837 new policies

Makefile

@@ -159,7 +159,7 @@ docker-build: ## Build docker image with the manager.
 		--tag kubeshop/kusk-gateway:$(shell git describe --tags $(shell git rev-list --tags --max-count=1)) \
 		--file ./build/manager/Dockerfile \
 		.
-	minikube image --profile kgw load kubeshop/kusk-gateway:$(shell git describe --tags $(shell git rev-list --tags --max-count=1))
+	minikube image --profile kgw load kubeshop/kusk-gateway:$(shell git describe --tags $(shell git rev-list --tags --max-count=1)) 
 
 ##@ Deployment
 

config/default/kustomization.yaml

@@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../crd
-- ../rbac
-- ../manager
-- ../webhook
+  - ../crd
+  - ../rbac
+  - ../manager
+  - ../webhook
 
 # Adds namespace to all resources.
 namespace: kusk-system
@@ -22,8 +22,8 @@ commonLabels:
   app.kubernetes.io/name: kusk-gateway
 
 patchesStrategicMerge:
-- manager_auth_proxy_patch.yaml
-- manager_webhook_patch.yaml
+  - manager_auth_proxy_patch.yaml
+  - manager_webhook_patch.yaml
 
 images:
 - name: kusk-gateway

config/samples/gateway_v1_api.yaml

@@ -43,7 +43,7 @@ spec:
           description: Find out more about our store
           url: 'http://swagger.io'
     x-kusk:
-      disabled: false
+      hidden: false
       cors:
         origins:
         - "*"
@@ -72,10 +72,10 @@ spec:
     paths:
       /pet:
         x-kusk:
-          disabled: true
+          hidden: true
         post:
           x-kusk:
-            disabled: false
+            hidden: false
             upstream:
               host:
                 hostname: petstore1.default1.svc.cluster.local
@@ -196,7 +196,7 @@ spec:
       '/pet/{petId}':
         get:
           x-kusk:
-            disabled: false
+            hidden: false
             cors:
               origins:
               - "http://example.com"

development/petshop-openapi-short-with-kusk-and-mock.yaml

@@ -36,7 +36,7 @@ x-kusk:
   hosts: 
   - "*"
   - "example.org"
-  disabled: false
+  hidden: false
   cors:
     origins:
     - "*"
@@ -64,10 +64,10 @@ x-kusk:
 paths:
   /pet:
     x-kusk:
-      disabled: true
+      hidden: true
     post:
       x-kusk:
-        disabled: false
+        hidden: false
         host:
           hostname: petstore1.default1.svc.cluster.local
           port: 8080
@@ -240,7 +240,7 @@ paths:
     # This paths is mocked!
     get:
       x-kusk:
-        disabled: false
+        hidden: false
         # Routing to mocking here
         upstream:
           service:

development/petshop-openapi-short-with-kusk.yaml

@@ -36,7 +36,7 @@ x-kusk:
   hosts: 
   - "*"
   - "example.org"
-  disabled: false
+  hidden: false
   cors:
     origins:
     - "*"
@@ -64,10 +64,10 @@ x-kusk:
 paths:
   /pet:
     x-kusk:
-      disabled: true
+      hidden: true
     post:
       x-kusk:
-        disabled: false
+        hidden: false
         upstream:
           host:
             hostname: petstore1.default1.svc.cluster.local
@@ -240,7 +240,7 @@ paths:
   '/pet/{petId}':
     get:
       x-kusk:
-        disabled: false
+        hidden: false
         cors:
           origins:
           - "http://example.com"

development/testing/manifests/api-second.yaml

@@ -15,7 +15,7 @@ spec:
       version: 1.0.0
     x-kusk:
       hosts: [ "example.org"]
-      disabled: true
+      hidden: true
       cors:
         origins:
           - 'http://example.org'
@@ -43,7 +43,7 @@ spec:
         get:
           # All GET are redirected to usual API with the rewrite (/second/todos/2 -> /testing/todos/2)
           x-kusk:
-            disabled: false
+            hidden: false
             redirect:
               host_redirect: "example.com"
               rewrite_regex:
@@ -200,7 +200,7 @@ spec:
         get:
           # Enable only GET
           x-kusk:
-            disabled: false
+            hidden: false
           responses:
             '200':
               description: The full list of todos
@@ -297,7 +297,7 @@ spec:
             - Todo
         delete:
           x-kusk:
-            disabled: true
+            hidden: true
           responses:
             '200':
               description: ''

docs/docs/extension.md

@@ -348,9 +348,8 @@ The `auth` object contains the following properties to configure HTTP authentica
 x-kusk:
 ...
   auth:
-    scheme: basic
-    path_prefix: /login # optional
-    auth-upstream:
+    custom:
+      path_prefix: /login # optional
       host:
         hostname: example.com
         port: 80
@@ -366,8 +365,7 @@ Check the [Custom Upstream auth guide](./guides/authentication/custom-auth-upstr
 x-kusk:
 ...
   auth:
-    scheme: cloudentity
-    auth-upstream:
+    cloudentity:
       host:
         hostname: cloudentity-authorizer-standalone-authorizer.kusk-system
         port: 9004

docs/docs/guides/authentication/cloudentity.md

@@ -52,8 +52,8 @@ x-kusk:
   mocking:
     enabled: true
   auth:
-    scheme: cloudentity
-    auth-upstream:
+
+    cloudentity:
       host:
         hostname: cloudentity-authorizer-standalone-authorizer.kusk-system # default authorizer service, change in case your authorizer is installed differently
         port: 9004

docs/docs/guides/authentication/custom-auth-upstream.md

@@ -15,8 +15,7 @@ info:
   version: 0.1.0
 x-kusk:
   auth:
-    scheme: basic
-    auth-upstream:
+    custom:
       host:
         hostname: auth-upstream-svc.default
         port:8080
@@ -37,8 +36,7 @@ paths:
     get:
       operationId: getHello
       auth:
-        scheme: basic
-        auth-upstream:
+        custom:
           host:
             hostname: auth-upstream-svc.default
             port:8080

examples/auth/cloudentity/example-1/api.yaml

@@ -23,8 +23,7 @@ spec:
           namespace: default
           port: 80
       auth:
-        scheme: cloudentity
-        auth-upstream:
+        cloudentity
           host:
             hostname: cloudentity-authorizer-standalone-authorizer.kusk-system
             port: 9004

examples/auth/cloudentity/example-1/openapi.yaml

@@ -13,8 +13,7 @@ x-kusk:
       namespace: kusk-system
       port: 80
   auth:
-    scheme: cloudentity
-    auth-upstream:
+    cloudentity:
       host:
         hostname: cloudentity-authorizer-standalone-authorizer.kusk-system
         port: 9004

examples/auth/oauth2/authorization-code-grant-root-disabled/api.yaml

@@ -22,8 +22,7 @@ spec:
           name: auth-oauth2-oauth0-authorization-code-grant-go-httpbin
           namespace: default
           port: 80
-      auth:
-        scheme: oauth2
+      auth:        
         oauth2:
           token_endpoint: https://kubeshop-kusk-gateway-oauth2.eu.auth0.com/oauth/token
           authorization_endpoint: https://kubeshop-kusk-gateway-oauth2.eu.auth0.com/authorize

examples/auth/oauth2/authorization-code-grant/api.yaml

@@ -22,8 +22,7 @@ spec:
           name: auth-oauth2-oauth0-authorization-code-grant-go-httpbin
           namespace: default
           port: 80
-      auth:
-        scheme: oauth2
+      auth:      
         oauth2:
           token_endpoint: https://kubeshop-kusk-gateway-oauth2.eu.auth0.com/oauth/token
           authorization_endpoint: https://kubeshop-kusk-gateway-oauth2.eu.auth0.com/authorize

examples/auth/oauth2/client-secret-ref/api.yaml

@@ -23,7 +23,6 @@ spec:
           namespace: default
           port: 80
       auth:
-        scheme: oauth2
         oauth2:
           token_endpoint: https://kubeshop-kusk-gateway-oauth2.eu.auth0.com/oauth/token
           authorization_endpoint: https://kubeshop-kusk-gateway-oauth2.eu.auth0.com/authorize

examples/ext-authz/basic-auth/basic-auth-api.yaml

@@ -19,8 +19,7 @@ spec:
     - https
     x-kusk:
       auth:
-        scheme: basic
-        auth-upstream:
+        custom:
           host:
             hostname: ext-authz-http-basic-auth
             port: 80

examples/ext-authz/http-basic-auth/api.yaml

@@ -19,8 +19,7 @@ spec:
     - https
     x-kusk:
       auth:
-        scheme: basic
-        auth-upstream:
+        custom:
           host:
             hostname: ext-authz-http-basic-auth
             port: 80

examples/httpbin/httpbin_v1_api.yaml

@@ -111,7 +111,7 @@ spec:
       "/xml":
         # Disable this path for test
         x-kusk:
-          disabled: true
+          hidden: true
         get:
           description: Returns some XML.
           operationId: "/xml"

go.mod

@@ -48,7 +48,6 @@ require (
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/olekukonko/tablewriter v0.0.4 // indirect
 	github.com/russross/blackfriday v1.5.2 // indirect
 	k8s.io/component-helpers v0.25.0 // indirect
 	k8s.io/metrics v0.25.0 // indirect

go.sum

@@ -504,7 +504,6 @@ github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaO
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -554,8 +553,6 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/olekukonko/tablewriter v0.0.4 h1:vHD/YYe1Wolo78koG299f7V/VAS08c6IpCLn+Ejf/w8=
-github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=

internal/controllers/parser.go

@@ -110,7 +110,7 @@ func UpdateConfigFromAPIOpts(
 		for method, operation := range pathItem.Operations() {
 
 			finalOpts := opts.OperationFinalSubOptions[method+path]
-			if finalOpts.Disabled != nil && *finalOpts.Disabled {
+			if finalOpts.Hidden != nil && *finalOpts.Hidden {
 				continue
 			}
 
@@ -414,18 +414,18 @@ func UpdateConfigFromAPIOpts(
 		}
 	}
 
-	if opts.OpenAPIPath != "" {
+	if opts.PublicAPIPath != "" {
 		for _, vh := range opts.Hosts {
 			mockedRouteBuilder, err := mocking.NewRouteBuilder("application/json", &route.Route{})
 			if err != nil {
 				return fmt.Errorf("cannot build mocked route: %w", err)
 			}
 
-			if !strings.HasPrefix(opts.OpenAPIPath, "/") {
-				opts.OpenAPIPath = fmt.Sprintf("/%s", opts.OpenAPIPath)
+			if !strings.HasPrefix(opts.PublicAPIPath, "/") {
+				opts.PublicAPIPath = fmt.Sprintf("/%s", opts.PublicAPIPath)
 			}
 			openapiRt, err := mockedRouteBuilder.BuildMockedRoute(&mocking.BuildMockedRouteArgs{
-				RoutePath:      opts.OpenAPIPath,
+				RoutePath:      opts.PublicAPIPath,
 				Method:         "GET",
 				StatusCode:     uint32(200),
 				ExampleContent: parseSpec.PostProcessedDef(*spec, *opts),
@@ -441,12 +441,12 @@ func UpdateConfigFromAPIOpts(
 
 				perRouteAuth, err := auth.RouteAuthzDisabled()
 				if err != nil {
-					return fmt.Errorf("cannot create per-route config to disable authorization: openapi-path=%q, %w", opts.OpenAPIPath, err)
+					return fmt.Errorf("cannot create per-route config to disable authorization: public_api_path=%q, %w", opts.PublicAPIPath, err)
 				}
 
 				openapiRt.TypedPerFilterConfig[wellknown.HTTPExternalAuthorization] = perRouteAuth
 
-				logger.Info("disabled `auth` for route", "openapi-path", opts.OpenAPIPath, "vh", fmt.Sprintf("%q", string(vh)))
+				logger.Info("disabled `auth` for route", "public_api_path", opts.PublicAPIPath, "vh", fmt.Sprintf("%q", string(vh)))
 			}
 
 			if err := envoyConfiguration.AddRouteToVHost(string(vh), openapiRt); err != nil {

internal/envoy/auth/ext_authz_parser.go

@@ -33,9 +33,9 @@ import (
 	"github.com/kubeshop/kusk-gateway/pkg/options"
 )
 
-func ParseAuthUpstreamOptions(authUpstreamOptions *options.AuthUpstream, args *parseAuthOptionsArguments, scheme string) error {
-	upstreamServiceHost := authUpstreamOptions.Host.Hostname
-	upstreamServicePort := authUpstreamOptions.Host.Port
+func ParseAuthUpstreamOptions(pathPrefix string, host options.AuthUpstreamHost, args *parseAuthOptionsArguments, scheme string) error {
+	upstreamServiceHost := host.Hostname
+	upstreamServicePort := host.Port
 
 	clusterName := args.GenerateClusterName(upstreamServiceHost, upstreamServicePort)
 
@@ -71,11 +71,6 @@ func ParseAuthUpstreamOptions(authUpstreamOptions *options.AuthUpstream, args *p
 		)
 	}
 
-	pathPrefix := ""
-	if authUpstreamOptions.PathPrefix != nil {
-		pathPrefix = *authUpstreamOptions.PathPrefix
-	}
-
 	typedConfig, err := NewFilterHTTPExternalAuthorization(
 		upstreamServiceHost,
 		upstreamServicePort,