Skip to content

Commit

Permalink
Merge pull request #417 from Kuadrant/authconfig-v1beta2
Browse files Browse the repository at this point in the history
AuthConfig v1beta2
  • Loading branch information
guicassolato authored Sep 19, 2023
2 parents bffb49e + 90ce6fe commit 5fc204a
Show file tree
Hide file tree
Showing 63 changed files with 11,610 additions and 1,651 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/e2e-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ jobs:
matrix:
go-version: [1.19.x]
platform: [ubuntu-latest]
authconfig_version: [v1beta1, v1beta2]
runs-on: ${{ matrix.platform }}
defaults:
run:
Expand All @@ -34,5 +35,6 @@ jobs:
- name: Run make e2e
env:
OPERATOR_VERSION: ${{ github.event.inputs.operatorVersion }}
AUTHCONFIG_VERSION: ${{ matrix.authconfig_version }}
run: |
make e2e
12 changes: 3 additions & 9 deletions .github/workflows/integration-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,9 @@ jobs:
run: go install sigs.k8s.io/kind@v0.20.0
- name: Create kind cluster
run: kind create cluster --name authorino-smoke-tests
- name: Install cert-manager
run: |
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
kubectl delete mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io/cert-manager-webhook
kubectl -n cert-manager wait --timeout=300s --for=condition=Available deployments --all
- name: Install Authorino Operator
run: |
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/config/deploy/manifests.yaml
curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/utils/install.sh | bash -s
kubectl -n authorino-operator wait --timeout=300s --for=condition=Available deployments --all
- name: Create the namespace
run: |
Expand Down Expand Up @@ -79,7 +73,7 @@ jobs:
- name: Run e2e tests
env:
NAMESPACE: authorino
AUTHCONFIG: https://raw.githubusercontent.com/Kuadrant/authorino/main/tests/authconfig.yaml
AUTHCONFIG_INVALID: https://raw.githubusercontent.com/Kuadrant/authorino/main/tests/authconfig-invalid.yaml
AUTHCONFIG: https://raw.githubusercontent.com/Kuadrant/authorino/main/tests/v1beta2/authconfig.yaml
AUTHCONFIG_INVALID: https://raw.githubusercontent.com/Kuadrant/authorino/main/tests/v1beta2/authconfig-invalid.yaml
run: |
curl -sSL https://raw.githubusercontent.com/Kuadrant/authorino/main/tests/e2e-test.sh | bash
36 changes: 20 additions & 16 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,8 @@ generate: vendor controller-gen ## Generates types deepcopy code
$(MAKE) fmt vet

manifests: controller-gen kustomize ## Generates the manifests in $PROJECT_DIR/install
controller-gen crd:crdVersions=v1 rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=install/crd output:rbac:artifacts:config=install/rbac && kustomize build install > $(AUTHORINO_MANIFESTS)
controller-gen crd:crdVersions=v1 rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=install/crd output:rbac:artifacts:config=install/rbac && $(KUSTOMIZE) build install > $(AUTHORINO_MANIFESTS)
$(MAKE) patch-webhook

run: generate manifests ## Runs the application against the Kubernetes cluster configured in ~/.kube/config
go run -ldflags "-X main.version=$(VERSION)" ./main.go server
Expand Down Expand Up @@ -143,22 +144,15 @@ report-benchmarks:
cover: ## Shows test coverage
go tool cover -html=cover.out

AUTHCONFIG_VERSION ?= v1beta2
VERBOSE ?= 0
e2e: ## Runs the end-to-end tests on a local environment setup
$(MAKE) local-setup NAMESPACE=authorino KIND_CLUSTER_NAME=authorino-e2e AUTHORINO_IMAGE=$(AUTHORINO_IMAGE) TLS_ENABLED=$(TLS_ENABLED) OPERATOR_BRANCH=$(OPERATOR_BRANCH) AUTHORINO_MANIFESTS=$(AUTHORINO_MANIFESTS) AUTHORINO_INSTANCE=$(AUTHORINO_INSTANCE) ENVOY_OVERLAY=$(ENVOY_OVERLAY) DEPLOY_KEYCLOAK=1 FF=1
NAMESPACE=authorino VERBOSE=$(VERBOSE) ./tests/e2e-test.sh
NAMESPACE=authorino AUTHCONFIG_VERSION=$(AUTHCONFIG_VERSION) VERBOSE=$(VERBOSE) ./tests/e2e-test.sh

##@ Apps

.PHONY: cert-manager user-apps keycloak dex limitador

cert-manager: ## Installs CertManager into the Kubernetes cluster configured in ~/.kube/config
ifeq (true,$(TLS_ENABLED))
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
kubectl delete mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io/cert-manager-webhook
kubectl -n cert-manager wait --timeout=300s --for=condition=Available deployments --all
endif
.PHONY: user-apps keycloak dex limitador

DEPLOY_KEYCLOAK ?= $(DEPLOY_IDPS)
DEPLOY_DEX ?= $(DEPLOY_IDPS)
Expand Down Expand Up @@ -188,16 +182,19 @@ limitador: ## Deploys Limitador from kuadrant/authorino-examples into the Kubern

##@ Installation

.PHONY: install-operator uninstall-operator install uninstall
.PHONY: install-operator uninstall-operator install uninstall patch-webhook

AUTHORINO_OPERATOR_NAMESPACE ?= authorino-operator

ifeq (latest,$(OPERATOR_VERSION))
OPERATOR_BRANCH = main
else
OPERATOR_BRANCH = $(OPERATOR_VERSION)
endif
install-operator: ## Installs Authorino Operator and corresponding version of the manifests into the Kubernetes cluster configured in ~/.kube/config
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino-operator/$(OPERATOR_BRANCH)/config/deploy/manifests.yaml
kubectl -n authorino-operator wait --timeout=300s --for=condition=Available deployments --all
install-operator: ## Installs Authorino Operator and dependencies into the Kubernetes cluster configured in ~/.kube/config
curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/$(OPERATOR_BRANCH)/utils/install.sh | bash -s -- --git-ref $(OPERATOR_BRANCH)
kubectl patch deployment/authorino-webhooks -n $(AUTHORINO_OPERATOR_NAMESPACE) -p '{"spec":{"template":{"spec":{"containers":[{"name":"webhooks","image":"$(AUTHORINO_IMAGE)","imagePullPolicy":"IfNotPresent"}]}}}}'
kubectl -n $(AUTHORINO_OPERATOR_NAMESPACE) wait --timeout=300s --for=condition=Available deployments --all

uninstall-operator: ## Uninstalls Authorino Operator and corresponding version of the manifests from the Kubernetes cluster configured in ~/.kube/config
kubectl delete -f https://raw.githubusercontent.com/Kuadrant/authorino-operator/$(OPERATOR_BRANCH)/config/deploy/manifests.yaml
Expand All @@ -208,6 +205,13 @@ install: manifests ## Installs the current manifests (CRD, RBAC) into the Kubern
uninstall: manifests ## Uninstalls the current manifests (CRD, RBAC) from the Kubernetes cluster configured in ~/.kube/config
kubectl delete -f $(AUTHORINO_MANIFESTS)

patch-webhook: export WEBHOOK_NAMESPACE=$(AUTHORINO_OPERATOR_NAMESPACE)
patch-webhook:
envsubst \
< $(AUTHORINO_MANIFESTS) \
> $(AUTHORINO_MANIFESTS).tmp && \
mv $(AUTHORINO_MANIFESTS).tmp $(AUTHORINO_MANIFESTS)

##@ Deployment

.PHONY: namespace certs deploy
Expand Down Expand Up @@ -250,7 +254,7 @@ cluster: kind ## Starts a local Kubernetes cluster using Kind
local-build: kind docker-build ## Builds an image based on the current branch and pushes it to the registry into the local Kubernetes cluster started with Kind
$(KIND) load docker-image $(AUTHORINO_IMAGE) --name $(KIND_CLUSTER_NAME)

local-setup: cluster local-build cert-manager install-operator install namespace deploy user-apps ## Sets up a test/dev local Kubernetes server using Kind, loaded up with a freshly built Authorino image and apps
local-setup: cluster local-build install-operator install namespace deploy user-apps ## Sets up a test/dev local Kubernetes server using Kind, loaded up with a freshly built Authorino image and apps
kubectl -n $(NAMESPACE) wait --timeout=300s --for=condition=Available deployments --all
@{ \
echo "Now you can export the envoy service by doing:"; \
Expand Down
3 changes: 3 additions & 0 deletions PROJECT
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ resources:
- group: config
kind: AuthConfig
version: v1beta1
- group: config
kind: AuthConfig
version: v1beta2
version: 3-alpha
plugins:
go.sdk.operatorframework.io/v2-alpha: {}
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -287,7 +287,7 @@ For a detailed description of the features above, refer to the [Features](./docs
<details>
<summary><strong>Can't I just use Envoy JWT Authentication and RBAC filters?</strong></summary>

Envoy's [JWT Authentication](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto.html) works pretty much similar to Authorino's [JOSE/JWT verification and validation for OpenID Connect](./docs/features.md#openid-connect-oidc-jwtjose-verification-and-validation-identityoidc). In both cases, the JSON Web Key Sets (JWKS) to verify the JWTs are auto-loaded and cached to be used in request-time. Moreover, you can configure for details such as where to extract the JWT from the HTTP request (header, param or cookie) and do some cool tricks regarding how dynamic metadata based on JWT claims can be injected to consecutive filters in the chain.
Envoy's [JWT Authentication](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto.html) works pretty much similar to Authorino's [JOSE/JWT verification and validation for OpenID Connect](./docs/features.md#jwt-verification-authenticationjwt). In both cases, the JSON Web Key Sets (JWKS) to verify the JWTs are auto-loaded and cached to be used in request-time. Moreover, you can configure for details such as where to extract the JWT from the HTTP request (header, param or cookie) and do some cool tricks regarding how dynamic metadata based on JWT claims can be injected to consecutive filters in the chain.

However, in terms of authorization, while Envoy's implementation essentially allows to check for the list of audiences (`aud` JWT claim), Authorino opens up for a lot more options such as pattern-matching rules with operators and conditionals, built-in OPA and other methods of evaluating authorization policies.

Expand All @@ -307,7 +307,7 @@ For a detailed description of the features above, refer to the [Features](./docs

Authorino is an Envoy-compatible external authorization service. One can use Authorino with or without Istio.

In particular, [Istio Authorization Policies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) can be seen, in terms of functionality and expressiveness, as a subset of one type of authorization policies supported by Authorino, the [JSON pattern-matching authorization](./docs/features.md#json-pattern-matching-authorization-rules-authorizationjson) policies. While Istio, however, is heavily focused on specific use cases of API Management, offering a relatively limited list of [supported attribute conditions](https://istio.io/latest/docs/reference/config/security/conditions/), Authorino is more generic, allowing to express authorization rules for a wider spectrum of use cases – ACLs, RBAC, ABAC, etc, pretty much counting on any attribute of the Envoy payload, identity object and external metadata available.
In particular, [Istio Authorization Policies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) can be seen, in terms of functionality and expressiveness, as a subset of one type of authorization policies supported by Authorino, the [pattern-matching authorization](./docs/features.md#pattern-matching-authorization-authorizationpatternmatching) policies. While Istio, however, is heavily focused on specific use cases of API Management, offering a relatively limited list of [supported attribute conditions](https://istio.io/latest/docs/reference/config/security/conditions/), Authorino is more generic, allowing to express authorization rules for a wider spectrum of use cases – ACLs, RBAC, ABAC, etc, pretty much counting on any attribute of the Envoy payload, identity object and external metadata available.

Authorino also provides built-in OPA authorization, several other methods of authentication and identity verification (e.g. Kubernetes token validation, API key-based authentication, OAuth token introspection, OIDC-discoverable JWT verification, etc), and features like fetching of external metadata (HTTP services, OIDC userinfo, UMA resource data), token normalization, wristband tokens and dynamic responses. These all can be used independently or combined, in a simple and straightforward Kubernetes-native fashion.

Expand All @@ -327,7 +327,7 @@ For a detailed description of the features above, refer to the [Features](./docs

No, you do not. However, if you are comfortable with [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) from Open Policy Agent (OPA), there are some quite interesting things you can do in Authorino, just as you would in any OPA server or OPA plugin, but leveraging Authorino's [built-in OPA module](./docs/features.md#open-policy-agent-opa-rego-policies-authorizationopa) instead. Authorino's OPA module is compiled as part of Authorino's code directly from the Golang packages, and imposes no extra latency to the evaluation of your authorization policies. Even the policies themselves are pre-compiled in reconciliation-time, for fast evaluation afterwards, in request-time.

On the other hand, if you do not want to learn Rego or in any case would like to combine it with declarative and Kubernetes-native authN/authZ spec for your services, Authorino does complement OPA with at least two other methods for expressing authorization policies – i.e. [JSON pattern-matching authorization rules](./docs/features.md#json-pattern-matching-authorization-rules-authorizationjson) and [Kubernetes SubjectAccessReview](./docs/features.md#kubernetes-subjectaccessreview-authorizationkubernetes), the latter allowing to rely completely on the Kubernetes RBAC.
On the other hand, if you do not want to learn Rego or in any case would like to combine it with declarative and Kubernetes-native authN/authZ spec for your services, Authorino does complement OPA with at least two other methods for expressing authorization policies – i.e. [pattern-matching authorization](./docs/features.md#pattern-matching-authorization-authorizationpatternmatching) and [Kubernetes SubjectAccessReview](./docs/features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview), the latter allowing to rely completely on the Kubernetes RBAC.

You break down, mix and combine these methods and technolgies in as many authorization policies as you want, potentially applying them according to specific conditions. Authorino will trigger the evaluation of concurrent policies in parallel, aborting the context if any of the processes denies access.

Expand Down
4 changes: 4 additions & 0 deletions api/v1beta1/auth_config_conversion.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
package v1beta1

// Hub marks this version as a conversion hub.
func (a *AuthConfig) Hub() {}
1 change: 1 addition & 0 deletions api/v1beta1/auth_config_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -774,6 +774,7 @@ func (s *AuthConfigStatus) Ready() bool {
// AuthConfig is the schema for Authorino's AuthConfig API
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.summary.ready`,description="Ready for all hosts"
// +kubebuilder:printcolumn:name="Hosts",type=string,JSONPath=`.status.summary.numHostsReady`,description="Number of hosts ready"
// +kubebuilder:printcolumn:name="Authentication",type=integer,JSONPath=`.status.summary.numIdentitySources`,description="Number of trusted identity sources",priority=2
Expand Down
Loading

0 comments on commit 5fc204a

Please sign in to comment.