Support for Authorino enable/disable superseding strict host subsets

README.md

@@ -123,6 +123,7 @@ the state of the Kubernetes Deployment and associated resources, based on the st
 | clusterWide              |           Boolean           | Sets the Authorino instance's [watching scope](https://github.com/Kuadrant/authorino/blob/main/docs/architecture.md#cluster-wide-vs-namespaced-instances) – cluster-wide or namespaced.                                                 | Default: `true` (cluster-wide)                        |
 | authConfigLabelSelectors |           String            | [Label selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) used by the Authorino instance to filter `AuthConfig`-related reconciliation events.                                       | Default: empty (all AuthConfigs are watched)          |
 | secretLabelSelectors     |           String            | [Label selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) used by the Authorino instance to filter `Secret`-related reconciliation events (API key and mTLS authentication methods). | Default: `authorino.kuadrant.io/managed-by=authorino` |
+| supersedingHostSubsets   |           Boolean           | Enable/disable allowing AuthConfigs to supersede strict subsets of hosts already taken.                                                                                                                                                 | Default: `false`                                      |
 | replicas                 |           Integer           | Number of replicas desired for the Authorino instance. Values greater than 1 enable leader election in the Authorino service, where the leader updates the statuses of the `AuthConfig` CRs).                                           | Default: 1                                            |
 | evaluatorCacheSize       |           Integer           | Cache size (in megabytes) of each Authorino evaluator (when enabled in an [`AuthConfig`](https://github.com/Kuadrant/authorino/blob/main/docs/features.md#common-feature-caching-cache)).                                               | Default: 1                                            |
 | image                    |           String            | Authorino image to be deployed (for dev/testing purpose only).                                                                                                                                                                          | Default: `quay.io/kuadrant/authorino:latest`          |

api/v1beta1/authorino_types.go

@@ -71,6 +71,7 @@ type AuthorinoSpec struct {
 	OIDCServer               OIDCServer  `json:"oidcServer"`
 	AuthConfigLabelSelectors string      `json:"authConfigLabelSelectors,omitempty"`
 	SecretLabelSelectors     string      `json:"secretLabelSelectors,omitempty"`
+	SupersedingHostSubsets   bool        `json:"supersedingHostSubsets,omitempty"`
 	EvaluatorCacheSize       *int        `json:"evaluatorCacheSize,omitempty"`
 	Tracing                  Tracing     `json:"tracing,omitempty"`
 	Metrics                  Metrics     `json:"metrics,omitempty"`

bundle/manifests/operator.authorino.kuadrant.io_authorinos.yaml

@@ -136,6 +136,8 @@ spec:
                 type: integer
               secretLabelSelectors:
                 type: string
+              supersedingHostSubsets:
+                type: boolean
               tracing:
                 properties:
                   endpoint:

config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml

@@ -138,6 +138,8 @@ spec:
                 type: integer
               secretLabelSelectors:
                 type: string
+              supersedingHostSubsets:
+                type: boolean
               tracing:
                 properties:
                   endpoint:

config/deploy/manifests.yaml

@@ -5537,6 +5537,8 @@ spec:
                 type: integer
               secretLabelSelectors:
                 type: string
+              supersedingHostSubsets:
+                type: boolean
               tracing:
                 properties:
                   endpoint:

config/install/manifests.yaml

@@ -136,6 +136,8 @@ spec:
                 type: integer
               secretLabelSelectors:
                 type: string
+              supersedingHostSubsets:
+                type: boolean
               tracing:
                 properties:
                   endpoint:

controllers/authorino_controller.go

@@ -324,6 +324,11 @@ func (r *AuthorinoReconciler) buildAuthorinoArgs(authorino *api.Authorino) []str
 		args = append(args, fmt.Sprintf("--%s=%s", flagWatchedSecretLabelSelector, selectors))
 	}
 
+	// allow-superseding-host-subsets
+	if authorino.Spec.SupersedingHostSubsets {
+		args = append(args, fmt.Sprintf("--%s", flagSupersedingHostSubsets))
+	}
+
 	// log-level
 	if logLevel := authorino.Spec.LogLevel; logLevel != "" {
 		args = append(args, fmt.Sprintf("--%s=%s", flagLogLevel, logLevel))

controllers/authorino_controller_test.go

@@ -326,6 +326,8 @@ func checkAuthorinoArgs(authorinoInstance *api.Authorino, args []string) {
 			Expect(value).Should(Equal(authorinoInstance.Spec.AuthConfigLabelSelectors))
 		case flagWatchedSecretLabelSelector:
 			Expect(value).Should(Equal(authorinoInstance.Spec.SecretLabelSelectors))
+		case flagSupersedingHostSubsets:
+			Expect(authorinoInstance.Spec.SupersedingHostSubsets).Should(BeTrue())
 		case flagLogLevel:
 			Expect(value).Should(Equal(authorinoInstance.Spec.LogLevel))
 		case flagLogMode:

controllers/constants.go

@@ -33,6 +33,7 @@ const (
 	flagWatchNamespace                 string = "watch-namespace"
 	flagWatchedAuthConfigLabelSelector string = "auth-config-label-selector"
 	flagWatchedSecretLabelSelector     string = "secret-label-selector"
+	flagSupersedingHostSubsets         string = "allow-superseding-host-subsets"
 	flagLogLevel                       string = "log-level"
 	flagLogMode                        string = "log-mode"
 	flagTimeout                        string = "timeout"