
Istio external authorizer available not only for IstioOperator #192

Merged: 10 commits into main from istio-install-fix, Jul 5, 2023

Conversation

didierofrivia
Collaborator

@didierofrivia didierofrivia commented May 23, 2023

This PR aims to fix the registration of our Authorino as an external authorizer using Istio when it's not installed via its Operator.

Closes #168

Notes

  • Also reconciles the Istio ConfigMap with the external authorizers
  • If the IstioOperator CR returns an error, it continues reconciling the CM

Verification Steps

❶ Create a cluster with Gateway API and Istio:

make kind-create-cluster gateway-api-install istioctl
./bin/istioctl install -f config/dependencies/istio/istio-operator.yaml
make deploy-gateway

❷ Deploy Kuadrant dependencies and a local build, then apply its CR:

Create the namespace for the Kuadrant control plane:

kubectl create namespace kuadrant-system

Then install the dependencies and a local Kuadrant image:

make deploy-dependencies local-deploy

Then apply the Kuadrant CR:

kubectl -n kuadrant-system apply -f - <<EOF
---
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec: {}
EOF

❸ Apply the toystore example service and create an HTTPRoute:

kubectl apply -f examples/toystore/toystore.yaml
kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: toystore
  labels:
    app: toystore
spec:
  parentRefs:
    - name: istio-ingressgateway
      namespace: istio-system
  hostnames: ["*.toystore.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/toy"
          method: GET
      backendRefs:
        - name: toystore
          port: 80
EOF

❹ Create an API key as a Secret for user Bob:

kubectl apply -f - <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret.kuadrant.io/user-id: bob
  name: bob-key
  labels:
    authorino.kuadrant.io/managed-by: authorino
    app: toystore
stringData:
  api_key: IAMBOB
type: Opaque
EOF

❺ Apply the Authorino AuthPolicy:

kubectl apply -f - <<EOF
---
apiVersion: kuadrant.io/v1beta1
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
  - paths: ["/toy*"]
  authScheme:
    identity:
    - name: friends
      apiKey:
        allNamespaces: true
        selector:
          matchLabels:
            app: toystore
      credentials:
        in: authorization_header
        keySelector: APIKEY
    response:
    - json:
        properties:
          - name: userID
            value: null
            valueFrom:
              authJSON: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
      name: rate-limit-apikey
      wrapper: envoyDynamicMetadata
      wrapperKey: ext_auth_data
EOF

❻ Send requests:

curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy # 401
curl -v -H 'Authorization: APIKEY IAMBOB' -H 'Host: api.toystore.com' http://localhost:9080/toy # 200

TODO:

  • Update the unregister function with the new functionality
  • Refactor the istio functions into pkg/common
  • Tests
  • Verification steps

@didierofrivia didierofrivia marked this pull request as ready for review May 29, 2023 23:34
@didierofrivia didierofrivia requested a review from a team as a code owner May 29, 2023 23:34
@didierofrivia didierofrivia self-assigned this May 29, 2023
@didierofrivia didierofrivia force-pushed the istio-install-fix branch 2 times, most recently from fbf8b2e to cc37f84 Compare June 21, 2023 14:44
* Also reconciles the Istio ConfigMap with the external authorizers
* If the IstioOperator CR returns an error, it continues reconciling the CM
* Still relying on the Istio CRD being installed. If not, it means there is no Istio
* If it's a 404, it means Istio is installed some other way than via its operator
* If any other error happens, Istio is installed, but an error occurred
logger, _ := logr.FromContext(ctx)

err := r.unregisterExternalAuthorizerIstio(ctx)
isIstioInstalled, err := r.unregisterExternalAuthorizerIstio(ctx, kObj)
Contributor

Maybe in a next iteration unregisterExternalAuthorizerIstio and unregisterExternalAuthorizerOSSM can become one, and similarly registerExternalAuthorizerIstio and registerExternalAuthorizerOSSM. Fundamentally, and given the new abstractions now introduced with this PR, these pairs of functions are not very different from each other – if any different at all.

getIstioConfigObjects could become simply getConfigObjects (or perhaps getGatewayProviderConfigObjects to be more literal with the name), and return all gateway provider config objects that need to be patched.

Istio or OSSM, it doesn't really matter. In the end, it all reduces to iterating over all configs, passing them into the calls to common.UnregisterKuadrantAuthorizer and common.RegisterKuadrantAuthorizer. Thanks to this PR, the details of how to patch each kind of config are decoupled from the caller and abstracted by each config wrapper itself.
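The reconciliation the PR notes describe (register the Authorino ext-authz provider in whichever mesh config source exists, keep going when the IstioOperator CR is absent) and the "iterate over all configs" shape suggested in the comment above, as an added example. This is not kuadrant-operator code and does not use its common.RegisterKuadrantAuthorizer/UnregisterKuadrantAuthorizer helpers; it works on the already-parsed Istio mesh config dict (spec.meshConfig of the IstioOperator CR, or the mesh key of the istio ConfigMap), and the provider name and Authorino gRPC port are assumptions, as marked in the code:

```python
"""Idempotent (un)registration of Authorino as an Istio ext-authz provider.

Added example, not kuadrant-operator code. Istio reads `extensionProviders`
from its mesh config, which lives in `spec.meshConfig` of the IstioOperator CR
when Istio was installed through the operator, and in the `mesh` key of the
`istio` ConfigMap (istio-system) otherwise. The functions below work on the
already-parsed mesh config dict; fetching it and writing it back (kubectl,
PyYAML) is left to the caller.
"""
import copy

# Service name as shown in the PR's verification output.
AUTHORINO_SERVICE = "authorino-authorino-authorization.kuadrant-system.svc.cluster.local"
# Assumptions (not stated on the page): provider name and Authorino's gRPC port.
PROVIDER_NAME = "kuadrant-authorization"
AUTHORINO_PORT = 50051


def authorino_provider(name=PROVIDER_NAME, service=AUTHORINO_SERVICE, port=AUTHORINO_PORT):
    """Build the extensionProviders entry Envoy uses for gRPC ext-authz."""
    return {"name": name, "envoyExtAuthzGrpc": {"service": service, "port": port}}


def register(mesh_config, provider):
    """Return (new_mesh_config, changed). Never appends a duplicate name;
    an entry with the same name but a different spec is replaced in place."""
    cfg = copy.deepcopy(mesh_config)
    providers = cfg.setdefault("extensionProviders", [])
    for i, existing in enumerate(providers):
        if existing.get("name") == provider["name"]:
            if existing == provider:
                return cfg, False  # already registered, nothing to patch
            providers[i] = copy.deepcopy(provider)
            return cfg, True
    providers.append(copy.deepcopy(provider))
    return cfg, True


def unregister(mesh_config, name):
    """Return (new_mesh_config, changed) with the named provider removed."""
    cfg = copy.deepcopy(mesh_config)
    providers = cfg.get("extensionProviders", [])
    kept = [p for p in providers if p.get("name") != name]
    if len(kept) == len(providers):
        return cfg, False
    if kept:
        cfg["extensionProviders"] = kept
    else:
        del cfg["extensionProviders"]  # drop the empty list rather than leave `[]`
    return cfg, True


def is_registered(mesh_config, service=AUTHORINO_SERVICE):
    """The question `kubectl get ... | grep authorino` answers: is the service wired in?"""
    return any(p.get("envoyExtAuthzGrpc", {}).get("service") == service
               for p in mesh_config.get("extensionProviders", []))


class IstioNotInstalled(Exception):
    """No mesh config source exists at all (no IstioOperator CR, no istio ConfigMap)."""


def reconcile(targets, provider, remove=False):
    """Apply register/unregister to every mesh config source that exists.

    `targets` maps a source name to its mesh config dict, or None when the
    object does not exist (a 404 from the API server). A missing IstioOperator
    CR is not an error, it means Istio was installed some other way, so the
    ConfigMap is still reconciled. Returns {source: changed}.
    """
    if all(cfg is None for cfg in targets.values()):
        raise IstioNotInstalled("no IstioOperator CR and no istio ConfigMap found")
    result = {}
    for source, cfg in targets.items():
        if cfg is None:
            continue
        new_cfg, changed = (unregister(cfg, provider["name"]) if remove
                            else register(cfg, provider))
        targets[source] = new_cfg
        result[source] = changed
    return result


if __name__ == "__main__":
    # Constructed sample: a cluster where Istio was installed without the operator.
    sources = {"istiooperator": None, "istio-configmap": {"accessLogFile": "/dev/stdout"}}
    print(reconcile(sources, authorino_provider()))   # {'istio-configmap': True}
    print(is_registered(sources["istio-configmap"]))  # True
    print(reconcile(sources, authorino_provider()))   # {'istio-configmap': False}
```

Running register twice reports no change the second time, which is what lets a controller requeue safely; the same-name-different-spec branch matters when the Authorino service name or port changes, since a stale entry would keep Envoy pointing at a non-existent authorizer and fail closed for every request on the gateway.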

Collaborator Author

Makes total sense now. I'll keep this in mind for the next refactor, which most probably will be the plugin way of using GWs.

Contributor

@guicassolato guicassolato left a comment

Nice job @didierofrivia!

I've left a couple of additional comments, which, if you agree, can be addressed in this PR still or in another iteration.

Verification steps succeeded. Additionally, after step ❷:

❯ kubectl get istiooperator/installed-state-istiocontrolplane -n istio-system -o yaml | grep authorino
❯ kubectl get configmap/istio -n istio-system -o yaml | grep authorino
        service: authorino-authorino-authorization.kuadrant-system.svc.cluster.local

@didierofrivia didierofrivia merged commit 84d9311 into main Jul 5, 2023
18 checks passed
@didierofrivia didierofrivia deleted the istio-install-fix branch July 5, 2023 12:26
@guicassolato guicassolato mentioned this pull request Jun 3, 2024
Linked issue: Update to remove the need to install istio via the istio operator