fix(config): loads authorization from mounted configmap

config/manager/manager.yaml

@@ -18,7 +18,7 @@ spec:
       volumes:
         - configMap:
             name: platform-capabilities
-          name: auth-capabilities
+          name: platform-capabilities
       containers:
         - name: manager
           image: controller:latest
@@ -36,7 +36,7 @@ spec:
               protocol: TCP
           env:
             - name: CONFIG_CAPABILITIES
-              value: /opt/config/capabilities
+              value: /opt/config/platform-capabilities
             - name: AUTHORINO_LABEL
               valueFrom:
                 configMapKeyRef:
@@ -56,8 +56,8 @@ spec:
                   key: AUTH_PROVIDER
                   optional: true
           volumeMounts:
-            - mountPath: /opt/config/
-              name: auth-capabilities
+            - mountPath: /opt/config/platform-capabilities
+              name: platform-capabilities
           livenessProbe:
             httpGet:
               path: /healthz

controllers/authorization/authorization_controller.go

@@ -52,7 +52,7 @@ func (r *PlatformAuthorizationReconciler) Reconcile(ctx context.Context, req ctr
 	reconcilers := []reconcileAuthFunc{r.reconcileAuthConfig, r.reconcileAuthPolicy, r.reconcilePeerAuthentication}
 
 	sourceRes := &unstructured.Unstructured{}
-	sourceRes.SetGroupVersionKind(r.authComponent.CustomResourceType)
+	sourceRes.SetGroupVersionKind(r.authComponent.CustomResourceType.GroupVersionKind)
 
 	if err := r.Client.Get(ctx, req.NamespacedName, sourceRes); err != nil {
 		if k8serr.IsNotFound(err) {

controllers/authorization/authorization_suite_test.go

@@ -34,7 +34,7 @@ var testScheme = runtime.NewScheme()
 
 func TestController(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Controller & Webhook Suite")
+	RunSpecs(t, "Reconcilers suite")
 }
 
 var _ = SynchronizedBeforeSuite(func(ctx context.Context) {
@@ -83,10 +83,13 @@ var _ = SynchronizedBeforeSuite(func(ctx context.Context) {
 		cli,
 		ctrl.Log.WithName("controllers").WithName("platform"),
 		spi.AuthorizationComponent{
-			CustomResourceType: schema.GroupVersionKind{Version: "v1", Kind: "service"},
-			WorkloadSelector:   map[string]string{},
-			Ports:              []string{},
-			HostPaths:          []string{"status.url"},
+			CustomResourceType: spi.ResourceSchema{
+				GroupVersionKind: schema.GroupVersionKind{Version: "v1", Kind: "service"},
+				Resources:        "services",
+			},
+			WorkloadSelector: map[string]string{},
+			Ports:            []string{},
+			HostPaths:        []string{"status.url"},
 		},
 	).SetupWithManager(mgr)
 	Expect(err).ToNot(HaveOccurred())

main.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/opendatahub-io/odh-platform/controllers/authorization"
 	"github.com/opendatahub-io/odh-platform/pkg/env"
-	"github.com/opendatahub-io/odh-platform/pkg/resource"
 	pschema "github.com/opendatahub-io/odh-platform/pkg/schema"
+	"github.com/opendatahub-io/odh-platform/pkg/spi"
 	"github.com/opendatahub-io/odh-platform/version"
 	"k8s.io/apimachinery/pkg/runtime"
 	_ "k8s.io/client-go/plugin/pkg/client/auth" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) to ensure that exec-entrypoint and run can make use of them.
@@ -63,13 +63,13 @@ func main() {
 		WithName("odh-platform")
 	ctrlLog.Info("creating controller instance", "version", version.Version, "commit", version.Commit, "build-time", version.BuildTime)
 
-	components, err := resource.LoadConfig(env.GetConfigFile())
-	if err != nil {
-		setupLog.Error(err, "unable to load config from "+env.GetConfigFile())
+	authorizationComponents, errLoad := spi.LoadConfig(spi.AuthorizationComponent{}, env.GetConfigFile())
+	if errLoad != nil {
+		setupLog.Error(errLoad, "unable to load config from "+env.GetConfigFile())
 		os.Exit(1)
 	}
 
-	for _, component := range components {
+	for _, component := range authorizationComponents {
 		if err = authorization.NewPlatformAuthorizationReconciler(mgr.GetClient(), ctrlLog, component).
 			SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "odh-platform-"+component.CustomResourceType.Kind)

pkg/env/env_config.go

@@ -40,7 +40,7 @@ func GetAuthAudience() []string {
 }
 
 func GetConfigFile() string {
-	return getEnvOr(ConfigCapabilities, "/tmp/capabilities")
+	return getEnvOr(ConfigCapabilities, "/tmp/platform-capabilities")
 }
 
 func getEnvOr(key, defaultValue string) string {

pkg/resource/authconfig_test.go

@@ -8,12 +8,12 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-var _ = Describe("Authconfig functions", Label(labels.Unit), func() {
+var _ = Describe("AuthConfig functions", Label(labels.Unit), func() {
 
-	When("Host extractor", func() {
-
-		It("should extract host from unstrucured via paths", func() {
+	Context("Host extraction", func() {
 
+		It("should extract host from unstructured via paths", func() {
+			// given
 			extractor := resource.NewExpressionHostExtractor([]string{"status.url"})
 			target := unstructured.Unstructured{
 				Object: map[string]interface{}{
@@ -23,7 +23,11 @@ var _ = Describe("Authconfig functions", Label(labels.Unit), func() {
 				},
 			}
 
-			Expect(extractor.Extract(&target)).To(Equal([]string{"test.com"}))
+			// when
+			hosts := extractor.Extract(&target)
+
+			// then
+			Expect(hosts).To(HaveExactElements("test.com"))
 		})
 
 	})

pkg/spi/config.go

@@ -0,0 +1,20 @@
+package spi
+
+import (
+	"fmt"
+)
+
+// LoadableConfig is an interface that defines the strategy to load a configuration from a given path.
+type LoadableConfig[T any] interface {
+	Load(configPath string) ([]T, error)
+}
+
+// LoadConfig loads the configuration from the given path using the strategy defined by the LoadableConfig implementation.
+func LoadConfig[T LoadableConfig[T]](instance T, configPath string) ([]T, error) {
+	defs, err := instance.Load(configPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed loading config for: %w", err)
+	}
+
+	return defs, nil
+}

pkg/spi/config_test.go

@@ -0,0 +1,26 @@
+package spi_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega/gstruct"
+	"github.com/opendatahub-io/odh-platform/pkg/spi"
+	"github.com/opendatahub-io/odh-platform/test/labels"
+)
+
+var _ = Describe("Loading capabilities", Label(labels.Unit), func() {
+
+	Context("loading capabilities from files", func() {
+
+		It("should load authorized resources", func() {
+			authorizationComponents, err := spi.LoadConfig(spi.AuthorizationComponent{}, "../../test/data/config")
+			Expect(err).To(Succeed())
+			Expect(authorizationComponents).To(ContainElement(
+				MatchFields(IgnoreExtras, Fields{
+					"Ports":     ContainElement("9192"),
+					"HostPaths": ContainElement("status.url"),
+				})))
+		})
+	})
+
+})

pkg/spi/suite_test.go

@@ -0,0 +1,13 @@
+package spi_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestSPI(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "SPI handling")
+}

pkg/spi/types.go

@@ -2,6 +2,10 @@ package spi
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
 
 	authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -17,10 +21,33 @@ const (
 )
 
 type AuthorizationComponent struct {
-	CustomResourceType schema.GroupVersionKind `json:"gvk"`
-	WorkloadSelector   map[string]string       `json:"workloadSelector"` // label key value
-	Ports              []string                `json:"ports"`            // port numbers
-	HostPaths          []string                `json:"hostPaths"`        // json path expression e.g. status.url
+	CustomResourceType ResourceSchema    `json:"schema"`
+	WorkloadSelector   map[string]string `json:"workloadSelector"` // label key value
+	Ports              []string          `json:"ports"`            // port numbers
+	HostPaths          []string          `json:"hostPaths"`        // json path expression e.g. status.url
+}
+
+func (a AuthorizationComponent) Load(configPath string) ([]AuthorizationComponent, error) {
+	content, err := os.ReadFile(configPath + string(filepath.Separator) + "authorization")
+	if err != nil {
+		return []AuthorizationComponent{}, fmt.Errorf("could not read config file [%s]: %w", configPath, err)
+	}
+
+	var authz []AuthorizationComponent
+
+	err = json.Unmarshal(content, &authz)
+	if err != nil {
+		return []AuthorizationComponent{}, fmt.Errorf("could not parse json content of [%s]: %w", configPath, err)
+	}
+
+	return authz, nil
+}
+
+type ResourceSchema struct {
+	// GroupVersionKind specifies the group, version, and kind of the resource.
+	schema.GroupVersionKind `json:"gvk,omitempty"`
+	// Resources is the type of resource being protected, e.g., "pods", "services".
+	Resources string `json:"resources,omitempty"`
 }
 
 // HostExtractor attempts to extract Hosts from the given resource.

test/data/config/authorization

@@ -0,0 +1,21 @@
+[
+    {
+        "schema": {
+            "gvk": {
+                "kind": "service",
+                "version": "v1",
+                "group": "core"
+            },
+            "resources": "modelregistries"
+        },
+        "workloadSelector": {
+            "component": "predicator"
+        },
+        "ports": [
+            "9192"
+        ],
+        "hostPaths": [
+            "status.url"
+        ]
+    }
+]