diff --git a/README.md b/README.md
index a76ae780..33627e1f 100644
--- a/README.md
+++ b/README.md
@@ -123,6 +123,7 @@ the state of the Kubernetes Deployment and associated resources, based on the st
 | clusterWide | Boolean | Sets the Authorino instance's [watching scope](https://github.com/Kuadrant/authorino/blob/main/docs/architecture.md#cluster-wide-vs-namespaced-instances) – cluster-wide or namespaced. | Default: `true` (cluster-wide) |
 | authConfigLabelSelectors | String | [Label selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) used by the Authorino instance to filter `AuthConfig`-related reconciliation events. | Default: empty (all AuthConfigs are watched) |
 | secretLabelSelectors | String | [Label selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) used by the Authorino instance to filter `Secret`-related reconciliation events (API key and mTLS authentication methods). | Default: `authorino.kuadrant.io/managed-by=authorino` |
+| supersedingHostSubsets | Boolean | Enable/disable allowing AuthConfigs to supersede strict subsets of hosts already taken. | Default: `false` |
 | replicas | Integer | Number of replicas desired for the Authorino instance. Values greater than 1 enable leader election in the Authorino service, where the leader updates the statuses of the `AuthConfig` CRs). | Default: 1 |
 | evaluatorCacheSize | Integer | Cache size (in megabytes) of each Authorino evaluator (when enabled in an [`AuthConfig`](https://github.com/Kuadrant/authorino/blob/main/docs/features.md#common-feature-caching-cache)). | Default: 1 |
 | image | String | Authorino image to be deployed (for dev/testing purpose only). | Default: `quay.io/kuadrant/authorino:latest` |
diff --git a/api/v1beta1/authorino_types.go b/api/v1beta1/authorino_types.go
index 530177cb..03cec467 100644
--- a/api/v1beta1/authorino_types.go
+++ b/api/v1beta1/authorino_types.go
@@ -71,6 +71,7 @@ type AuthorinoSpec struct {
 OIDCServer OIDCServer `json:"oidcServer"`
 AuthConfigLabelSelectors string `json:"authConfigLabelSelectors,omitempty"`
 SecretLabelSelectors string `json:"secretLabelSelectors,omitempty"`
+ SupersedingHostSubsets bool `json:"supersedingHostSubsets,omitempty"`
 EvaluatorCacheSize *int `json:"evaluatorCacheSize,omitempty"`
 Tracing Tracing `json:"tracing,omitempty"`
 Metrics Metrics `json:"metrics,omitempty"`
diff --git a/bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml b/bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml
index 38221023..05a30131 100644
--- a/bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml
+++ b/bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml
@@ -136,6 +136,8 @@ spec:
 type: integer
 secretLabelSelectors:
 type: string
+ supersedingHostSubsets:
+ type: boolean
 tracing:
 properties:
 endpoint:
diff --git a/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml b/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml
index c270669c..9d7c7c07 100644
--- a/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml
+++ b/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml
@@ -138,6 +138,8 @@ spec:
 type: integer
 secretLabelSelectors:
 type: string
+ supersedingHostSubsets:
+ type: boolean
 tracing:
 properties:
 endpoint:
diff --git a/config/deploy/manifests.yaml b/config/deploy/manifests.yaml
index 18c400e4..9d970e6d 100644
--- a/config/deploy/manifests.yaml
+++ b/config/deploy/manifests.yaml
@@ -5537,6 +5537,8 @@ spec:
 type: integer
 secretLabelSelectors:
 type: string
+ supersedingHostSubsets:
+ type: boolean
 tracing:
 properties:
 endpoint:
diff --git a/config/install/manifests.yaml b/config/install/manifests.yaml
index ab3daa52..8b5de6f5 100644
--- a/config/install/manifests.yaml
+++ b/config/install/manifests.yaml
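Review bot: The new `SupersedingHostSubsets` field added to `AuthorinoSpec` in api/v1beta1/authorino_types.go has no doc comment, and the CRD schemas updated in this diff accordingly carry only `type: boolean` with no description. The switch changes which AuthConfig ends up bound to a host, so it is security-relevant on shared clusters and should state its default and effect where operators read the API, e.g. `// SupersedingHostSubsets, when true, lets an AuthConfig claim a strict subset of hosts already claimed by another AuthConfig. Default: false.` Whether the superseding AuthConfig may come from a different namespace than the original one is not visible from this diff and is worth spelling out in that comment or in the README row. The struct starts and ends outside the hunk.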
@@ -136,6 +136,8 @@ spec:
 type: integer
 secretLabelSelectors:
 type: string
+ supersedingHostSubsets:
+ type: boolean
 tracing:
 properties:
 endpoint:
diff --git a/controllers/authorino_controller.go b/controllers/authorino_controller.go
index e237b4f2..dad555a1 100644
--- a/controllers/authorino_controller.go
+++ b/controllers/authorino_controller.go
@@ -324,6 +324,11 @@ func (r *AuthorinoReconciler) buildAuthorinoArgs(authorino *api.Authorino) []str
 args = append(args, fmt.Sprintf("--%s=%s", flagWatchedSecretLabelSelector, selectors))
 }

+ // allow-superseding-host-subsets
+ if authorino.Spec.SupersedingHostSubsets {
+ args = append(args, fmt.Sprintf("--%s", flagSupersedingHostSubsets))
+ }
+
 // log-level
 if logLevel := authorino.Spec.LogLevel; logLevel != "" {
 args = append(args, fmt.Sprintf("--%s=%s", flagLogLevel, logLevel))
diff --git a/controllers/authorino_controller_test.go b/controllers/authorino_controller_test.go
index 7c471a55..772d06a1 100644
--- a/controllers/authorino_controller_test.go
+++ b/controllers/authorino_controller_test.go
@@ -326,6 +326,8 @@ func checkAuthorinoArgs(authorinoInstance *api.Authorino, args []string) {
 Expect(value).Should(Equal(authorinoInstance.Spec.AuthConfigLabelSelectors))
 case flagWatchedSecretLabelSelector:
 Expect(value).Should(Equal(authorinoInstance.Spec.SecretLabelSelectors))
+ case flagSupersedingHostSubsets:
+ Expect(authorinoInstance.Spec.SupersedingHostSubsets).Should(BeTrue())
 case flagLogLevel:
 Expect(value).Should(Equal(authorinoInstance.Spec.LogLevel))
 case flagLogMode:
diff --git a/controllers/constants.go b/controllers/constants.go
index 39fb92d9..020e5b96 100644
--- a/controllers/constants.go
+++ b/controllers/constants.go
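Review bot: In `buildAuthorinoArgs` (controllers/authorino_controller.go) the `--allow-superseding-host-subsets` argument is appended whenever the spec field is true, regardless of which Authorino image the instance deploys. The README table in this same diff documents an `image` field, so an instance pinned to an image that predates the flag would presumably be started with an argument it does not recognise. I would at least record the requirement next to the branch, e.g. `// allow-superseding-host-subsets (requires an Authorino image that supports this flag)`. As a smaller point of style, `"--" + flagSupersedingHostSubsets` says the same as the `fmt.Sprintf("--%s", ...)` call. The function body starts and ends outside the hunk.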
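Review bot: The new `case flagSupersedingHostSubsets` in `checkAuthorinoArgs` (controllers/authorino_controller_test.go) is reached only when the flag is already present in `args`. It therefore proves the flag is never emitted for a spec with the field set to false, but not that it is emitted when the field is true; if the controller branch were dropped, this check would still pass. A presence assertion outside the switch would close that gap, for example `if authorinoInstance.Spec.SupersedingHostSubsets { Expect(args).Should(ContainElement("--" + flagSupersedingHostSubsets)) }`. The switch and the rest of the function lie outside the hunk, so this assumes no such presence check already exists there.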
@@ -33,6 +33,7 @@ const (
 flagWatchNamespace string = "watch-namespace"
 flagWatchedAuthConfigLabelSelector string = "auth-config-label-selector"
 flagWatchedSecretLabelSelector string = "secret-label-selector"
+ flagSupersedingHostSubsets string = "allow-superseding-host-subsets"
 flagLogLevel string = "log-level"
 flagLogMode string = "log-mode"
 flagTimeout string = "timeout"