diff --git a/Makefile b/Makefile index c4be89089..09002a0f6 100644 --- a/Makefile +++ b/Makefile @@ -284,7 +284,7 @@ local-deploy: ## Deploy Kuadrant Operator in the cluster pointed by KUBECONFIG kubectl -n $(KUADRANT_NAMESPACE) wait --timeout=300s --for=condition=Available deployments --all @echo @echo "Now you can export the kuadrant gateway by doing:" - @echo "kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 &" + @echo "kubectl port-forward -n istio-system service/istio-ingressgateway-istio 9080:80 &" @echo "after that, you can curl -H \"Host: myhost.com\" localhost:9080" @echo "-- Linux only -- Ingress gateway is exported using nodePort service in port 9080" @echo "curl -H \"Host: myhost.com\" localhost:9080" diff --git a/doc/user-guides/auth-for-app-devs-and-platform-engineers.md b/doc/user-guides/auth-for-app-devs-and-platform-engineers.md index 3e736a00e..b7a0070c6 100644 --- a/doc/user-guides/auth-for-app-devs-and-platform-engineers.md +++ b/doc/user-guides/auth-for-app-devs-and-platform-engineers.md @@ -110,20 +110,28 @@ spec: EOF ``` +Export the gateway hostname and port: + +```sh +export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}') +export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +``` + Send requests to the application unprotected: ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/cars -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i # HTTP/1.1 200 OK ``` ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/dolls -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/dolls -i # HTTP/1.1 200 OK ``` ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/admin -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/admin -i # HTTP/1.1 200 OK ``` @@ -199,22 +207,22 @@ EOF Send requests to the application protected by Kuadrant: ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/cars -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i # HTTP/1.1 401 Unauthorized ``` ```sh -curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://localhost:9080/cars -i +curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$GATEWAY_URL/cars -i # HTTP/1.1 200 OK ``` ```sh -curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://localhost:9080/admin -i +curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$GATEWAY_URL/admin -i # HTTP/1.1 403 Forbidden ``` ```sh -curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://localhost:9080/admin -i +curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://$GATEWAY_URL/admin -i # HTTP/1.1 200 OK ``` @@ -274,7 +282,7 @@ EOF Send requests to the route protected by the default policy set at the level of the gateway: ```sh -curl -H 'Host: foo.other-apps.com' http://localhost:9080/ -i +curl -H 'Host: foo.other-apps.com' http://$GATEWAY_URL/ -i # HTTP/1.1 403 Forbidden ``` diff --git a/doc/user-guides/authenticated-rl-for-app-developers.md b/doc/user-guides/authenticated-rl-for-app-developers.md index e0e22b83f..6c4305829 100644 --- a/doc/user-guides/authenticated-rl-for-app-developers.md +++ b/doc/user-guides/authenticated-rl-for-app-developers.md @@ -86,17 +86,27 @@ spec: EOF ``` +Export the gateway hostname and port: + +```sh +export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}') +export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +``` + Verify the route works: ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 200 OK ``` -> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service: +> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing locally: > > ```sh > kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 2>&1 >/dev/null & +> curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i +> # HTTP/1.1 200 OK > ``` ### ③ Enforce authentication on requests to the Toy Store API @@ -139,7 +149,7 @@ EOF Verify the authentication works by sending a request to the Toy Store API without API key: ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 401 Unauthorized # www-authenticate: APIKEY realm="api-key-users" # x-ext-auth-reason: "credential not found" @@ -225,13 +235,13 @@ Verify the rate limiting works by sending requests as Alice and Bob. Up to 5 successful (`200 OK`) requests every 10 seconds allowed for Alice, then `429 Too Many Requests`: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done ``` Up to 2 successful (`200 OK`) requests every 10 seconds allowed for Bob, then `429 Too Many Requests`: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done ``` ## Cleanup diff --git a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md index c4844c649..fe263c26d 100644 --- a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md +++ b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md @@ -82,17 +82,27 @@ kubectl apply -f examples/toystore/httproute.yaml #### Try the API unprotected +Export the gateway hostname and port: + +```sh +export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}') +export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +``` + ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 200 OK ``` It should return `200 OK`. -> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service: +> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing over localhost: > > ```sh > kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 2>&1 >/dev/null & +> curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i +> # HTTP/1.1 200 OK > ``` ### ③ Deploy Keycloak @@ -157,7 +167,7 @@ EOF #### Try the API missing authentication ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 401 Unauthorized # www-authenticate: Bearer realm="keycloak-users" # www-authenticate: Bearer realm="k8s-service-accounts" @@ -175,7 +185,7 @@ ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlim Send a request to the API as the Keycloak-authenticated user while still missing permissions: ```sh -curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 403 Forbidden ``` @@ -199,7 +209,7 @@ SA_TOKEN=$(kubectl create token client-app-1) Send a request to the API as the service account while still missing permissions: ```sh -curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 403 Forbidden ``` @@ -281,24 +291,24 @@ EOF Send requests to the API as the Keycloak-authenticated user: ```sh -curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 200 OK ``` ```sh -curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' -X POST http://localhost:9080/admin/toy -i +curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' -X POST http://$GATEWAY_URL/admin/toy -i # HTTP/1.1 200 OK ``` Send requests to the API as the Kubernetes service account: ```sh -curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i +curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i # HTTP/1.1 200 OK ``` ```sh -curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' -X POST http://localhost:9080/admin/toy -i +curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' -X POST http://$GATEWAY_URL/admin/toy -i # HTTP/1.1 403 Forbidden ``` @@ -339,13 +349,13 @@ Each user should be entitled to a maximum of 5 requests every 10 seconds. Send requests as the Keycloak-authenticated user: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done ``` Send requests as the Kubernetes service account: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done ``` ## Cleanup diff --git a/doc/user-guides/gateway-dns.md b/doc/user-guides/gateway-dns.md index 4b20e46dd..361a10bb5 100644 --- a/doc/user-guides/gateway-dns.md +++ b/doc/user-guides/gateway-dns.md @@ -31,11 +31,6 @@ Deploy policy controller and install DNSPolicy CRD: make deploy-policy-controller ``` -Install metallb: -```shell -make install-metallb -``` - Create a namespace: ```shell kubectl create namespace my-gateways diff --git a/doc/user-guides/gateway-rl-for-cluster-operators.md b/doc/user-guides/gateway-rl-for-cluster-operators.md index 000b8399e..df70cbe9c 100644 --- a/doc/user-guides/gateway-rl-for-cluster-operators.md +++ b/doc/user-guides/gateway-rl-for-cluster-operators.md @@ -188,13 +188,13 @@ kubectl port-forward -n istio-system service/internal-istio 9082:80 2>&1 >/dev/n Up to 5 successful (`200 OK`) requests every 10 seconds through the `external` ingress gateway (`*.io`), then `429 Too Many Requests`: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.io' http://localhost:9081 | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.io' http://localhost:9081 | grep -E --color "\b(429)\b|$"; sleep 1; done ``` Unlimited successful (`200 OK`) through the `internal` ingress gateway (`*.local`): ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.local' http://localhost:9082 | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.local' http://localhost:9082 | grep -E --color "\b(429)\b|$"; sleep 1; done ``` ## Cleanup diff --git a/doc/user-guides/gateway-tls.md b/doc/user-guides/gateway-tls.md index 9e38d2344..3e9a7245a 100644 --- a/doc/user-guides/gateway-tls.md +++ b/doc/user-guides/gateway-tls.md @@ -30,11 +30,6 @@ Deploy policy controller and install TLSPolicy CRD: make deploy-policy-controller ``` -Install metallb: -```shell -make install-metallb -``` - Create a namespace: ```shell kubectl create namespace my-gateways diff --git a/doc/user-guides/simple-rl-for-app-developers.md b/doc/user-guides/simple-rl-for-app-developers.md index c3f0df999..c2bf7c59f 100644 --- a/doc/user-guides/simple-rl-for-app-developers.md +++ b/doc/user-guides/simple-rl-for-app-developers.md @@ -87,10 +87,18 @@ spec: EOF ``` +Export the gateway hostname and port: + +```sh +export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}') +export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +``` + Verify the route works: ```sh -curl -H 'Host: api.toystore.com' http://localhost:9080/toys -i +curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i # HTTP/1.1 200 OK ``` @@ -141,13 +149,13 @@ Verify the rate limiting works by sending requests in a loop. Up to 5 successful (`200 OK`) requests every 10 seconds to `POST /toys`, then `429 Too Many Requests`: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://localhost:9080/toys -X POST | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -X POST | grep -E --color "\b(429)\b|$"; sleep 1; done ``` Unlimited successful (`200 OK`) to `GET /toys`: ```sh -while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://localhost:9080/toys | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys | grep -E --color "\b(429)\b|$"; sleep 1; done ``` ## Cleanup