[charts/csm-authorization] feature-261: Authorization helm chart

[atye]

Is this a new chart?

Yes

What this PR does / why we need it:

Creates a helm chart for CSM-Authorization.

Which issue(s) is this PR associated with:

• github.com/[FEATURE]: CSM Authorization can deployed with Helm csm#261

Special notes for your reviewer:

How to install the chart and some explanations:

1. Create the karavi-config-secret containing the secret string to sign JWTs. Use the file samples/csm-authorization/config.yaml.

kubectl create secret generic karavi-config-secret -n <namespace> --from-file=config.yaml=samples/csm-authorization/config.yaml

2. cd charts/csm-authorization and run helm dependency update. This will bundle cert-manager and ingress-nginx with the in-house redis chart.

3. Modify the values.yaml in charts/csm-authorization/values.yaml to appropriate values. Some code changes are required for the services to run via helm so you have to use the images built from feature-261: Role Service karavi-authorization#167. See values file below.

Most of the values fields are self-explanatory.

hostname is the host rule for the Ingresses that will be registered with the nginx load balancer accessed via the master node.

redis.storageClass is the storage class redis will use. This can be anything.

authorization:
  # images to use in installation
  images:
    proxyService: dellemc/csm-authorization-proxy:nightly
    tenantService: dellemc/csm-authorization-tenant:nightly
    roleService: dellemc/csm-authorization-role:nightly
    opa: openpolicyagent/opa
    opaKubeMgmt: openpolicyagent/kube-mgmt:0.11

  # hostname for the ingress rules that expose the services
  hostname: csm-authorization.com

  logLevel: debug

  zipkin: {}
    # collectoruri: http://DNS-hostname:9411/api/v2/spans
    # probability: 1

redis:
  images:
    redis: redis:6.0.8-alpine
    commander: rediscommander/redis-commander:latest

  storageClass: local-storage

If you want local storage, here is an example:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-pv
spec:
  capacity:
    storage: 8Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: local-storage
  hostPath:
    path: /tmp

4. Install the chart. If you are in charts/csm-authorization:

helm -n <namespace> install <name> .

5. Install the driver with authorization. If the driver is on the same cluster as authorization, you can use the k8s DNS network address of the ingress-nginx-controller for the proxyHost.

For example, if I installed authorization in the auth namespace with the name auth, I would use auth-ingress-nginx-controller.auth.svc.cluster.local:443 as the proxyHost for the driver.

The tenant and role services are exposed via tenant.hostname and role.hostname, respectively. To access the services, you must have the cluster master node in /etc/hosts that aligns with the hostname. Example for using csmauth.com:

10.0.0.1 csmauth.com
10.0.0.1 tenant.csmauth.com
10.0.0.1 role.csmauth.com

Run kubectl -n <namespace> get service to see the exposed 443 port of the LoadBalancer and use that to connect.

All tenant commands should work.

karavictl tenant list --insecure --addr tenant.csmauth.com:32371

Role create should work.

karavictl role create --role=foo=powerflex=11e4e7d35817bd0f=mypool=75GB --addr role.csmauth.com:32371 --insecure

Checklist:

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

• Chart Version bumped
• Variables are documented in the chart README.md
• Title of the PR starts with the chart name (e.g. [charts_dir/mychartname]) if applicable

[hoppea2]

LGTM

[tdawe]

Should this PR target a release branch instead of main? Once merged to main, this helm chart will be publicly available from our helm repository.

[atye]

@tdawe

Created the csm-authorization-release from main and targeting that now.

[shaynafinocchiaro]

Should this say 'A Helm chart for Redis'?

[atye]

Yes, updated.