[NET-5017] APIGW Status Conditions for Gateway Policies #2955
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jm96441n
added
theme/api-gateway
jm96441n
commented
Sep 13, 2023
| @@ -115,3 +115,21 @@ type GatewayJWTClaimVerification struct { | |||
| // that this value matches. | |||
| Value string `json:"value"` | |||
| } | |||
|
|
|||
| // GatewayPolicyStatus defines the observed state of the gateway | |||
| type GatewayPolicyStatus struct { | |||
There was a problem hiding this comment.
we needed a specific status type in order to add the status, similar to how the Gateway type in the k8s spec has a specific type for GatewayStatus
t-eckert
reviewed
Sep 14, 2023
t-eckert
reviewed
Sep 14, 2023
t-eckert
approved these changes
Sep 14, 2023
conditions for defaults
jm96441n
added a commit
that referenced
this pull request
Sep 14, 2023
* Adding status conditions for gw policy * Fixed issue where status was not being propagated for policies * Moved code to correct places * Revert formatting * Cleaned up error creation, added validation tests * Added results tests, updated binding test * Updates from PR review: clean up comments/appends, use correct conditions for defaults
jm96441n
added a commit
that referenced
this pull request
Sep 15, 2023
* NET-4978: New CRDs for GW JWT Auth (#2734) * Added CRDs for gateway policy and httproute auth filter * Added bats tests * Correctly configured http route auth filter extension * Small docs update for operator-sdk usage * updated docs a bit, added gateway policy CRD * removed extra crd, updated bats tests * Added changelog * Added periods for consistency * Revert unnecessary changes * make jwt requirement optional * Updated jwt config to be optional to allow for other auth types * Rename HTTPRouteAuthFilter to RouteAuthFilter * Fix typo for omitempty * finish httprouteauthfilters rename to routeauthfilters * Added target reference for gateway policies * Add period to sentence for linter * Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming of HTTPRouteAuthFilter to RouteAuthFilter * Gateway policy translation NET 4980 (#2835) * squash * reset crd-gatewaypolicies * reset * reset * fix lint issues * fix nil pointer issue * checkpoint * change to resourseref key * update to pull all policies * add nil checks * more nil pointer checks for defensice programing * fix lint issue * delete comment * add unit test, fix add function * Update control-plane/api-gateway/common/translation.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Translate HTTPAuthFilter onto HTTPRoute (#2836) * Add function * Add RouteAuthFilterKind export * Add ServicesForRoute function * Start adding translateHTTPRouteAuth * Added translation filter to existing filter processing * Split out formatting into subfunctions * Remove original function * Remove ServicesForRoute * Change httprouteauthfilter to routeauthfilter * Reuse GatewayJWT type for Routes * Match Sarah's style for translation functions * Start adding filter tests * Wrap up test for filters * Uncomment other tests * Use existing v1alpha1 import for group * Remove old make* function * Use ConvertSliceFunc * Fix group in translation_test * Manually un-diff CRDs * cleanup * cleanup * clean up * update index function --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added validating webhook for gateway policy (#2912) * Added validating webhook for gateway policy * Change denied message to provide more information to the operator * [APIGW] Add comparison of gateway policies to diffing logic (#2939) * Fix bug in comparison of gateway policies * fix fmting * Added gateway equal test * Finished adding tests and refactored to use slices convencience functions * Reconcile Route Auth Filter changes (#2954) * Group indices by resource * Add index for HTTPRoutes referencing RouteAuthFilters * Add watch for HTTPRoutes referencing RouteAuthFilters * Add permissions to connect-inject clusterrole * Compare JWT filters for equality * Add RouteAuthFilter to resource translator * [NET-5017] APIGW Status Conditions for Gateway for JWT/Reconcile on JWTProvider Changes (#2950) * Added watches and status condition on gateway listeners for JWT validation * Only append errors if they're non-nil * Added tests for validating jwt on listener and for adding/retrieving jwt from resource map * fix fmting * Clean up from PR review * Use two value form of map access * Rename function * clean up from PR review * [NET-5017] APIGW Status Conditions for Gateway Policies (#2955) * Adding status conditions for gw policy * Fixed issue where status was not being propagated for policies * Moved code to correct places * Revert formatting * Cleaned up error creation, added validation tests * Added results tests, updated binding test * Updates from PR review: clean up comments/appends, use correct conditions for defaults * [NET-5017] APIGW Status Conditions for RouteAuthFilter and Routes wrt JWT (#2961) * NET-4978: New CRDs for GW JWT Auth (#2734) * Added CRDs for gateway policy and httproute auth filter * Added bats tests * Correctly configured http route auth filter extension * Small docs update for operator-sdk usage * updated docs a bit, added gateway policy CRD * removed extra crd, updated bats tests * Added changelog * Added periods for consistency * Revert unnecessary changes * make jwt requirement optional * Updated jwt config to be optional to allow for other auth types * Rename HTTPRouteAuthFilter to RouteAuthFilter * Fix typo for omitempty * finish httprouteauthfilters rename to routeauthfilters * Added target reference for gateway policies * Add period to sentence for linter * Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming of HTTPRouteAuthFilter to RouteAuthFilter * Gateway policy translation NET 4980 (#2835) * squash * reset crd-gatewaypolicies * reset * reset * fix lint issues * fix nil pointer issue * checkpoint * change to resourseref key * update to pull all policies * add nil checks * more nil pointer checks for defensice programing * fix lint issue * delete comment * add unit test, fix add function * Update control-plane/api-gateway/common/translation.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Translate HTTPAuthFilter onto HTTPRoute (#2836) * Add function * Add RouteAuthFilterKind export * Add ServicesForRoute function * Start adding translateHTTPRouteAuth * Added translation filter to existing filter processing * Split out formatting into subfunctions * Remove original function * Remove ServicesForRoute * Change httprouteauthfilter to routeauthfilter * Reuse GatewayJWT type for Routes * Match Sarah's style for translation functions * Start adding filter tests * Wrap up test for filters * Uncomment other tests * Use existing v1alpha1 import for group * Remove old make* function * Use ConvertSliceFunc * Fix group in translation_test * Manually un-diff CRDs * cleanup * cleanup * clean up * update index function --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added status conditions for JWT for auth filters and for routes * Extract function * Use more generic error for invalid filter * Re-run ctrl-manifests with correct controller-generate version * Clean up from pr review * gofmt --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added changelog * clean up some renames from httprouteauthfilter -> routeauthfilter * Fix broken webhook test, added new test --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
How I've tested this PR:
k8s/jwtsdirectory run thestartscript, this sets up a k8s cluster with an apigw, 3 services, a httproute, and a jwt provider named "local"kubectl apply ./consul/gatewaypolicy-okta.yamlkubectl describe gatewaypolicy gw-policy-2to see all the statuses as invalid because the referenced provider does not existkubectl apply ./consul/okta.yamlto create theoktajwt providerkubectl describe gatewaypolicy gw-policy-2again to see the policy back in a healthy statusChecklist: