Initial access config support

[tomasliumparas]

Initial AccessConfig version.
To do:

• Use domain from TunnelBinding
• Discuss if we should create AccessApplications before DNS records due to security reasons
• Implement AccessPolicies calls

Currently tested with the following CRD:

apiVersion: networking.cfargotunnel.com/v1alpha1
kind: TunnelBinding
metadata:
  name: whoami-cluster-tun
subjects:
  - name: whoami
  - name: whoami-2 # Points to the second service
tunnelRef:
  kind: ClusterTunnel
  name: k3s-cluster-tunnel
accessConfig:
  name: whoami
  domain: whoami.domain.com
  type: "self_hosted"

#67

[adyanth]

Thanks for the PR! Did you have a chance to test this out in your cluster to make sure it works? Had a couple questions/comments.

[adyanth]

Any reason why some are commented out? Could you remove them if they aren't needed, or are they needed in the future?

[tomasliumparas]

I was planning to implement CORS support a bit later.
I can for sure remove the comments for now.

[tomasliumparas]

Removed in 7bde824

[adyanth]

Could you remove the dependency of networkingv1alpha1 from this file by calling this function with the newApp already created and accepting an AccessApp instead?

[tomasliumparas]

The thing is that I need to call CF api, to have it translated into AccessApp - basically to translate Access Group Names into ids.
That means I would need to include CloudflareAPI from cloudflare_api.go into tunnelbinding_types.go

Or I could move (c *AccessConfig) NewAccessApplication() into controllers package as a function.
I did this, since I originally wanted to have it as a method of AccessConfig. That way it is near the definition of the CRD and it makes a bit easier to map the fields.

Which way you would prefer more?

[adyanth]

Does this delete only the policies on this particular application?

[tomasliumparas]

Yes. Since existing policy list is fetched for current application

existingPolicies, _, err := c.CloudflareClient.AccessPolicies(ctx, accountId, applicationId, ...

[adyanth]

This if condition is not necessary.

[adyanth]

This function seems convoluted. Let me phrase what I understand this function should be doing and you can correct me.

Given the set of existing access policies on the application, and the set of access policies defined in the CRD, you are trying to reconcile them. But there are a couple of problems. Does having the same name of the policy guarantee that the policy wasn't changed? Do we also create access groups here or just refer to them by name?

If possible, I'd like to see this split up into smaller functions and sync all the rules regardless of what was present, unless there was a way you could verify what is set online matches the local config.

[tomasliumparas]

This one was a bit tricky.
What I am doing here is checking by name if there are any policies in the application, which are not defined in crd.
If yes, we delete them.

Later on we loop trough policies defined in crd and update them.

Cases I tested:

• Policy by same name is changed manually, it should be updated to be matching crd configuration - works
• Policy manually added to the ui, should be deleted - works
• Policy should be deleted once gone from crd - works

[tomasliumparas]

does this makes sense?

[tomasliumparas]

Thanks for the PR! Did you have a chance to test this out in your cluster to make sure it works? Had a couple questions/comments.

Yes, seem to work fine.
What I managed to test:

• Creation/deletion of Access Applications with/without the policies
• Changing order of access policies
• Manually updating the policies via Cloudflare
• Removing the policies via CRD
• Renaming the policies via CRD