Based on accepted API proposal and POC covering technical details introduce new version of APIRule CRD. Introduced version will not be stored version. Users still have possibility to create v1beta1, that is still stored version.
New v1beta2 version should introduce 2 handlers: noAuth and JWT. noAuth handler is already released with v1beta1, so conversion is possible both ways. Also logic of noAuth is no different. JWT also exists in v1beta1 version but logic is based on ORY Oathkeeper. in v1beta2 logic behind JWT should be purely Istio based.
In case of Istio based JWT additional validation should be implemented enforcing sidecar injection on a workload.
We decided to have v1beta1 as storage version having preserveUnknownFields for v1beta2 spec fields. We keep v1beta2 clean without preserveUnknownFields. After customer manually adapted all APIRules we switch storage version. Migration step will be needed before dropping v1beta1.
Open questions to consider:
[x] think about if we introduce conversion webhook as in separate container and not integrated into the operator like previously
[x] think about if there is better solution for handling certificate needed than previously with the cronjob
TODOs:
@werdes72
[x] api/v1beta2
[x] conversion functions
[x] unit tests
[x] annotation should default jwt handler to istio
[x] review refinements
[x] CEL validation
@videlov
[x] implement solution for certificates generation/renewal integrated into the api-gateway operator
[x] discuss in team and get feedback
[x] add unit tests
[x] add envtest - not needed reconciliation functionality is fully tested with a unit-test and fake client, may introduce in the future
[x] refactor conversion a bit
[x] prepare integration test for v1beta1/v1beta2 conversion (ensure conversion is working)
[x] support implementation on v1beta2 reconciliation flow - we will take on this in the next sprint since bigger refactoring is needed, for now we use the v1beta2 annotation to enable Istio-based JWT independent from the ConfigMap
[x] review refinements
[x] documentation for new controller
[x] implement/workaround creating of certificate before operator manager starts - did not work out
[x] ADR for Certificate controller
[x] clarify initial certificate in module manifest with @TorstenD-SAP
[x] introduce init-container for handling initialising certificate before manager container starts
[x] workaround issue with immutable manifest and KLM apply strategy - https://sap-btp.slack.com/archives/C042CAZDZDX/p1715155956516309 - work with dynamic secret created in init-container and impl cert getter in the secret reconciler to replace file cert watcher
[x] add envtest integration test for init-container initialisation functions
[x] cover deletion for the certificate secret with an owner ref to api-gateway-controller-manager deployment
ACs:
[x] APIRule v1beta2 introduced
[x] noAuth handler present
[x] Istio JWT handler executed only on v1beta2
[x] ORY Oathkeeper JWT handler executed only on v1beta1
[x] JWT feature toggle stays unchanged
[x] integration test added / updated
[x] v1beta2 spec documented
Reasons
Introduction of stable APIRule
DoD:
[x] Provide unit and integration tests.
[x] Provide documentation.
[x] Verify if the solution works for both open-source Kyma and SAP BTP, Kyma runtime.
[x] If you changed the resource limits, explain why it was needed.
[x] Verify that your contributions don't decrease code coverage. If they do, explain why this is the case.
Description
Based on accepted API proposal and POC covering technical details introduce new version of APIRule CRD. Introduced version will not be stored version. Users still have possibility to create v1beta1, that is still stored version.
New v1beta2 version should introduce 2 handlers: noAuth and JWT. noAuth handler is already released with v1beta1, so conversion is possible both ways. Also logic of noAuth is no different. JWT also exists in v1beta1 version but logic is based on ORY Oathkeeper. in v1beta2 logic behind JWT should be purely Istio based.
In case of Istio based JWT additional validation should be implemented enforcing sidecar injection on a workload.
We decided to have v1beta1 as storage version having
preserveUnknownFieldsfor v1beta2 spec fields. We keep v1beta2 clean withoutpreserveUnknownFields. After customer manually adapted all APIRules we switch storage version. Migration step will be needed before dropping v1beta1.Open questions to consider:
TODOs: @werdes72
@videlov
add envtest- not needed reconciliation functionality is fully tested with a unit-test and fake client, may introduce in the futuresupport implementation on v1beta2 reconciliation flow- we will take on this in the next sprint since bigger refactoring is needed, for now we use the v1beta2 annotation to enable Istio-based JWT independent from the ConfigMapimplement/workaround creating of certificate before operator manager starts- did not work outACs:
Reasons
Introduction of stable APIRule
DoD:
Attachments part of: https://github.com/kyma-project/api-gateway/issues/939 https://github.com/kyma-project/api-gateway/issues/940 https://github.com/kyma-project/api-gateway/issues/970
PRs: