fix: use groups and username from tokenreview auth step in authconfig…

…, fixes RHOAIENG-16025 (#164)

* fix: use groups and username from tokenreview auth step in authconfig, fixes RHOAIENG-16025

Signed-off-by: Dhiraj Bokde <[email protected]>

* feat: update operator to use Authorino api v1beta3, switch to using unstructured type for AuthConfig to avoid authorino golang dependecy issues

Signed-off-by: Dhiraj Bokde <[email protected]>

---------

Signed-off-by: Dhiraj Bokde <[email protected]>

Makefile

@@ -174,7 +174,7 @@ GOVULNCHECK_VERSION ?= v1.1.3
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.1.1
-CONTROLLER_TOOLS_VERSION ?= v0.13.0
+CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.

cmd/main.go

@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"flag"
-	authorino "github.com/kuadrant/authorino/api/v1beta2"
 	"github.com/opendatahub-io/model-registry-operator/internal/controller/config"
 	networking "istio.io/client-go/pkg/apis/networking/v1beta1"
 	security "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -58,8 +57,6 @@ func init() {
 	// openshift scheme
 	utilruntime.Must(oapi.Install(scheme))
 	utilruntime.Must(oapiconfig.Install(scheme))
-	// authorino scheme
-	utilruntime.Must(authorino.AddToScheme(scheme))
 	// istio security scheme
 	utilruntime.Must(security.AddToScheme(scheme))
 	// istio networking scheme

go.mod

@@ -4,8 +4,8 @@ go 1.21
 
 require (
 	github.com/banzaicloud/k8s-objectmatcher v1.8.0
+	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/go-logr/logr v1.4.1
-	github.com/kuadrant/authorino v0.17.1
 	github.com/onsi/ginkgo/v2 v2.16.0
 	github.com/onsi/gomega v1.31.1
 	github.com/openshift/api v0.0.0-20231116201359-a5824a0c15b6
@@ -31,7 +31,6 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -78,9 +77,6 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tidwall/gjson v1.14.0 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.10 // indirect

go.sum

@@ -99,7 +99,6 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -149,8 +148,8 @@ github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
-github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
+github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
+github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
@@ -187,8 +186,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kuadrant/authorino v0.17.1 h1:NXcYLDGSpokDE5VwzqWuRI07ChUsRNVKJB85uzOf35k=
-github.com/kuadrant/authorino v0.17.1/go.mod h1:al71fN0FX6c9Orrhk9GR4CtjtC+CD/lUHJCs7drlRNM=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -278,12 +275,6 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
-github.com/tidwall/gjson v1.14.0 h1:6aeJ0bzojgWLa82gDQHcx3S0Lr/O51I9bJ5nv6JFx5w=
-github.com/tidwall/gjson v1.14.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
-github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
-github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
@@ -473,8 +464,6 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 istio.io/api v1.20.3-0.20240116015448-5563f7225778 h1:F+6gDkT2g1uPIVhu8HIykfKJrdQxJdCRNIvlsHRHXD4=

internal/controller/config/templates/istio/authconfig.yaml.tmpl

@@ -1,4 +1,4 @@
-apiVersion: authorino.kuadrant.io/v1beta2
+apiVersion: authorino.kuadrant.io/v1beta3
 kind: AuthConfig
 metadata:
   name: {{.Name}}
@@ -35,9 +35,9 @@ spec:
     k8s-rbac:
       kubernetesSubjectAccessReview:
         user:
-          selector: auth.identity.metadata.annotations.userid
-        groups:
-          - {{.Name}}-users
+          selector: auth.identity.user.username
+        authorizationGroups:
+          selector: auth.identity.user.groups
         resourceAttributes:
           verb:
             value: get

internal/controller/modelregistry_controller.go

@@ -21,13 +21,13 @@ import (
 	errors2 "errors"
 	"fmt"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes"
 	"strings"
 	"text/template"
 
 	"github.com/banzaicloud/k8s-objectmatcher/patch"
 	"github.com/go-logr/logr"
-	authorino "github.com/kuadrant/authorino/api/v1beta2"
 	modelregistryv1alpha1 "github.com/opendatahub-io/model-registry-operator/api/v1alpha1"
 	"github.com/opendatahub-io/model-registry-operator/internal/controller/config"
 	routev1 "github.com/openshift/api/route/v1"
@@ -259,7 +259,7 @@ func (r *ModelRegistryReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	}
 	if r.HasIstio {
 		if r.CreateAuthResources {
-			builder = builder.Owns(&authorino.AuthConfig{}).
+			builder = builder.Owns(CreateAuthConfig()).
 				Owns(&security.AuthorizationPolicy{})
 		}
 		builder = builder.Owns(&networking.DestinationRule{}).
@@ -481,8 +481,10 @@ func (r *ModelRegistryReconciler) deleteIstioConfig(ctx context.Context, params
 			return ResourceUpdated, err
 		}
 
-		authConfig := authorino.AuthConfig{ObjectMeta: objectMeta}
-		if err = r.Client.Delete(ctx, &authConfig); client.IgnoreNotFound(err) != nil {
+		authConfig := CreateAuthConfig()
+		authConfig.SetName(params.Name)
+		authConfig.SetNamespace(params.Namespace)
+		if err = r.Client.Delete(ctx, authConfig); client.IgnoreNotFound(err) != nil {
 			return ResourceUpdated, err
 		}
 	}
@@ -623,25 +625,30 @@ func (r *ModelRegistryReconciler) createOrUpdateAuthConfig(ctx context.Context,
 	}
 
 	result = ResourceUnchanged
-	var authConfig authorino.AuthConfig
-	if err = r.Apply(params, templateName, &authConfig); err != nil {
+	authConfig := CreateAuthConfig()
+	if err = r.Apply(params, templateName, authConfig); err != nil {
 		return result, err
 	}
-	if err = ctrl.SetControllerReference(registry, &authConfig, r.Scheme); err != nil {
+	if err = ctrl.SetControllerReference(registry, authConfig, r.Scheme); err != nil {
 		return result, err
 	}
 
 	// NOTE: AuthConfig CRD uses maps, which is not supported in k8s 3-way merge patch
 	// use an Unstructured current object to force it to use a json merge patch instead
-	current := unstructured.Unstructured{}
-	current.SetGroupVersionKind(authConfig.GroupVersionKind())
-	result, err = r.createOrUpdate(ctx, &current, &authConfig)
+	current := CreateAuthConfig()
+	result, err = r.createOrUpdate(ctx, current, authConfig)
 	if err != nil {
 		return result, err
 	}
 	return result, nil
 }
 
+func CreateAuthConfig() *unstructured.Unstructured {
+	authConfig := unstructured.Unstructured{}
+	authConfig.SetGroupVersionKind(schema.GroupVersionKind{Group: "authorino.kuadrant.io", Version: "v1beta3", Kind: "AuthConfig"})
+	return &authConfig
+}
+
 func (r *ModelRegistryReconciler) createOrUpdateAuthorizationPolicy(ctx context.Context, params *ModelRegistryParams,
 	registry *modelregistryv1alpha1.ModelRegistry, templateName string) (result OperationResult, err error) {
 	result = ResourceUnchanged

internal/controller/modelregistry_controller_status.go

@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"github.com/evanphx/json-patch/v5"
 	"github.com/go-logr/logr"
-	authorino "github.com/kuadrant/authorino/api/v1beta2"
 	modelregistryv1alpha1 "github.com/opendatahub-io/model-registry-operator/api/v1alpha1"
 	routev1 "github.com/openshift/api/route/v1"
 	"istio.io/client-go/pkg/apis/networking/v1beta1"
@@ -31,6 +30,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/json"
 	"regexp"
@@ -417,7 +417,7 @@ func (r *ModelRegistryReconciler) CheckDeploymentPods(ctx context.Context, name
 }
 
 func (r *ModelRegistryReconciler) CheckAuthConfigCondition(ctx context.Context, name types.NamespacedName, log logr.Logger, message string, available bool, reason string) (string, bool, string) {
-	authConfig := &authorino.AuthConfig{}
+	authConfig := CreateAuthConfig()
 	if err := r.Get(ctx, name, authConfig); err != nil {
 		log.Error(err, "Failed to get model registry Istio Authorino AuthConfig", "name", name)
 		message = fmt.Sprintf("Failed to find AuthConfig: %s", err.Error())
@@ -426,17 +426,26 @@ func (r *ModelRegistryReconciler) CheckAuthConfigCondition(ctx context.Context,
 
 	// check authconfig Ready condition
 	if available {
-		for _, c := range authConfig.Status.Conditions {
-			if c.Type == authorino.StatusConditionReady {
-				available = c.Status == corev1.ConditionTrue
-				if available {
-					reason = ReasonResourcesAvailable
-					message = "Istio resources are available"
-				} else {
-					reason = ReasonResourcesUnavailable
-					message = fmt.Sprintf("Istio AuthConfig is not ready: {reason: %s, message: %s}", c.Reason, c.Message)
+		conditions, _, _ := unstructured.NestedSlice(authConfig.Object, "status", "conditions")
+		for _, c := range conditions {
+			switch con := c.(type) {
+			case map[string]interface{}:
+
+				condType, _, _ := unstructured.NestedString(con, "type")
+				if condType == "Ready" {
+					status, _, _ := unstructured.NestedString(con, "status")
+					available = status == "True"
+					if available {
+						reason = ReasonResourcesAvailable
+						message = "Istio resources are available"
+					} else {
+						reason = ReasonResourcesUnavailable
+						condReason, _, _ := unstructured.NestedString(con, "reason")
+						condMessage, _, _ := unstructured.NestedString(con, "message")
+						message = fmt.Sprintf("Istio AuthConfig is not ready: {reason: %s, message: %s}", condReason, condMessage)
+					}
+					break
 				}
-				break
 			}
 		}
 	}