APIGW NS JWT Auth #2962

Merged
merged 14 commits into from
Sep 15, 2023
@jm96441n (Member) commented Sep 14, 2023

Changes proposed in this PR:

  • Enable NS JWT authn/authz for API Gateway

How I've tested this PR:
Running through configurations in this repo: https://github.com/jm96441n/consul-experiments/tree/main/k8s/jwts

How I expect reviewers to test this PR:
Read the PR

Checklist:

jm96441n and others added 8 commits September 14, 2023 16:14
* Added CRDs for gateway policy and httproute auth filter

* Added bats tests

* Correctly configured http route auth filter extension

* Small docs update for operator-sdk usage

* updated docs a bit, added gateway policy CRD

* removed extra crd, updated bats tests

* Added changelog

* Added periods for consistency

* Revert unnecessary changes

* make jwt requirement optional

* Updated jwt config to be optional to allow for other auth types

* Rename HTTPRouteAuthFilter to RouteAuthFilter

* Fix typo for omitempty

* finish httprouteauthfilters rename to routeauthfilters

* Added target reference for gateway policies

* Add period to sentence for linter

* Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming
of HTTPRouteAuthFilter to RouteAuthFilter
* squash

* reset crd-gatewaypolicies

* reset

* reset

* fix lint issues

* fix nil pointer issue

* checkpoint

* change to resourseref key

* update to pull all policies

* add nil checks

* more nil pointer checks for defensive programming

* fix lint issue

* delete comment

* add unit test, fix add function

* Update control-plane/api-gateway/common/translation.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Translate HTTPAuthFilter onto HTTPRoute (#2836)

* Add function

* Add RouteAuthFilterKind export

* Add ServicesForRoute function

* Start adding translateHTTPRouteAuth

* Added translation filter to existing filter processing

* Split out formatting into subfunctions

* Remove original function

* Remove ServicesForRoute

* Change httprouteauthfilter to routeauthfilter

* Reuse GatewayJWT type for Routes

* Match Sarah's style for translation functions

* Start adding filter tests

* Wrap up test for filters

* Uncomment other tests

* Use existing v1alpha1 import for group

* Remove old make* function

* Use ConvertSliceFunc

* Fix group in translation_test

* Manually un-diff CRDs

* cleanup

* cleanup

* clean up

* update index function

---------

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
* Added validating webhook for gateway policy

* Change denied message to provide more information to the operator
* Fix bug in comparison of gateway policies

* fix fmting

* Added gateway equal test

* Finished adding tests and refactored to use slices convenience
functions
* Group indices by resource

* Add index for HTTPRoutes referencing RouteAuthFilters

* Add watch for HTTPRoutes referencing RouteAuthFilters

* Add permissions to connect-inject clusterrole

* Compare JWT filters for equality

* Add RouteAuthFilter to resource translator
…WTProvider Changes (#2950)

* Added watches and status condition on gateway listeners for JWT
validation

* Only append errors if they're non-nil

* Added tests for validating jwt on listener and for adding/retrieving jwt
from resource map

* fix fmting

* Clean up from PR review

* Use two value form of map access

* Rename function

* clean up from PR review
* Adding status conditions for gw policy

* Fixed issue where status was not being propagated for policies

* Moved code to correct places

* Revert formatting

* Cleaned up error creation, added validation tests

* Added results tests, updated binding test

* Updates from PR review: clean up comments/appends, use correct
conditions for defaults
… JWT (#2961)

* NET-4978: New CRDs for GW JWT Auth (#2734)

* Gateway policy translation NET 4980 (#2835)

* Added status conditions for JWT for auth filters and for routes

* Extract function

* Use more generic error for invalid filter

* Re-run ctrl-manifests with correct controller-generate version

* Clean up from pr review

* gofmt

---------

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
@jm96441n added the theme/api-gateway and pr/no-backport labels Sep 14, 2023
Comment on lines +412 to +419
conditions = append(conditions, metav1.Condition{
Type: "ResolvedRefs",
Status: metav1.ConditionFalse,
Reason: "InvalidCertificateRef",
ObservedGeneration: generation,
Message: refErr.Error(),
LastTransitionTime: now,
})
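
Review bot: Message: refErr.Error() in this appended condition copies the raw error text into the object's status, where anyone with read access to the resource can see it; confirm that refErr is always one of the controller's own fixed, operator-facing errors and never a wrapped client or API-server error that could carry internal detail. The "ResolvedRefs" and "InvalidCertificateRef" values are also written as string literals here; named constants would keep them consistent across the conditions built in this file.
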
Contributor

Not for this PR, but something to consider looping back around on: maybe we should have a function that creates metav1.Condition objects with the current timestamp given how much of this file is defining those objects. Then we could reduce the amount of code by having a function call that builds the condition.

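// newCondition builds a metav1.Condition stamped with the current time.
// "type" is a reserved word in Go, so the parameter is named conditionType.
func newCondition(conditionType string, status metav1.ConditionStatus, reason string, generation int64, message string) metav1.Condition {
	return metav1.Condition{
		Type:               conditionType,
		Status:             status,
		Reason:             reason,
		ObservedGeneration: generation,
		Message:            message,
		LastTransitionTime: timeFunc(),
	}
}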

@t-eckert (Contributor) left a comment

Spectacular work! I'm so happy to see this going into main!

@jm96441n enabled auto-merge (squash) September 15, 2023 15:44
@jm96441n merged commit 2d03f3e into main Sep 15, 2023
22 of 31 checks passed
@jm96441n deleted the apigw-ns-jwt-auth branch September 15, 2023 20:33