Kuadrant / kuadrant-controller

Apache License 2.0

AuthPolicy: remove hosts from authscheme #217

Open eguzki opened 2 years ago

eguzki commented 2 years ago

what

Fixes https://github.com/Kuadrant/kuadrant-operator/issues/97

verification steps

Setup env

make local-setup

Create HTTPRoute for *.toystore.com

kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: toystore
  labels:
    app: toystore
spec:
  parentRefs:
    - name: istio-ingressgateway
      namespace: istio-system
  hostnames: ["*.toystore.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/toy"
          method: GET
      backendRefs:
        - name: toystore
          port: 80
EOF

Create a kuadrant AuthPolicy in which the hosts field is missing from one of the rules

kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
  - hosts: ["*.admin.toystore.com"]
    methods: ["DELETE", "POST"]
    paths: ["/admin*"]
  - methods: ["DELETE", "POST"]
    paths: ["/private*"]
  authScheme:
    identity:
    - name: friends
      apiKey:
        selector:
          matchLabels:
            group: friends
      credentials:
        in: authorization_header
        keySelector: APIKEY
EOF

Check that the authconfig object's hosts field is set to the route's hostnames

k get authconfig ap-default-toystore -n kuadrant-system  -o jsonpath='{.spec.hosts}'
["*.toystore.com"]

Check that the hosts in the Istio AuthorizationPolicy's rules all fall under the route's hostnames

k get authorizationpolicy on-istio-ingressgateway-using-toystore -n istio-system -o yaml | yq e -P
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  creationTimestamp: "2022-09-27T15:26:18Z"
  generation: 1
  name: on-istio-ingressgateway-using-toystore
  namespace: istio-system
  resourceVersion: "8945"
  uid: 353aa299-97a9-4459-a293-20d03d1185d3
spec:
  action: CUSTOM
  provider:
    name: kuadrant-authorization
  rules:
    - to:
        - operation:
            hosts:
              - '*.admin.toystore.com'
            methods:
              - DELETE
              - POST
            paths:
              - /admin*
        - operation:
            hosts:
              - '*.toystore.com'
            methods:
              - DELETE
              - POST
            paths:
              - /private*
  selector: {}
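The verification output above shows the behaviour this PR is after: a rule that omits `hosts` is scoped to the HTTPRoute's hostnames (`*.toystore.com`) instead of matching any host, and a rule with an explicit host (`*.admin.toystore.com`) is only accepted when it falls under the route. The following is an added illustration of that scoping logic in Go; it is not code from kuadrant-controller, and the `Rule` type and the functions `hostUnder`, `hostAllowed` and `scopeRules` are hypothetical names chosen for the example. It also generalizes the wildcard check slightly beyond the single case in the PR (exact route hostnames, `*.` prefixes and a route with no hostnames), using Gateway API hostname semantics where `*.toystore.com` covers subdomains but not `toystore.com` itself.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors the AuthPolicy rule shape from the PR description (hosts is optional).
// Hypothetical type for this example, not the controller's API type.
type Rule struct {
	Hosts   []string
	Methods []string
	Paths   []string
}

// hostUnder reports whether ruleHost falls under routeHost with Gateway API
// hostname semantics: "*.toystore.com" covers "api.toystore.com" and
// "*.admin.toystore.com", but neither "toystore.com" nor "xtoystore.com".
func hostUnder(routeHost, ruleHost string) bool {
	if routeHost == "" || routeHost == "*" || routeHost == ruleHost {
		return true
	}
	if !strings.HasPrefix(routeHost, "*.") {
		return false // exact route hostname: only an identical rule host qualifies
	}
	suffix := routeHost[1:] // ".toystore.com"; the leading dot stops "xtoystore.com" matching
	candidate := strings.TrimPrefix(ruleHost, "*")
	// A bare "*" rule host becomes "" and is rejected: it would escape the route's scope.
	return strings.HasSuffix(candidate, suffix) && len(candidate) > len(suffix)
}

// hostAllowed reports whether ruleHost is covered by at least one route hostname.
func hostAllowed(routeHostnames []string, ruleHost string) bool {
	if len(routeHostnames) == 0 {
		return true // an HTTPRoute with no hostnames accepts any host
	}
	for _, rh := range routeHostnames {
		if hostUnder(rh, ruleHost) {
			return true
		}
	}
	return false
}

// scopeRules returns a copy of rules in which a rule without hosts inherits the
// route's hostnames, and rejects any explicit host that would widen the policy
// beyond the route. The input slice is not modified.
func scopeRules(routeHostnames []string, rules []Rule) ([]Rule, error) {
	out := make([]Rule, 0, len(rules))
	for i, r := range rules {
		scoped := r
		if len(r.Hosts) == 0 {
			scoped.Hosts = append([]string(nil), routeHostnames...)
		} else {
			for _, h := range r.Hosts {
				if !hostAllowed(routeHostnames, h) {
					return nil, fmt.Errorf("rule %d: host %q is not covered by route hostnames %v", i, h, routeHostnames)
				}
			}
		}
		out = append(out, scoped)
	}
	return out, nil
}

func main() {
	// Constructed from the PR's verification steps: route "*.toystore.com" and
	// two rules, the second one without a hosts field.
	route := []string{"*.toystore.com"}
	rules := []Rule{
		{Hosts: []string{"*.admin.toystore.com"}, Methods: []string{"DELETE", "POST"}, Paths: []string{"/admin*"}},
		{Methods: []string{"DELETE", "POST"}, Paths: []string{"/private*"}},
	}
	scoped, err := scopeRules(route, rules)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for i, r := range scoped {
		fmt.Printf("rule %d hosts=%v methods=%v paths=%v\n", i, r.Hosts, r.Methods, r.Paths)
	}
}
```

Running it prints the second rule with `hosts=[*.toystore.com]`, matching the `operation.hosts` entry in the AuthorizationPolicy above; a rule naming a host outside the route (say `*.other.com`) is rejected rather than silently widening what the policy protects.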