicyActivationCondition
+            implements Condition<NetworkPolicy, ApicurioRegistry3> {
+        @Override
+        public boolean isMet(DependentResource<NetworkPolicy, ApicurioRegistry3> resource,
+                             ApicurioRegistry3 primary, Context<ApicurioRegistry3> context) {
+            Boolean isManaged = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getStudioUi)
+                    .map(ComponentSpec::getNetworkPolicy).map(NetworkPolicySpec::getEnabled)
+                    .orElse(Boolean.TRUE);
+            if (!isManaged) {
+                ((StudioUINetworkPolicyResource) resource).delete(primary, context);
+            }
+            return isManaged;
+        }
+    }
 }

operator/controller/src/main/java/io/apicurio/registry/operator/resource/LabelDiscriminators.java

@@ -4,12 +4,15 @@
 import io.fabric8.kubernetes.api.model.Service;
 import io.fabric8.kubernetes.api.model.apps.Deployment;
 import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
+import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
 import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget;
 import io.javaoperatorsdk.operator.api.reconciler.ResourceDiscriminator;
 
 import java.util.Map;
 
-import static io.apicurio.registry.operator.resource.ResourceFactory.*;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_APP;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_STUDIO_UI;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_UI;
 
 public class LabelDiscriminators {
 
@@ -68,6 +71,20 @@ public AppPodDisruptionBudgetDiscriminator() {
         }
     }
 
+    public static class AppNetworkPolicyDiscriminator extends LabelDiscriminator<NetworkPolicy> {
+
+        public static final ResourceDiscriminator<NetworkPolicy, ApicurioRegistry3> INSTANCE = new AppNetworkPolicyDiscriminator();
+
+        public AppNetworkPolicyDiscriminator() {
+            // spotless:off
+            super(Map.of(
+                    "app.kubernetes.io/name", "apicurio-registry",
+                    "app.kubernetes.io/component", COMPONENT_APP
+            ));
+            // spotless:on
+        }
+    }
+
     // ===== Registry UI
 
     public static class UIDeploymentDiscriminator extends LabelDiscriminator<Deployment> {
@@ -120,6 +137,20 @@ public UiPodDisruptionBudgetDiscriminator() {
         }
     }
 
+    public static class UINetworkPolicyDiscriminator extends LabelDiscriminator<NetworkPolicy> {
+
+        public static final ResourceDiscriminator<NetworkPolicy, ApicurioRegistry3> INSTANCE = new AppNetworkPolicyDiscriminator();
+
+        public UINetworkPolicyDiscriminator() {
+            // spotless:off
+            super(Map.of(
+                    "app.kubernetes.io/name", "apicurio-registry",
+                    "app.kubernetes.io/component", COMPONENT_UI
+            ));
+            // spotless:on
+        }
+    }
+
     // ===== Studio UI
 
     public static class StudioUIDeploymentDiscriminator extends LabelDiscriminator<Deployment> {
@@ -173,4 +204,17 @@ public StudioUiPodDisruptionBudgetDiscriminator() {
         }
     }
 
+    public static class StudioUINetworkPolicyDiscriminator extends LabelDiscriminator<NetworkPolicy> {
+
+        public static final ResourceDiscriminator<NetworkPolicy, ApicurioRegistry3> INSTANCE = new AppNetworkPolicyDiscriminator();
+
+        public StudioUINetworkPolicyDiscriminator() {
+            // spotless:off
+            super(Map.of(
+                    "app.kubernetes.io/name", "apicurio-registry",
+                    "app.kubernetes.io/component", COMPONENT_STUDIO_UI
+            ));
+            // spotless:on
+        }
+    }
 }

operator/controller/src/main/java/io/apicurio/registry/operator/resource/ResourceFactory.java

@@ -12,6 +12,7 @@
 import io.fabric8.kubernetes.api.model.apps.Deployment;
 import io.fabric8.kubernetes.api.model.apps.DeploymentSpec;
 import io.fabric8.kubernetes.api.model.networking.v1.Ingress;
+import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
 import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget;
 
 import java.nio.charset.Charset;
@@ -39,6 +40,7 @@ public class ResourceFactory {
     public static final String RESOURCE_TYPE_SERVICE = "service";
     public static final String RESOURCE_TYPE_INGRESS = "ingress";
     public static final String RESOURCE_TYPE_POD_DISRUPTION_BUDGET = "poddisruptionbudget";
+    public static final String RESOURCE_TYPE_NETWORK_POLICY = "networkpolicy";
 
     public Deployment getDefaultAppDeployment(ApicurioRegistry3 primary) {
         var r = initDefaultDeployment(primary, COMPONENT_APP,
@@ -258,6 +260,30 @@ private <T extends HasMetadata> T getDefaultResource(ApicurioRegistry3 primary,
         return r;
     }
 
+    public NetworkPolicy getDefaultAppNetworkPolicy(ApicurioRegistry3 primary) {
+        var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
+                COMPONENT_APP);
+        networkPolicy.getSpec().getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
+                primary.getMetadata().getName());
+        return networkPolicy;
+    }
+
+    public NetworkPolicy getDefaultUINetworkPolicy(ApicurioRegistry3 primary) {
+        var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
+                COMPONENT_UI);
+        networkPolicy.getSpec().getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
+                primary.getMetadata().getName());
+        return networkPolicy;
+    }
+
+    public NetworkPolicy getDefaultStudioUINetworkPolicy(ApicurioRegistry3 primary) {
+        var networkPolicy = getDefaultResource(primary, NetworkPolicy.class, RESOURCE_TYPE_NETWORK_POLICY,
+                COMPONENT_STUDIO_UI);
+        networkPolicy.getSpec().getPodSelector().getMatchLabels().put("app.kubernetes.io/instance",
+                primary.getMetadata().getName());
+        return networkPolicy;
+    }
+
     private void addDefaultLabels(Map<String, String> labels, ApicurioRegistry3 primary, String component) {
         labels.putAll(Map.of(
                 "app", primary.getMetadata().getName(),