Reconciliation of individual API key secrets within an AuthConfig #297

Merged: 2 commits, Jun 7, 2022

Conversation

guicassolato
Collaborator

Avoids reconciling the entire AuthConfig whenever a new API Key secret is reconciled.

Ensures that API key secrets are added, updated or removed individually in the cache of each AuthConfig where they apply, reflecting the corresponding operations of creating/updating/deleting Kubernetes Secrets, including modifications to the labels of the Secret.

Closes #264

Verification steps

Build and deploy:

make local-setup FF=1
kubectl -n authorino port-forward deployment/envoy 8000:8000 &

Create an AuthConfig:

kubectl -n authorino apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api-authorino.127.0.0.1.nip.io
  - talker-api.io
  identity:
  - name: friends
    apiKey:
      labelSelectors:
        group: friends
    credentials:
      in: authorization_header
      keySelector: APIKEY
EOF

Check the API is not yet accessible before creating the API key:

curl -H 'Authorization: APIKEY secret' http://talker-api-authorino.127.0.0.1.nip.io:8000/hello -i
# 401
curl -H 'Authorization: APIKEY secret' http://talker-api-authorino.127.0.0.1.nip.io:8000/hello -i -H 'Host: talker-api.io'
# 401

For every iteration involving modifying an API key Secret below, send requests to the API on the different host names.

Create an API key:

kubectl -n authorino apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
    group: friends
stringData:
  api_key: secret
type: Opaque
EOF

Modify the value of the API key:

kubectl -n authorino apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
    group: friends
stringData:
  api_key: new-secret
type: Opaque
EOF

Remove the API key secret from the scope of the AuthConfig:

kubectl -n authorino apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
stringData:
  api_key: new-secret
type: Opaque
EOF

Add the API key back again to the scope of the AuthConfig:

kubectl -n authorino apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
    group: friends
stringData:
  api_key: new-secret
type: Opaque
EOF

Remove the API key from the scope of Authorino:

kubectl -n authorino apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    group: friends
stringData:
  api_key: new-secret
type: Opaque
EOF

Add the API key back to the scope of Authorino:

kubectl -n authorino apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
    group: friends
stringData:
  api_key: new-secret
type: Opaque
EOF

Delete the API key:

kubectl -n authorino delete secret/api-key-1

@guicassolato guicassolato self-assigned this Jun 3, 2022
@guicassolato guicassolato marked this pull request as ready for review June 3, 2022 07:50
@guicassolato guicassolato requested a review from a team June 3, 2022 07:51
@guicassolato guicassolato merged commit 3085d05 into main Jun 7, 2022
@guicassolato guicassolato deleted the api-key-reconcile branch June 7, 2022 08:00
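
The per-Secret cache behaviour exercised by the verification steps above, sketched as an added example (not Authorino's code and not part of the original PR). `Secret`, `KeyCache`, `Reconcile` and `Valid` are hypothetical names; the sketch assumes a single namespace and API key values that are unique across Secrets.

```go
package main

import "fmt"

// Secret is a minimal stand-in for a Kubernetes Secret (hypothetical type).
type Secret struct {
	Name, APIKey string
	Labels       map[string]string
}

// KeyCache holds the API keys of one AuthConfig identity (hypothetical type).
type KeyCache struct {
	Selector map[string]string // the identity's labelSelectors
	byValue  map[string]string // API key value -> name of the Secret providing it
}

// inScope: labelled as managed by Authorino and matching every selector label.
func (c *KeyCache) inScope(s Secret) bool {
	ok := s.Labels["authorino.kuadrant.io/managed-by"] == "authorino"
	for k, v := range c.Selector {
		ok = ok && s.Labels[k] == v
	}
	return ok
}

// Reconcile applies one Secret event to this cache only; deleted marks removal.
func (c *KeyCache) Reconcile(s Secret, deleted bool) {
	for v, name := range c.byValue {
		if name == s.Name {
			delete(c.byValue, v) // old value must stop authenticating
		}
	}
	if !deleted && s.APIKey != "" && c.inScope(s) {
		if c.byValue == nil {
			c.byValue = map[string]string{}
		}
		c.byValue[s.APIKey] = s.Name
	}
}

func (c *KeyCache) Valid(key string) bool { _, ok := c.byValue[key]; return ok }

func main() {
	c := &KeyCache{Selector: map[string]string{"group": "friends"}}
	l := map[string]string{"authorino.kuadrant.io/managed-by": "authorino", "group": "friends"}
	c.Reconcile(Secret{"api-key-1", "secret", l}, false)     // create
	c.Reconcile(Secret{"api-key-1", "new-secret", l}, false) // rotate
	fmt.Println(c.Valid("secret"), c.Valid("new-secret"))    // false true
}
```

The property worth checking in a real deployment is the same one the sketch enforces: after a value change, a label change or a delete, the previous key value is rejected on every host of the AuthConfig.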
Successfully merging this pull request may close these issues.

Reconciliation events on API key secrets reload the entire AuthConfig