Endless loop of reconciliation of AuthConfig #354

Closed
guicassolato opened this issue Dec 4, 2023 · 0 comments · Fixed by #356
Labels: kind/bug

guicassolato commented Dec 4, 2023

Some AuthPolicies can cause the operator to go into an endless loop of reconciliation of the corresponding AuthConfigs, where the operator detects a difference in the spec of the AuthConfig when comparing existing vs desired state, and thus updates the resource. Authorino picks up the change of generation, reconciles the resource, updates its status stanza, which triggers the operator again.

This issue was first described in #341, related to #303.

Example of "safe" AuthPolicy (i.e. does not activate the bug)

```yaml
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
    authentication:
      "api-key-authn":
        apiKey:
          selector: {}
        credentials:
          authorizationHeader:
            prefix: APIKEY
    authorization:
      "only-admins":
        opa:
          rego: |
            groups := split(object.get(input.auth.identity.metadata.annotations, "kuadrant.io/groups", ""), ",")
            allow { groups[_] == "admins" }
        routeSelectors:
        - matches:
          - path:
              type: PathPrefix
              value: "/admin"
```

Example of "unsafe" AuthPolicy (i.e. activates the bug)

```yaml
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
    metadata:
      foo:
        http:
          contentType: application/x-www-form-urlencoded
          headers:
            Accept:
              value: application/json
          method: GET
          url: http://toystore:3000
```