Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[authpolicy-v2] AuthPolicy v1beta2 (#249)
* AuthPolicy v1beta2 Defines new `v1beta2` version of the `AuthPolicy` CRD, based on Authorino's `AuthConfig/v1beta2`. Closes #247 Depends on Kuadrant/authorino#417, Kuadrant/authorino-operator#137 Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version Update AuthPolicy manifests based on latest AuthConfig v1beta2 changes Bump Authorino to latest (unreleased) version Bump Authorino to latest (unreleased) version * Bump Authorino Operator to v0.9.0 Closes #263 * Superseding of strict host subsets between AuthConfigs Enables [superseding of strict host subsets](https://github.com/Kuadrant/authorino/blob/main/docs/architecture.md#avoiding-host-name-collision) in Authorino – i.e., set `SupersedingHostSubsets` to `true` in the Authorino CR. Closes #264. * Route selectors for the AuthPolicy * Merge the hostnames of HTTPRoute (direct or inherited from the Gateway) into all Istio AuthorizationPolicy rules that do not include hostnames already built from the route selectors, so we don't send a request to authorino for hosts that are not in the scope of the policy * AuthConfig with OR conditions between HTTPRouteMatches of a HTTPRouteRule and between HTTPRouteRules themselves * Fix reconciliation of gateway AuthPolicies Skips creation of Istio AuthorizationPolicies and Authorino AuthConfigs for gateways without any accepted HTTPRoutes. * Ensure Gateway API group is used when checking the targetRef kind * Trigger reconciliation of possibly affected gateway policies after reconciling HTTPRoute ones * Mapper of HTTPRoute events to policy events that goes through the parentRefs of the route and finds all policies that target one of its parent resources, thus yielding events for those policies. * AuthConfig condition from GWAPI QueryParamMatchRegularExpression * Skip Istio AuthorizationPolicy rules for GWAPI PathMatchRegularExpression and HeaderMatchRegularExpression * Generate Istio AuthorizationPolicy rules out of top-level conditions or full HTTPRoute only (i.e. ignore config-level conditions) * tests: fix integration tests for authpolicy with route selectors * fix: AuthorizationPolicy rules when PathMatchRegularExpression + unit tests from Istio AuthorizationPolicy rules from HTTPRouteRules and hostnames * tests: unit tests from AuthConfig conditions from HTTPRouteRules and hostnames * tests: unit tests for the AuthPolicy type * tests: unit test for RateLimitPolicyList.GetItems() * tests: unit test for RouteSelectors.HostnamesForConditions() * tests: integration test for Gateway policy with having other policies attached to HTTPRoutes * fixup: AuthPolicy SuccessResponseSpec type * tests: integration tests for AuthPolicy <-> AuthConfig mapping * tests: integration tests gateway policies whith all HTTPRoutes talken * Well-known attributes used in the generated AuthConfigs Closes: - #265 * tests: integration tests for policies only with unmatching route selectors * lint: fix duplicated imported package * Move AuthPolicy v1beta top-level 'patterns' and 'when' fields one level up This will pair the level of these policy-wide options to the top-level 'routeSelectors', rather than having two things that have semantics over the same scope defined at different levels in the API. This change also separates the auth scheme, making it now exclusively about auth rules. * [authpolicy-v2] docs (#275) * docs: authpolicy v1beta2 * docs: addressing suggestions of enhancements to the authpolicy docs * Add mandatory Gateway API label to the AuthPolicy CRD (#279) Closes #278 * docs: fix typos * [authpolicy-v2] AuthPolicy validation rules (#281) * prevent usage of routeSelectors in a gateway AuthPolicy * AuthPolicy CEL validation rules - Invalid targetRef.group - Invalid targetRef.kind - Route selectors not supported when targeting a Gateway Note: cannot set a validation rule for !has(spec.targetRef.namespace) || spec.targetRef.namespace == metadata.namespace, because Kubernetes does not allow accessing `metadata.namespace`. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules
- Loading branch information
1 parent
4d38913
commit 6bffa0b