Support specifying Service type

CHANGELOG.md

@@ -10,6 +10,11 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- [BREAKING] Support specifying Service type.
+  This enables us to later switch non-breaking to using `ListenerClasses` for the exposure of Services.
+  This change is breaking, because - for security reasons - we default to the `cluster-internal` `ListenerClass`.
+  If you need your cluster to be accessible from outside of Kubernetes you need to set `clusterConfig.listenerClass`
+  to `external-unstable` or `external-stable` ([#432]).
 - `operator-rs` `0.27.1` -> `0.39.0` ([#411], [#420], [#430]).
 - Fragmented `OpaConfig` ([#411]).
 - Bumped stackable image versions to `23.4.0-rc2` ([#420]).
@@ -18,6 +23,7 @@ All notable changes to this project will be documented in this file.
 [#411]: https://github.com/stackabletech/opa-operator/pull/411
 [#420]: https://github.com/stackabletech/opa-operator/pull/420
 [#430]: https://github.com/stackabletech/opa-operator/pull/430
+[#432]: https://github.com/stackabletech/opa-operator/pull/432
 
 ## [23.1.0] - 2023-01-23
 

deploy/helm/opa-operator/crds/crds.yaml

@@ -25,9 +25,25 @@ spec:
             spec:
               properties:
                 clusterConfig:
-                  default: {}
+                  default:
+                    listenerClass: cluster-internal
                   description: Global OPA cluster configuration that applies to all roles and role groups.
                   properties:
+                    listenerClass:
+                      default: cluster-internal
+                      description: |-
+                        In the future this setting will control, which ListenerClass <https://docs.stackable.tech/home/stable/listener-operator/listenerclass.html> will be used to expose the service. Currently only a subset of the ListenerClasses are supported by choosing the type of the created Services by looking at the ListenerClass name specified, In a future release support for custom ListenerClasses will be introduced without a breaking change:
+
+                        * cluster-internal: Use a ClusterIP service
+
+                        * external-unstable: Use a NodePort service
+
+                        * external-stable: Use a LoadBalancer service
+                      enum:
+                        - cluster-internal
+                        - external-unstable
+                        - external-stable
+                      type: string
                     vectorAggregatorConfigMapName:
                       description: Name of the Vector aggregator discovery ConfigMap. It must contain the key `ADDRESS` with the address of the Vector aggregator.
                       nullable: true

rust/crd/src/lib.rs

@@ -68,6 +68,42 @@ pub struct OpaClusterConfig {
     /// It must contain the key `ADDRESS` with the address of the Vector aggregator.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub vector_aggregator_config_map_name: Option<String>,
+    /// In the future this setting will control, which ListenerClass <https://docs.stackable.tech/home/stable/listener-operator/listenerclass.html>
+    /// will be used to expose the service.
+    /// Currently only a subset of the ListenerClasses are supported by choosing the type of the created Services
+    /// by looking at the ListenerClass name specified,
+    /// In a future release support for custom ListenerClasses will be introduced without a breaking change:
+    ///
+    /// * cluster-internal: Use a ClusterIP service
+    ///
+    /// * external-unstable: Use a NodePort service
+    ///
+    /// * external-stable: Use a LoadBalancer service
+    #[serde(default)]
+    pub listener_class: CurrentlySupportedListenerClasses,
+}
+
+// TODO: Temporary solution until listener-operator is finished
+#[derive(Clone, Debug, Default, Display, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+#[serde(rename_all = "PascalCase")]
+pub enum CurrentlySupportedListenerClasses {
+    #[default]
+    #[serde(rename = "cluster-internal")]
+    ClusterInternal,
+    #[serde(rename = "external-unstable")]
+    ExternalUnstable,
+    #[serde(rename = "external-stable")]
+    ExternalStable,
+}
+
+impl CurrentlySupportedListenerClasses {
+    pub fn k8s_service_type(&self) -> String {
+        match self {
+            CurrentlySupportedListenerClasses::ClusterInternal => "ClusterIP".to_string(),
+            CurrentlySupportedListenerClasses::ExternalUnstable => "NodePort".to_string(),
+            CurrentlySupportedListenerClasses::ExternalStable => "LoadBalancer".to_string(),
+        }
+    }
 }
 
 #[allow(clippy::derive_partial_eq_without_eq)]

rust/operator-binary/src/controller.rs

@@ -399,14 +399,14 @@ pub fn build_server_role_service(
             ))
             .build(),
         spec: Some(ServiceSpec {
+            type_: Some(opa.spec.cluster_config.listener_class.k8s_service_type()),
             ports: Some(vec![ServicePort {
                 name: Some(APP_PORT_NAME.to_string()),
                 port: APP_PORT.into(),
                 protocol: Some("TCP".to_string()),
                 ..ServicePort::default()
             }]),
             selector: Some(role_selector_labels(opa, APP_NAME, &role_name)),
-            type_: Some("NodePort".to_string()),
             internal_traffic_policy: Some("Local".to_string()),
             ..ServiceSpec::default()
         }),
@@ -437,6 +437,8 @@ fn build_rolegroup_service(
             .with_label("prometheus.io/scrape", "true")
             .build(),
         spec: Some(ServiceSpec {
+            // Internal communication does not need to be exposed
+            type_: Some("ClusterIP".to_string()),
             cluster_ip: Some("None".to_string()),
             ports: Some(service_ports()),
             selector: Some(role_group_selector_labels(