Target ref #691

dlaw4608 · 2024-06-06T11:31:16Z

Using PolicyTargetReference instead of Selector for authpolicy_controller

closes issue : #302

Verification Steps

Set up an instance of kuadrant and the toystore.

make local-setup
kubectl apply -f examples/toystore/kuadrant.yaml
kubectl apply -f examples/toystore/toystore.yaml

Create and Apply AuthPolicies

echo "
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: gw-1
  namespace: istio-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gw-1
  rules:
    authentication:
      api-key-users:
        apiKey:
          selector:
            matchLabels:
              app: toystore
          allNamespaces: true
        credentials:
          authorizationHeader:
            prefix: APIKEY
    response:
      success:
        dynamicMetadata:
          identity:
            json:
              properties:
                userid:
                  selector: auth.identity.metadata.annotations.secret\\.kuadrant\\.io/user-id
---
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: toystore
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
    authentication:
      api-key-users:
        apiKey:
          selector:
            matchLabels:
              app: toystore
          allNamespaces: true
        credentials:
          authorizationHeader:
            prefix: TOYSTORE
    response:
      success:
        dynamicMetadata:
          identity:
            json:
              properties:
                userid:
                  selector: auth.identity.metadata.annotations.secret\\.kuadrant\\.io/user-id
" | kubectl apply -f -

Deploy the Gateway:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gw-1
  namespace: istio-system
  annotations:
    kuadrant.io/namespace: kuadrant-system
    networking.istio.io/service-type: ClusterIP
spec:
  gatewayClassName: istio
  listeners:
    - name: apis
      port: 80
      protocol: HTTP
      hostname: '*.io'
      allowedRoutes:
        namespaces:
          from: All
" | kubectl apply -f -

Create and Apply the Route:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
  namespace: default
spec:
  parentRefs:
  - name: gw-1
    namespace: istio-system
  hostnames:
  - api.toystore.io
  rules:
  - matches:
    - path:
        type: Exact
        value: /toy
      method: GET
    backendRefs:
    - name: toystore
      port: 80
" | kubectl apply -f -

Check the Status of 'AuthPolicy' resources:
kubectl get authpolicy -A
Detailed status Verification:
kubectl get authpolicy -n istio-system gw-1 -o yaml
kubectl get authpolicy -n default toystore -o yaml
Check events for AuthPolicies:
kubectl describe authpolicy -n istio-system gw-1
kubectl describe authpolicy -n default toystore
Should output both of these for each auth-policy

    Target Ref:
    Group:  gateway.networking.k8s.io
    Kind:   Gateway
    Name:   gw-1

    Target Ref:
    Group:  gateway.networking.k8s.io
    Kind:   HTTPRoute
    Name:   toystore

- Added TargetRef to AuthPolicy to specify the target reference. - Replaced the gateway object with the gateway wrapped inside the gatewayWrapper. - Fixed various errors and improved code formatting. - Resolved issues with Istio integration tests. This commit consolidates multiple changes made during the development process, improving the stability and functionality of the AuthPolicy controller and related tests.

tests/istio/authpolicy_controller_authorizationpolicy_test.go

KevFan

Followed user guide https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/user-guides/auth-for-app-devs-and-platform-engineers.md and was working as expected 👍

Also checked the target ref of the AuthorizationPolicies

eguzki · 2024-06-14T12:36:32Z

You need to rebase on top of latest main. That should fix the integration test failing issue

…- Added TargetRef to AuthPolicy to specify the target reference. - Replaced the gateway object with the gateway wrapped inside the gatewayWrapper. - Fixed various errors and improved code formatting. - Resolved issues with Istio integration tests. This commit consolidates multiple changes made during the development process, improving the stability and functionality of the AuthPolicy controller and related tests.

dlaw4608 requested a review from a team as a code owner June 6, 2024 11:31

dlaw4608 marked this pull request as draft June 6, 2024 11:31

dlaw4608 assigned KevFan and dlaw4608 and unassigned KevFan and dlaw4608 Jun 6, 2024

dlaw4608 force-pushed the targetRef branch from f1fc80c to 6ad0982 Compare June 11, 2024 13:08

dlaw4608 marked this pull request as ready for review June 11, 2024 16:38

dlaw4608 requested a review from KevFan June 12, 2024 10:31

KevFan added kind/enhancement New feature or request good first issue Good for newcomers size/small labels Jun 12, 2024

KevFan reviewed Jun 12, 2024

View reviewed changes

tests/istio/authpolicy_controller_authorizationpolicy_test.go Outdated Show resolved Hide resolved

KevFan approved these changes Jun 13, 2024

View reviewed changes

eguzki approved these changes Jun 13, 2024

View reviewed changes

dlaw4608 force-pushed the targetRef branch from 80c1af2 to a4d7ece Compare June 17, 2024 10:03

dlaw4608 merged commit d2e301b into Kuadrant:main Jun 17, 2024
18 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Target ref #691

Target ref #691

dlaw4608 commented Jun 6, 2024 •

edited

Loading

KevFan left a comment

eguzki commented Jun 14, 2024 •

edited

Loading

Target ref #691

Target ref #691

Conversation

dlaw4608 commented Jun 6, 2024 • edited Loading

Using PolicyTargetReference instead of Selector for authpolicy_controller

Verification Steps

KevFan left a comment

Choose a reason for hiding this comment

eguzki commented Jun 14, 2024 • edited Loading

dlaw4608 commented Jun 6, 2024 •

edited

Loading

eguzki commented Jun 14, 2024 •

edited

Loading