-
Notifications
You must be signed in to change notification settings - Fork 321
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
APIGW NS JWT Auth #2962
APIGW NS JWT Auth #2962
Conversation
* Added CRDs for gateway policy and httproute auth filter * Added bats tests * Correctly configured http route auth filter extension * Small docs update for operator-sdk usage * updated docs a bit, added gateway policy CRD * removed extra crd, updated bats tests * Added changelog * Added periods for consistency * Revert unnecessary changes * make jwt requirement optional * Updated jwt config to be optional to allow for other auth types * Rename HTTPRouteAuthFilter to RouteAuthFilter * Fix typo for omitempty * finish httprouteauthfilters rename to routeauthfilters * Added target reference for gateway policies * Add period to sentence for linter * Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming of HTTPRouteAuthFilter to RouteAuthFilter
* squash * reset crd-gatewaypolicies * reset * reset * fix lint issues * fix nil pointer issue * checkpoint * change to resourseref key * update to pull all policies * add nil checks * more nil pointer checks for defensice programing * fix lint issue * delete comment * add unit test, fix add function * Update control-plane/api-gateway/common/translation.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Translate HTTPAuthFilter onto HTTPRoute (#2836) * Add function * Add RouteAuthFilterKind export * Add ServicesForRoute function * Start adding translateHTTPRouteAuth * Added translation filter to existing filter processing * Split out formatting into subfunctions * Remove original function * Remove ServicesForRoute * Change httprouteauthfilter to routeauthfilter * Reuse GatewayJWT type for Routes * Match Sarah's style for translation functions * Start adding filter tests * Wrap up test for filters * Uncomment other tests * Use existing v1alpha1 import for group * Remove old make* function * Use ConvertSliceFunc * Fix group in translation_test * Manually un-diff CRDs * cleanup * cleanup * clean up * update index function --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
* Added validating webhook for gateway policy * Change denied message to provide more information to the operator
* Fix bug in comparison of gateway policies * fix fmting * Added gateway equal test * Finished adding tests and refactored to use slices convencience functions
* Group indices by resource * Add index for HTTPRoutes referencing RouteAuthFilters * Add watch for HTTPRoutes referencing RouteAuthFilters * Add permissions to connect-inject clusterrole * Compare JWT filters for equality * Add RouteAuthFilter to resource translator
…WTProvider Changes (#2950) * Added watches and status condition on gateway listeners for JWT validation * Only append errors if they're non-nil * Added tests for validating jwt on listener and for adding/retrieving jwt from resource map * fix fmting * Clean up from PR review * Use two value form of map access * Rename function * clean up from PR review
* Adding status conditions for gw policy * Fixed issue where status was not being propagated for policies * Moved code to correct places * Revert formatting * Cleaned up error creation, added validation tests * Added results tests, updated binding test * Updates from PR review: clean up comments/appends, use correct conditions for defaults
… JWT (#2961) * NET-4978: New CRDs for GW JWT Auth (#2734) * Added CRDs for gateway policy and httproute auth filter * Added bats tests * Correctly configured http route auth filter extension * Small docs update for operator-sdk usage * updated docs a bit, added gateway policy CRD * removed extra crd, updated bats tests * Added changelog * Added periods for consistency * Revert unnecessary changes * make jwt requirement optional * Updated jwt config to be optional to allow for other auth types * Rename HTTPRouteAuthFilter to RouteAuthFilter * Fix typo for omitempty * finish httprouteauthfilters rename to routeauthfilters * Added target reference for gateway policies * Add period to sentence for linter * Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming of HTTPRouteAuthFilter to RouteAuthFilter * Gateway policy translation NET 4980 (#2835) * squash * reset crd-gatewaypolicies * reset * reset * fix lint issues * fix nil pointer issue * checkpoint * change to resourseref key * update to pull all policies * add nil checks * more nil pointer checks for defensice programing * fix lint issue * delete comment * add unit test, fix add function * Update control-plane/api-gateway/common/translation.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Translate HTTPAuthFilter onto HTTPRoute (#2836) * Add function * Add RouteAuthFilterKind export * Add ServicesForRoute function * Start adding translateHTTPRouteAuth * Added translation filter to existing filter processing * Split out formatting into subfunctions * Remove original function * Remove ServicesForRoute * Change httprouteauthfilter to routeauthfilter * Reuse GatewayJWT type for Routes * Match Sarah's style for translation functions * Start adding filter tests * Wrap up test for filters * Uncomment other tests * Use existing v1alpha1 import for group * Remove old make* function * Use ConvertSliceFunc * Fix group in translation_test * Manually un-diff CRDs * cleanup * cleanup * clean up * update index function --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added status conditions for JWT for auth filters and for routes * Extract function * Use more generic error for invalid filter * Re-run ctrl-manifests with correct controller-generate version * Clean up from pr review * gofmt --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
conditions = append(conditions, metav1.Condition{ | ||
Type: "ResolvedRefs", | ||
Status: metav1.ConditionFalse, | ||
Reason: "InvalidCertificateRef", | ||
ObservedGeneration: generation, | ||
Message: refErr.Error(), | ||
LastTransitionTime: now, | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not for this PR, but something to consider looping back around on: maybe we should have a function that creates metav1.Condition
objects with the current timestamp given how much of this file is defining those objects. Then we could reduce the amount of code by having a function call that builds the condition.
func newCondition(type string, status metav1.Status, reason string, generation int64, message: string) metav1.Condition {
return metav1.Condition{
Type: type,
Status: status,
Reason: reason,
ObservedGeneration: generation,
Message: message,
LastTransitionTime: timeFunc(),
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spectacular work! I'm so happy to see this going into main
!
Changes proposed in this PR:
How I've tested this PR:
Running through configurations in this repo: https://github.com/jm96441n/consul-experiments/tree/main/k8s/jwts
How I expect reviewers to test this PR:
Read the PR
Checklist: