Merge pull request #3624 from vikastigera/auto-pick-of-#3618-release-…

…v1.36 [Cherry-Pick] Adding AzurePolicyMode to Installation (#3618)
tigera · Nov 29, 2024 · 34940b7 · 34940b7
2 parents 1fe5dc6 + 8842158
commit 34940b7
Show file tree

Hide file tree

Showing 27 changed files with 219 additions and 25 deletions.
diff --git a/api/v1/installation_types.go b/api/v1/installation_types.go
@@ -197,8 +197,30 @@ type InstallationSpec struct {
 	// Kubernetes Service CIDRs. Specifying this is required when using Calico for Windows.
 	// +optional
 	ServiceCIDRs []string `json:"serviceCIDRs,omitempty"`
+
+	// Azure is used to configure azure provider specific options.
+	// +optional
+	Azure *Azure `json:"azure,omitempty"`
+}
+
+type Azure struct {
+	// PolicyMode determines whether the "control-plane" label is applied to namespaces. It offers two options: Default and Manual.
+	// The Default option adds the "control-plane" label to the required namespaces.
+	// The Manual option does not apply the "control-plane" label to any namespace.
+	// Default: Default
+	// +optional
+	// +kubebuilder:validation:Enum=Default;Manual
+	// +kubebuilder:default:=Default
+	PolicyMode *PolicyMode `json:"policyMode,omitempty"`
 }
 
+type PolicyMode string
+
+const (
+	Default PolicyMode = "Default"
+	Manual  PolicyMode = "Manual"
+)
+
 type Logging struct {
 	// Customized logging specification for calico-cni plugin
 	// +optional

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/pkg/controller/compliance/compliance_controller.go b/pkg/controller/compliance/compliance_controller.go
@@ -444,7 +444,7 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R
 
 	reqLogger.V(3).Info("rendering components")
 
-	namespaceComp := render.NewPassthrough(render.CreateNamespace(helper.InstallNamespace(), network.KubernetesProvider, render.PSSPrivileged))
+	namespaceComp := render.NewPassthrough(render.CreateNamespace(helper.InstallNamespace(), network.KubernetesProvider, render.PSSPrivileged, network.Azure))
 
 	hasNoLicense := !utils.IsFeatureActive(license, common.ComplianceFeature)
 	openshift := r.provider.IsOpenShift()

diff --git a/pkg/controller/installation/core_controller.go b/pkg/controller/installation/core_controller.go
@@ -721,6 +721,11 @@ func fillDefaults(instance *operator.Installation, currentPools *crdv1.IPPoolLis
 		instance.Spec.NodeUpdateStrategy.Type = appsv1.RollingUpdateDaemonSetStrategyType
 	}
 
+	if instance.Spec.KubernetesProvider == operator.ProviderAKS && instance.Spec.Azure == nil {
+		defaultPolicyMode := operator.Default
+		instance.Spec.Azure = &operator.Azure{PolicyMode: &defaultPolicyMode}
+	}
+
 	return nil
 }
 

diff --git a/pkg/controller/installation/core_controller_test.go b/pkg/controller/installation/core_controller_test.go
@@ -1557,6 +1557,41 @@ var _ = Describe("Testing core-controller installation", func() {
 			Expect(c.List(ctx, &policies)).ToNot(HaveOccurred())
 			Expect(policies.Items).To(HaveLen(0))
 		})
+
+		It("should set default spec.Azure if provider is AKS", func() {
+			cr.Spec.KubernetesProvider = operator.ProviderAKS
+
+			Expect(c.Create(ctx, cr)).NotTo(HaveOccurred())
+			_, err := r.Reconcile(ctx, reconcile.Request{})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			policyMode := operator.Default
+			azure := &operator.Azure{
+				PolicyMode: &policyMode,
+			}
+			instance := &operator.Installation{}
+
+			err = c.Get(ctx, types.NamespacedName{Name: "default"}, instance)
+			Expect(err).ShouldNot(HaveOccurred())
+
+			Expect(instance.Spec.Azure).NotTo(BeNil())
+			Expect(instance.Spec.Azure).To(Equal(azure))
+		})
+
+		It("should not set default spec.Azure if provider is not AKS", func() {
+			cr.Spec.KubernetesProvider = operator.ProviderEKS
+
+			Expect(c.Create(ctx, cr)).NotTo(HaveOccurred())
+			_, err := r.Reconcile(ctx, reconcile.Request{})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			instance := &operator.Installation{}
+
+			err = c.Get(ctx, types.NamespacedName{Name: "default"}, instance)
+			Expect(err).ShouldNot(HaveOccurred())
+
+			Expect(instance.Spec.Azure).To(BeNil())
+		})
 	})
 
 	Context("Using EKS networking", func() {

diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
@@ -411,6 +411,10 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 		}
 	}
 
+	if instance.Spec.KubernetesProvider != operatorv1.ProviderAKS && instance.Spec.Azure != nil {
+		return fmt.Errorf("Installation spec.Azure should be set only for AKS provider")
+	}
+
 	return nil
 }
 

diff --git a/pkg/controller/installation/validation_test.go b/pkg/controller/installation/validation_test.go
@@ -407,6 +407,20 @@ var _ = Describe("Installation validation tests", func() {
 		Expect(err).To(HaveOccurred())
 	})
 
+	It("should allow Spec.Azure to be set for AKS provider", func() {
+		instance.Spec.KubernetesProvider = operator.ProviderAKS
+		instance.Spec.Azure = &operator.Azure{}
+		err := validateCustomResource(instance)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("should not allow Spec.Azure to be set for non AKS provider", func() {
+		instance.Spec.KubernetesProvider = operator.ProviderGKE
+		instance.Spec.Azure = &operator.Azure{}
+		err := validateCustomResource(instance)
+		Expect(err).To(HaveOccurred())
+	})
+
 	Describe("validate Calico CNI plugin Type", func() {
 		DescribeTable("test invalid IPAM",
 			func(ipam operator.IPAMPluginType) {

diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller.go b/pkg/controller/intrusiondetection/intrusiondetection_controller.go
@@ -479,6 +479,7 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec
 		Tenant:                    tenant,
 		HasNoLicense:              hasNoLicense,
 		SyslogForwardingIsEnabled: syslogForwardingIsEnabled(lc),
+		Azure:                     network.Azure,
 	})
 	intrusionDetectionComponent := render.IntrusionDetection(intrusionDetectionCfg)
 

diff --git a/pkg/controller/logstorage/initializer/initializing_controller.go b/pkg/controller/logstorage/initializer/initializing_controller.go
@@ -243,14 +243,14 @@ func (r *LogStorageInitializer) Reconcile(ctx context.Context, request reconcile
 
 	// Before we can create secrets, we need to ensure the tigera-elasticsearch namespace exists.
 	hdler := utils.NewComponentHandler(reqLogger, r.client, r.scheme, ls)
-	esNamespace := render.CreateNamespace(render.ElasticsearchNamespace, install.KubernetesProvider, render.PSSPrivileged)
+	esNamespace := render.CreateNamespace(render.ElasticsearchNamespace, install.KubernetesProvider, render.PSSPrivileged, install.Azure)
 	if err = hdler.CreateOrUpdateOrDelete(ctx, render.NewPassthrough(esNamespace), r.status); err != nil {
 		r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error creating / updating resource", err, reqLogger)
 		return reconcile.Result{}, err
 	}
 	if kibanaEnabled {
 		// Create the Namespace.
-		kbNamespace := render.CreateNamespace(kibana.Namespace, install.KubernetesProvider, render.PSSBaseline)
+		kbNamespace := render.CreateNamespace(kibana.Namespace, install.KubernetesProvider, render.PSSBaseline, install.Azure)
 		if err = hdler.CreateOrUpdateOrDelete(ctx, render.NewPassthrough(kbNamespace), r.status); err != nil {
 			r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error creating / updating resource", err, reqLogger)
 			return reconcile.Result{}, err

diff --git a/pkg/controller/utils/merge.go b/pkg/controller/utils/merge.go
@@ -209,6 +209,11 @@ func OverrideInstallationSpec(cfg, override operatorv1.InstallationSpec) operato
 		inst.ServiceCIDRs = override.ServiceCIDRs
 	}
 
+	switch compareFields(inst.Azure, override.Azure) {
+	case BOnlySet, Different:
+		inst.Azure = override.Azure
+	}
+
 	return inst
 }
 

diff --git a/pkg/crds/operator/operator.tigera.io_installations.yaml b/pkg/crds/operator/operator.tigera.io_installations.yaml
@@ -42,6 +42,21 @@ spec:
             description: Specification of the desired state for the Calico or Calico
               Enterprise installation.
             properties:
+              azure:
+                description: Azure is used to configure azure provider specific options.
+                properties:
+                  policyMode:
+                    default: Default
+                    description: |-
+                      PolicyMode determines whether the "control-plane" label is applied to namespaces. It offers two options: Default and Manual.
+                      The Default option adds the "control-plane" label to the required namespaces.
+                      The Manual option does not apply the "control-plane" label to any namespace.
+                      Default: Default
+                    enum:
+                    - Default
+                    - Manual
+                    type: string
+                type: object
               calicoKubeControllersDeployment:
                 description: |-
                   CalicoKubeControllersDeployment configures the calico-kube-controllers Deployment. If used in
@@ -7411,6 +7426,22 @@ spec:
                 description: Computed is the final installation including overlaid
                   resources.
                 properties:
+                  azure:
+                    description: Azure is used to configure azure provider specific
+                      options.
+                    properties:
+                      policyMode:
+                        default: Default
+                        description: |-
+                          PolicyMode determines whether the "control-plane" label is applied to namespaces. It offers two options: Default and Manual.
+                          The Default option adds the "control-plane" label to the required namespaces.
+                          The Manual option does not apply the "control-plane" label to any namespace.
+                          Default: Default
+                        enum:
+                        - Default
+                        - Manual
+                        type: string
+                    type: object
                   calicoKubeControllersDeployment:
                     description: |-
                       CalicoKubeControllersDeployment configures the calico-kube-controllers Deployment. If used in

diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -245,7 +245,7 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 
 	// Global enterprise-only objects.
 	globalEnterpriseObjects := []client.Object{
-		CreateNamespace(rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise), c.cfg.Installation.KubernetesProvider, PSSPrivileged),
+		CreateNamespace(rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise), c.cfg.Installation.KubernetesProvider, PSSPrivileged, c.cfg.Installation.Azure),
 		c.tigeraApiServerClusterRole(),
 		c.tigeraApiServerClusterRoleBinding(),
 		c.uisettingsgroupGetterClusterRole(),
@@ -303,7 +303,7 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 	}
 	// Global OSS-only objects.
 	globalCalicoObjects := []client.Object{
-		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, podSecurityNamespaceLabel),
+		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, podSecurityNamespaceLabel, c.cfg.Installation.Azure),
 	}
 
 	// Compile the final arrays based on the variant.

diff --git a/pkg/render/dex.go b/pkg/render/dex.go
@@ -114,7 +114,7 @@ func (*dexComponent) SupportedOSType() rmeta.OSType {
 func (c *dexComponent) Objects() ([]client.Object, []client.Object) {
 
 	objs := []client.Object{
-		CreateNamespace(DexObjectName, c.cfg.Installation.KubernetesProvider, PSSRestricted),
+		CreateNamespace(DexObjectName, c.cfg.Installation.KubernetesProvider, PSSRestricted, c.cfg.Installation.Azure),
 		c.allowTigeraNetworkPolicy(c.cfg.Installation.Variant),
 		networkpolicy.AllowTigeraDefaultDeny(DexNamespace),
 		c.serviceAccount(),

diff --git a/pkg/render/fluentd.go b/pkg/render/fluentd.go
@@ -269,7 +269,7 @@ func (c *fluentdComponent) path(path string) string {
 
 func (c *fluentdComponent) Objects() ([]client.Object, []client.Object) {
 	var objs, toDelete []client.Object
-	objs = append(objs, CreateNamespace(LogCollectorNamespace, c.cfg.Installation.KubernetesProvider, PSSPrivileged))
+	objs = append(objs, CreateNamespace(LogCollectorNamespace, c.cfg.Installation.KubernetesProvider, PSSPrivileged, c.cfg.Installation.Azure))
 	objs = append(objs, c.allowTigeraPolicy())
 	objs = append(objs, secret.ToRuntimeObjects(secret.CopyToNamespace(LogCollectorNamespace, c.cfg.PullSecrets...)...)...)
 	objs = append(objs, c.metricsService())

diff --git a/pkg/render/guardian.go b/pkg/render/guardian.go
@@ -120,7 +120,7 @@ func (c *GuardianComponent) SupportedOSType() rmeta.OSType {
 
 func (c *GuardianComponent) Objects() ([]client.Object, []client.Object) {
 	objs := []client.Object{
-		CreateNamespace(GuardianNamespace, c.cfg.Installation.KubernetesProvider, PSSRestricted),
+		CreateNamespace(GuardianNamespace, c.cfg.Installation.KubernetesProvider, PSSRestricted, c.cfg.Installation.Azure),
 	}
 
 	objs = append(objs, secret.ToRuntimeObjects(secret.CopyToNamespace(GuardianNamespace, c.cfg.PullSecrets...)...)...)
@@ -135,7 +135,7 @@ func (c *GuardianComponent) Objects() ([]client.Object, []client.Object) {
 
 		// Add tigera-manager service account for impersonation. In managed clusters, the tigera-manager
 		// service account is always within the tigera-manager namespace - regardless of (multi)tenancy mode.
-		CreateNamespace(ManagerNamespace, c.cfg.Installation.KubernetesProvider, PSSRestricted),
+		CreateNamespace(ManagerNamespace, c.cfg.Installation.KubernetesProvider, PSSRestricted, c.cfg.Installation.Azure),
 		managerServiceAccount(ManagerNamespace),
 		managerClusterRole(true, c.cfg.Installation.KubernetesProvider, nil),
 		managerClusterRoleBinding([]string{ManagerNamespace}),

diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go
@@ -1303,6 +1303,7 @@ type IntrusionDetectionNamespaceConfiguration struct {
 	Namespace                 string
 	KubernetesProvider        operatorv1.Provider
 	HasNoLicense              bool
+	Azure                     *operatorv1.Azure
 }
 
 func (c *intrusionDetectionNamespaceComponent) ResolveImages(is *operatorv1.ImageSet) error {
@@ -1324,7 +1325,7 @@ func (c *intrusionDetectionNamespaceComponent) Objects() ([]client.Object, []cli
 	objs := []client.Object{}
 	if !c.cfg.Tenant.MultiTenant() {
 		// In multi-tenant environments, the namespace is pre-created. So, only create it if we're not in a multi-tenant environment.
-		objs = append(objs, CreateNamespace(c.cfg.Namespace, c.cfg.KubernetesProvider, PodSecurityStandard(pss)))
+		objs = append(objs, CreateNamespace(c.cfg.Namespace, c.cfg.KubernetesProvider, PodSecurityStandard(pss), c.cfg.Azure))
 	}
 
 	if c.cfg.HasNoLicense {

diff --git a/pkg/render/intrusiondetection/dpi/dpi.go b/pkg/render/intrusiondetection/dpi/dpi.go
@@ -105,9 +105,9 @@ func (d *dpiComponent) Objects() (objsToCreate, objsToDelete []client.Object) {
 	}
 
 	if d.cfg.HasNoLicense {
-		toDelete = append(toDelete, render.CreateNamespace(DeepPacketInspectionNamespace, d.cfg.Installation.KubernetesProvider, render.PSSPrivileged))
+		toDelete = append(toDelete, render.CreateNamespace(DeepPacketInspectionNamespace, d.cfg.Installation.KubernetesProvider, render.PSSPrivileged, d.cfg.Installation.Azure))
 	} else {
-		toCreate = append(toCreate, render.CreateNamespace(DeepPacketInspectionNamespace, d.cfg.Installation.KubernetesProvider, render.PSSPrivileged))
+		toCreate = append(toCreate, render.CreateNamespace(DeepPacketInspectionNamespace, d.cfg.Installation.KubernetesProvider, render.PSSPrivileged, d.cfg.Installation.Azure))
 	}
 
 	// This secret is deprecated in this namespace and should be removed in upgrade scenarios

diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go
@@ -234,7 +234,7 @@ func (es *elasticsearchComponent) Objects() ([]client.Object, []client.Object) {
 	}
 
 	// Elasticsearch CRs
-	toCreate = append(toCreate, CreateNamespace(ElasticsearchNamespace, es.cfg.Installation.KubernetesProvider, PSSPrivileged))
+	toCreate = append(toCreate, CreateNamespace(ElasticsearchNamespace, es.cfg.Installation.KubernetesProvider, PSSPrivileged, es.cfg.Installation.Azure))
 	toCreate = append(toCreate, es.elasticsearchAllowTigeraPolicy())
 	toCreate = append(toCreate, es.elasticsearchInternalAllowTigeraPolicy())
 	toCreate = append(toCreate, networkpolicy.AllowTigeraDefaultDeny(ElasticsearchNamespace))
@@ -1184,7 +1184,7 @@ func (m *managedClusterLogStorage) Objects() (objsToCreate []client.Object, objs
 	toCreate := []client.Object{}
 	roles, bindings, clusterRB := m.linseedExternalRolesAndBindings()
 	toCreate = append(toCreate,
-		CreateNamespace(ElasticsearchNamespace, m.cfg.Installation.KubernetesProvider, PSSPrivileged),
+		CreateNamespace(ElasticsearchNamespace, m.cfg.Installation.KubernetesProvider, PSSPrivileged, m.cfg.Installation.Azure),
 		m.elasticsearchExternalService(),
 		m.linseedExternalService(),
 	)

diff --git a/pkg/render/logstorage/eck/eck.go b/pkg/render/logstorage/eck/eck.go
@@ -95,7 +95,7 @@ func (e *eck) Objects() ([]client.Object, []client.Object) {
 	var toCreate, toDelete []client.Object
 
 	toCreate = append(toCreate,
-		render.CreateNamespace(OperatorNamespace, e.cfg.Installation.KubernetesProvider, render.PSSRestricted),
+		render.CreateNamespace(OperatorNamespace, e.cfg.Installation.KubernetesProvider, render.PSSRestricted, e.cfg.Installation.Azure),
 		e.operatorAllowTigeraPolicy(),
 	)
 

diff --git a/pkg/render/logstorage/externalelasticsearch/externalelasticsearch.go b/pkg/render/logstorage/externalelasticsearch/externalelasticsearch.go
@@ -48,7 +48,7 @@ func (e externalElasticsearch) ResolveImages(is *operatorv1.ImageSet) error {
 }
 
 func (e externalElasticsearch) Objects() (toCreate, toDelete []client.Object) {
-	toCreate = append(toCreate, render.CreateNamespace(render.ElasticsearchNamespace, e.installation.KubernetesProvider, render.PSSBaseline))
+	toCreate = append(toCreate, render.CreateNamespace(render.ElasticsearchNamespace, e.installation.KubernetesProvider, render.PSSBaseline, e.installation.Azure))
 	toCreate = append(toCreate, e.clusterConfig.ConfigMap())
 	toCreate = append(toCreate, e.oidcUserRole())
 	toCreate = append(toCreate, e.oidcUserRoleBinding())

diff --git a/pkg/render/logstorage/kibana/kibana.go b/pkg/render/logstorage/kibana/kibana.go
@@ -156,7 +156,7 @@ func (k *kibana) Objects() ([]client.Object, []client.Object) {
 		// - securityContext.capabilities.drop=["ALL"]
 		// - securityContext.runAsNonRoot=true
 		// - securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"
-		toCreate = append(toCreate, render.CreateNamespace(Namespace, k.cfg.Installation.KubernetesProvider, render.PSSBaseline))
+		toCreate = append(toCreate, render.CreateNamespace(Namespace, k.cfg.Installation.KubernetesProvider, render.PSSBaseline, k.cfg.Installation.Azure))
 		toCreate = append(toCreate, k.allowTigeraPolicy())
 		toCreate = append(toCreate, networkpolicy.AllowTigeraDefaultDeny(Namespace))
 		toCreate = append(toCreate, k.serviceAccount())

diff --git a/pkg/render/manager.go b/pkg/render/manager.go
@@ -214,7 +214,7 @@ func (c *managerComponent) Objects() ([]client.Object, []client.Object) {
 
 	if !c.cfg.Tenant.MultiTenant() {
 		// In multi-tenant environments, the namespace is pre-created. So, only create it if we're not in a multi-tenant environment.
-		objs = append(objs, CreateNamespace(c.cfg.Namespace, c.cfg.Installation.KubernetesProvider, PSSRestricted))
+		objs = append(objs, CreateNamespace(c.cfg.Namespace, c.cfg.Installation.KubernetesProvider, PSSRestricted, c.cfg.Installation.Azure))
 
 		// For multi-tenant environments, the management cluster itself isn't shown in the UI so we only need to create these
 		// when there is no tenant.

diff --git a/pkg/render/monitor/monitor.go b/pkg/render/monitor/monitor.go
@@ -181,7 +181,7 @@ func (mc *monitorComponent) Objects() ([]client.Object, []client.Object) {
 		// - securityContext.capabilities.drop=["ALL"]
 		// - securityContext.runAsNonRoot=true
 		// - securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"
-		render.CreateNamespace(common.TigeraPrometheusNamespace, mc.cfg.Installation.KubernetesProvider, render.PSSBaseline),
+		render.CreateNamespace(common.TigeraPrometheusNamespace, mc.cfg.Installation.KubernetesProvider, render.PSSBaseline, mc.cfg.Installation.Azure),
 	}
 
 	// Create role and role bindings first.
-Original file line number
+Diff line change
@@ Expand Up @@
     		}
     	}
+    	if instance.Spec.KubernetesProvider != operatorv1.ProviderAKS && instance.Spec.Azure != nil {
+    		return fmt.Errorf("Installation spec.Azure should be set only for AKS provider")
+    	}
     	return nil
     }
@@ Expand Down @@