-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix dependencies namespace propagation #109
Conversation
3cfbeb0
to
4d451fc
Compare
4757c9e
to
ecd20c2
Compare
ecd20c2
to
4f94832
Compare
NamespaceSeparator = '/' | ||
LimitadorName = "limitador" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you mean to remove the ability to redefine this thru a environment variable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I could rollback to env var with default too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just thought if there's only one limitador and authorino per kuadrant, there was no need to make a difference
@@ -142,6 +141,10 @@ func (r *KuadrantReconciler) Reconcile(eventCtx context.Context, req ctrl.Reques | |||
} | |||
} | |||
|
|||
if gwErr := r.reconcileClusterGateways(ctx, kObj); gwErr != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What drove this? This is new, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is basically the key step to communicate the Kuadrant instance namespace to the policies. It will annotate the Gateways with its namespace, thus the policies, who knows about the GW or at least the HTTPRoute pointing to the Gateway will have access to this annotation
Also, if I read this right, limitador now has to be in the kuadrant ns... this hadn't to be the case before, or was it? |
Previously it was the same, limitador and authorino were installed in the hardcoded |
I'll merge, then I could do a following PR addressing any future comments |
This PR aims to solve the limitation introduced by #48. Noting that this will not be the final behaviour since a RFC is still being defined.
Closes #69
Addresses partially #56
A few considerations and limitations adopted:
Diagram of how everything will be setup in the verification steps:
Namespaces
Verification Steps:
kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 &
curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
It should return a
200
Bob
andAlice
AuthPolicy
to configure API key based authenticationcurl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
It should return a
401 Unauthorized
You should be able to use either Alice or Bob API Key like:
Bob
Alice
Only 2 requests every 10 allowed for Bob.
Only 5 requests every 10 allowed for Alice.