feat(cloud-native): add support for gRPC bridge (#2679)

* feat(cloud-native): add support for gRPC bridge

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: update FLEX_SOURCE_VERSION

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: strip /jans-auth when calling authzen-configuration

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: add missing routes for protected endpoints

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: create subchart for gateway-api

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: explicit appProtocol for grpc service

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: fix grpc comments

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: move gatewayApi configuration to gateway-api

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: resolve gateway-api chart name

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: mention about required auth-server.lockEnabled flag

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: adjust labels and NOTES

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor(openbanking): change gatewayApi to gateway-api

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: use scoped airlock-gw-params name

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: resolve jans-lock endpoints

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: reorganize GA implementation

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: sync openbanking-values.yaml

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: add Gateway API default labels

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: set defaultMode for CA cert volume

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: reorganize GA implementation

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: revert FLEX_SOURCE_VERSION

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* docs: update comment for Loadbalancer IP in YAML

Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: Isman Firmansyah <iromli@users.noreply.github.com>
Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>

Author: iromli

charts/gluu-all-in-one/README.md

@@ -12,4 +12,38 @@ RECOMMENDATION:
 2. This can be left public in demo or internal development environments only.
 
 ********************************************************************************
-{{- end }}
+{{- end }}
+
+{{- with .Values.gatewayApi }}
+{{ if .enabled }}
+********************************************************************************
+***              WARNING: GATEWAY API CONFIGURATION                          ***
+********************************************************************************
+
+The legacy flag `gatewayApi.enabled` is set to TRUE. Any configuration
+previously managed by `gatewayApi` will be ignored. See the following sections
+for migration.
+
+RECOMMENDATION:
+
+1. Use `gateway-api.enabled` flag.
+2. Use `gateway-api` instead of `gatewayApi` to configure the Gateway API.
+
+ATTRIBUTE CHANGES:
+
+| Legacy                            | New                                   |
+| --------------------------------- | ------------------------------------- |
+| `gatewayApi.enabled`              | `gateway-api.enabled`                 |
+| `gatewayApi.gatewayClassName`     | `gateway-api.gateway.className`       |
+| `gatewayApi.name`                 | `gateway-api.gateway.name`            |
+| `gatewayApi.httpPort`             | `gateway-api.gateway.httpPort`        |
+| `gatewayApi.httpsPort`            | `gateway-api.gateway.httpsPort`       |
+| `gatewayApi.tlsSecretName`        | `gateway-api.gateway.tlsSecretName`   |
+| `gatewayApi.gatewayLabels`        | `gateway-api.gateway.labels`          |
+| `gatewayApi.gatewayAnnotations`   | `gateway-api.gateway.annotations`     |
+| `gatewayApi.routeLabels`          | `gateway-api.routes.labels`           |
+| `gatewayApi.routeAnnotations`     | `gateway-api.routes.annotations`      |
+
+********************************************************************************
+{{- end }}
+{{- end }}

charts/gluu-all-in-one/templates/NOTES.txt

@@ -94,6 +94,8 @@ data:
   | replace "scriptLogLevel" "script_log_level"
   | replace "auditStatsLogTarget" "audit_log_target"
   | replace "auditStatsLogLevel" "audit_log_level"
+  | replace "lockLogTarget" "lock_log_target"
+  | replace "lockLogLevel" "lock_log_level"
   | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix"
   | squote
   }}

charts/gluu-all-in-one/templates/configmap.yaml

@@ -77,8 +77,8 @@ spec:
             value: {{ include "saml.customJavaOptions" . | trim }}
           - name: CN_SCIM_JAVA_OPTIONS
             value: {{ include "scim.customJavaOptions" . | trim }}
-          {{- include "flex-all-in-one.usr-envs" . | indent 12 }}
-          {{- include "flex-all-in-one.usr-secret-envs" . | indent 12 }}
+          {{- include "flex-all-in-one.usr-envs" . | indent 10 }}
+          {{- include "flex-all-in-one.usr-secret-envs" . | indent 10 }}
         securityContext:
           runAsUser: 1000
           runAsNonRoot: true

charts/gluu-all-in-one/templates/deployment.yml

@@ -0,0 +1,63 @@
+{{- if index .Values "gateway-api" "enabled" -}}
+
+{{- $fullName := include "flex-all-in-one.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ index .Values "gateway-api" "gateway" "name" }}
+  namespace: {{ $namespace }}
+  labels:
+    app: {{ $fullName }}-gateway
+    {{- if index .Values "gateway-api" "gateway" "labels" }}
+    {{- toYaml (index .Values "gateway-api" "gateway" "labels") | nindent 4 }}
+    {{- end }}
+  {{- if index .Values "gateway-api" "gateway" "annotations" }}
+  annotations:
+    {{- toYaml (index .Values "gateway-api" "gateway" "annotations") | nindent 4 }}
+  {{- end }}
+spec:
+  gatewayClassName: {{ index .Values "gateway-api" "gateway" "className" }}
+  infrastructure:
+    labels:
+      app: {{ $fullName }}-gateway-infrastructure
+      {{- if index .Values "gateway-api" "gateway" "infrastructure" "labels" }}
+      {{- toYaml (index .Values "gateway-api" "gateway" "infrastructure" "labels") | nindent 6 }}
+      {{- end }}
+    {{- if index .Values "gateway-api" "gateway" "infrastructure" "annotations" }}
+    annotations:
+      {{- toYaml (index .Values "gateway-api" "gateway" "infrastructure" "annotations") | nindent 6 }}
+    {{- end }}
+    {{- if index .Values "gateway-api" "gateway" "infrastructure" "parametersRef" }}
+    parametersRef:
+      {{- toYaml (index .Values "gateway-api" "gateway" "infrastructure" "parametersRef") | nindent 6 }}
+    {{- else if and (eq (index .Values "gateway-api" "gateway" "className") "airlock-microgateway") (index .Values "gateway-api" "additionalConfig" "airlock" "createLbService") }}
+    parametersRef:
+      group: microgateway.airlock.com
+      kind: GatewayParameters
+      name: {{ .Release.Name }}-airlock-gw-params
+    {{- else if and (eq (index .Values "gateway-api" "gateway" "className") "nginx") (index .Values "gateway-api" "gateway" "caCert") }}
+    parametersRef:
+      group: gateway.nginx.org
+      kind: NginxProxy
+      name: {{ .Release.Name }}-nginx-proxy-config
+    {{- end }}
+  {{- if and (index .Values "gateway-api" "gateway" "attachLbIp") (.Values.lbIp) }}
+  addresses:
+  - type: IPAddress
+    value: {{ .Values.lbIp }}
+  {{- end }}
+  listeners:
+  - name: http
+    port: {{ index .Values "gateway-api" "gateway" "httpPort" }}
+    protocol: HTTP
+  - name: https
+    port: {{ index .Values "gateway-api" "gateway" "httpsPort" }}
+    protocol: HTTPS
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - name: {{ index .Values "gateway-api" "gateway" "tlsSecretName" }}
+
+{{- end }}

charts/gluu-all-in-one/templates/gw-api-gateway.yaml

@@ -0,0 +1,13 @@
+{{- if and (index .Values "gateway-api" "enabled") (eq (index .Values "gateway-api" "gateway" "className") "airlock-microgateway") -}}
+{{- if index .Values "gateway-api" "additionalConfig" "airlock" "createLbService" }}
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: GatewayParameters
+metadata:
+  name: {{ .Release.Name }}-airlock-gw-params
+  namespace: {{ .Release.Namespace }}
+spec:
+  kubernetes:
+    service:
+      type: LoadBalancer
+{{- end }}
+{{- end }}

charts/gluu-all-in-one/templates/gw-api-impl-airlock.yaml

@@ -0,0 +1,12 @@
+{{- if and (index .Values "gateway-api" "enabled") (eq (index .Values "gateway-api" "gateway" "className") "cilium") -}}
+{{- $fullName := include "flex-all-in-one.fullname" . -}}
+{{- if index .Values "gateway-api" "additionalConfig" "cilium" "ipPoolBlocks" }}
+apiVersion: "cilium.io/v2"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: {{ $fullName }}-cilium-ip-pool
+spec:
+  blocks:
+    {{- toYaml (index .Values "gateway-api" "additionalConfig" "cilium" "ipPoolBlocks") | nindent 4 }}
+{{- end }}
+{{- end }}

charts/gluu-all-in-one/templates/gw-api-impl-cilium.yaml

@@ -0,0 +1,10 @@
+{{- if and (index .Values "gateway-api" "enabled") (eq (index .Values "gateway-api" "gateway" "className") "envoy") -}}
+{{- if index .Values "gateway-api" "additionalConfig" "envoy" "createGatewayClass" }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+{{- end }}
+{{- end }}

charts/gluu-all-in-one/templates/gw-api-impl-envoy.yaml

@@ -0,0 +1,70 @@
+{{- if and (index .Values "gateway-api" "enabled") (eq (index .Values "gateway-api" "gateway" "className") "nginx") -}}
+
+{{- if index .Values "gateway-api" "gateway" "caCert" }}
+apiVersion: gateway.nginx.org/v1alpha2
+kind: NginxProxy
+metadata:
+  name: {{ .Release.Name }}-nginx-proxy-config
+  namespace: {{ .Release.Namespace }}
+spec:
+  kubernetes:
+    deployment:
+      container:
+        volumeMounts:
+          - mountPath: /etc/nginx/extra-secrets/ca.crt
+            name: gateway-ca-cert
+            subPath: ca.crt
+          - mountPath: /etc/nginx/extra-secrets
+            name: extra-secrets
+      pod:
+        volumes:
+          - name: extra-secrets
+            emptyDir: {}
+          - name: gateway-ca-cert
+            secret:
+              defaultMode: 0664
+              secretName: {{ .Release.Name }}-gateway-ca-cert
+{{- end }}
+
+{{- /* Start of Snippets definition */}}
+{{- if and (index .Values "gateway-api" "gateway" "verifyClientCertProtection") (index .Values "gateway-api" "additionalConfig" "nginx" "enableClientCertSnippets") }}
+---
+
+apiVersion: gateway.nginx.org/v1alpha1
+kind: SnippetsFilter
+metadata:
+  name: {{ .Release.Name }}-nginx-verify-client
+  namespace: {{ .Release.Namespace }}
+spec:
+  snippets:
+    - context: http.server.location
+      value: |
+        if ($ssl_client_verify != SUCCESS) {
+          return 403;
+        }
+        proxy_set_header X-ClientCert $ssl_client_escaped_cert;
+
+{{- if index .Values "gateway-api" "gateway" "caCert" }}
+---
+
+apiVersion: gateway.nginx.org/v1alpha1
+kind: SnippetsPolicy
+metadata:
+  name: {{ .Release.Name }}-nginx-verify-client
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: {{ index .Values "gateway-api" "gateway" "name" }}
+  snippets:
+    - context: http.server
+      value: |
+        ssl_client_certificate /etc/nginx/extra-secrets/ca.crt;
+        ssl_verify_client optional;
+{{- end }}
+
+{{- end }}
+{{- /* End of Snippets definition */}}
+
+{{- end }}