Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: minor improvements #217

Merged
merged 2 commits into from
Jul 18, 2023
Merged

docs: minor improvements #217

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ee32f38
docs: minor improvements
KevFan Jul 14, 2023
c11802c
user-guide: fix authorization using k8s service account returning 403…
KevFan Jul 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 25 additions & 23 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ The Operator to install and manage the lifecycle of the [Kuadrant](https://githu
* [If you are an <em>API Provider</em>](#if-you-are-an-api-provider)
* [If you are a <em>Cluster Operator</em>](#if-you-are-a-cluster-operator)
* [User guides](#user-guides)
* [<a href="/doc/rate-limiting.md">Kuadrant Rate Limiting</a>](#kuadrant-rate-limiting)
* [<a href="doc/rate-limiting.md">Kuadrant Rate Limiting</a>](#kuadrant-rate-limiting)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for curiosity, is /doc/rate-limiting.md wrong? the link seems to be working (on Linux/Firefox)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The leading slash breaks it in https://docs.kuadrant.io/kuadrant-operator/. Not sure if using the simple relative path will solve it tho.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It works but it is broken in the website for the above in the table of contents ^^ . I am also not sure will this change fix it since it links to https://docs.kuadrant.io/doc/rate-limiting.md vs https://docs.kuadrant.io/kuadrant-operator/doc/rate-limiting/ which seems to be the correct url instead 🤷

Though this change is also to give consitency to references to other docs in the repo. In most other links, we use docs/x instead of /docs/x 🤔

* [Documentation](#documentation)
* [Contributing](#contributing)
* [Licensing](#licensing)
Expand All @@ -32,29 +32,30 @@ more reusable and leverage the underlying kubernetes platform. It aims to delive
of applications & services when it comes to rate limiting, authentication, authorization, discoverability, change management, usage contracts, insights, etc.

Kuadrant aims to produce a set of loosely coupled functionalities built directly on top of Kubernetes.
Furthermore it only strives to provide what Kubernetes doesn’t offer out of the box, i.e. Kuadrant won’t be designing a new Gateway/proxy,
Furthermore, it only strives to provide what Kubernetes doesn’t offer out of the box, i.e. Kuadrant won’t be designing a new Gateway/proxy,
instead it will opt to connect with what’s there and what’s being developed (think Envoy, Istio, GatewayAPI).

Kuadrant is a system of cloud-native k8s components that grows as users’ needs grow.

* From simple protection of a Service (via **AuthN**) that is used by teammates working on the same cluster, or “sibling” services, up to **AuthZ** of users using OIDC plus custom policies.
* From no rate-limiting to rate-limiting for global service protection on to rate-limiting by users/plans

## Architecture

Kuadrant relies on [Istio](https://istio.io/) and the [Gateway API](https://gateway-api.sigs.k8s.io/)
to operate the cluster (istio's) ingress gateway to provide API management with **authentication** (authN),
to operate the cluster (Istio's) ingress gateway to provide API management with **authentication** (authN),
**authorization** (authZ) and **rate limiting** capabilities.

### Kuadrant components

| CRD | Description |
| --- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Control Plane | The control plane takes the customer desired configuration (declaratively as kubernetes custom resources) as input and ensures all components are configured to obey customer's desired behavior.<br> This repository contains the source code of the kuadrant control plane |
| [Kuadrant Operator](https://github.com/Kuadrant/kuadrant-operator) | A Kubernetes Operator to manage the lifecycle of the kuadrant deployment |
| [Authorino](https://github.com/Kuadrant/authorino) | The AuthN/AuthZ enforcer. As the [external istio authorizer](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/) ([envoy external authorization](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter) serving gRPC service) |
| [Limitador](https://github.com/Kuadrant/limitador) | The external rate limiting service. It exposes a gRPC service implementing the [Envoy Rate Limit protocol (v3)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto) |
| [Authorino Operator](https://github.com/Kuadrant/authorino-operator) | A Kubernetes Operator to manage Authorino instances |
| [Limitador Operator](https://github.com/Kuadrant/limitador-operator) | A Kubernetes Operator to manage Limitador instances |
| CRD | Description |
|----------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Control Plane | The control plane takes the customer desired configuration (declaratively as kubernetes custom resources) as input and ensures all components are configured to obey customer's desired behavior.<br> This repository contains the source code of the kuadrant control plane |
| [Kuadrant Operator](https://github.com/Kuadrant/kuadrant-operator) | A Kubernetes Operator to manage the lifecycle of the kuadrant deployment |
| [Authorino](https://github.com/Kuadrant/authorino) | The AuthN/AuthZ enforcer. As the [external istio authorizer](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/) ([envoy external authorization](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter) serving gRPC service) |
| [Limitador](https://github.com/Kuadrant/limitador) | The external rate limiting service. It exposes a gRPC service implementing the [Envoy Rate Limit protocol (v3)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto) |
| [Authorino Operator](https://github.com/Kuadrant/authorino-operator) | A Kubernetes Operator to manage Authorino instances |
| [Limitador Operator](https://github.com/Kuadrant/limitador-operator) | A Kubernetes Operator to manage Limitador instances |

### Provided APIs

Expand Down Expand Up @@ -86,7 +87,7 @@ Additionally, Kuadrant provides the following CRDs

### Installing Kuadrant

Installing Kuadrant is a two-step procedure. Firstly, install the Kuadrant Operator and seconly,
Installing Kuadrant is a two-step procedure. Firstly, install the Kuadrant Operator and secondly,
request a Kuadrant instance by creating a *Kuadrant* custom resource.

#### 1. Install the Kuadrant Operator
Expand All @@ -98,14 +99,14 @@ The Kuadrant Operator is available in public community operator catalogs, such a
The operator is available from [OperatorHub.io](https://operatorhub.io/operator/kuadrant-operator).
Just go to the linked page and follow installation steps (or just run these two commands):

```
```sh
# Install Operator Lifecycle Manager (OLM), a tool to help manage the operators running on your cluster.

$ curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.23.1/install.sh | bash -s v0.23.1
curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.23.1/install.sh | bash -s v0.23.1

# Install the operator by running the following command:

$ kubectl create -f https://operatorhub.io/install/kuadrant-operator.yaml
kubectl create -f https://operatorhub.io/install/kuadrant-operator.yaml
```

**Openshift**
Expand All @@ -125,12 +126,13 @@ kubectl create namespace kuadrant

Apply the `Kuadrant` custom resource:

```yaml
kubectl apply -n kuadrant -f -<<EOF
```sh
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: technically it is a shell script, but I would be highlighting the yaml content

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Plus, if you keep it as sh, you can run it in vscode with https://marketplace.visualstudio.com/items?itemName=guicassolato.tothom 😜

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this is a hard one 🤔 TBH previously, we are not consistent in this use for code blocks. In some places, we use yaml vs sh.

While highlighting for yaml is nice, I've went with sh since it is a shell script and as Gui hinted for vscode, in Goland IDE there is a similar function to run commands directly from markdowns for shell commands also, which is also a nice feature

image

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

take my money

kubectl -n kuadrant apply -f - <<EOF
---
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
name: kuadrant
name: kuadrant-sample
spec: {}
EOF
```
Expand All @@ -142,16 +144,16 @@ EOF
* Deploy the service/API to be protected ("Upstream")
* Expose the service/API using the kubernetes Gateway API, ie
[HTTPRoute](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute) object.
* Write and apply the Kuadrant's [RateLimitPolicy](/doc/rate-limiting.md) and/or
[AuthPolicy](apis/apim/v1alpha1/authpolicy_types.go) custom resources targeting the HTTPRoute resource
* Write and apply the Kuadrant's [RateLimitPolicy](doc/rate-limiting.md) and/or
[AuthPolicy](api/v1beta1/authpolicy_types.go) custom resources targeting the HTTPRoute resource
to have your API protected.

#### If you are a *Cluster Operator*

* (Optionally) deploy istio ingress gateway using the
[Gateway](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.Gateway) resource.
* Write and apply the Kuadrant's [RateLimitPolicy](/doc/rate-limiting.md) and/or
[AuthPolicy](apis/apim/v1alpha1/authpolicy_types.go) custom resources targeting the Gateway resource
* Write and apply the Kuadrant's [RateLimitPolicy](doc/rate-limiting.md) and/or
[AuthPolicy](api/v1beta1/authpolicy_types.go) custom resources targeting the Gateway resource
to have your gateway traffic protected.

## User guides
Expand All @@ -163,7 +165,7 @@ The user guides section of the docs gathers several use-cases as well as the ins
* [Gateway rate limiting for cluster operators](doc/user-guides/gateway-rl-for-cluster-operators.md)
* [Authenticated rate limiting with JWTs and Kubernetes authnz](doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md)

## [Kuadrant Rate Limiting](/doc/rate-limiting.md)
## [Kuadrant Rate Limiting](doc/rate-limiting.md)

## Documentation

Expand Down
39 changes: 19 additions & 20 deletions doc/development.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
* [Build custom OLM catalog](#build-custom-olm-catalog)
* [Build kuadrant operator bundle image](#build-kuadrant-operator-bundle-image)
* [Build custom catalog](#build-custom-catalog)
* [Deploy kuadrant operator using OLM](#deploy-kuadrant-operator-using-olm-1)
* [Cleaning up](#cleaning-up)
* [Run tests](#run-tests)
* [Unit tests](#unittests)
Expand Down Expand Up @@ -89,9 +88,9 @@ make install-olm

Deploy kuadrant using OLM. The `make deploy-catalog` target accepts the following variables:

| **Makefile Variable** | **Description** | **Default value** |
| --- | --- | --- |
| `CATALOG_IMG` | Kuadrant operator catalog image URL | `quay.io/kuadrant/kuadrant-operator-catalog:latest` |
| **Makefile Variable** | **Description** | **Default value** |
|-----------------------|-------------------------------------|-----------------------------------------------------|
| `CATALOG_IMG` | Kuadrant operator catalog image URL | `quay.io/kuadrant/kuadrant-operator-catalog:latest` |

```sh
make deploy-catalog [CATALOG_IMG=quay.io/kuadrant/kuadrant-operator-catalog:latest]
Expand Down Expand Up @@ -130,27 +129,27 @@ make bundle [IMG=quay.io/kuadrant/kuadrant-operator:latest] \

* Build the bundle image from the manifests

| **Makefile Variable** | **Description** | **Default value** |
| --- | --- | --- |
| `BUNDLE_IMG` | Kuadrant operator bundle image URL | `quay.io/kuadrant/kuadrant-operator-bundle:latest` |
| **Makefile Variable** | **Description** | **Default value** |
|-----------------------|------------------------------------|----------------------------------------------------|
| `BUNDLE_IMG` | Kuadrant operator bundle image URL | `quay.io/kuadrant/kuadrant-operator-bundle:latest` |

```sh
make bundle-build [BUNDLE_IMG=quay.io/kuadrant/kuadrant-operator-bundle:latest]
```

* Push the bundle image to a registry

| **Makefile Variable** | **Description** | **Default value** |
| --- | --- | --- |
| `BUNDLE_IMG` | Kuadrant operator bundle image URL | `quay.io/kuadrant/kuadrant-operator-bundle:latest` |
| **Makefile Variable** | **Description** | **Default value** |
|-----------------------|------------------------------------|----------------------------------------------------|
| `BUNDLE_IMG` | Kuadrant operator bundle image URL | `quay.io/kuadrant/kuadrant-operator-bundle:latest` |

```sh
make bundle-push [BUNDLE_IMG=quay.io/kuadrant/kuadrant-operator-bundle:latest]
```

Frequently, you may need to build custom kuadrant bundle with the default (`latest`) Limitador and
Authorino bundles. These are the example commands to build the manifests, build the bundle image
and push to the regitry.
and push to the registry.

In the example, a new kuadrant operator bundle version `0.8.0` will be created that references
the kuadrant operator image `quay.io/kuadrant/kuadrant-operator:v0.5.0` and latest Limitador and
Expand All @@ -169,17 +168,17 @@ make bundle-push BUNDLE_IMG=quay.io/kuadrant/kuadrant-operator-bundle:my-bundle

### Build custom catalog

The catalog's format will be [File-based Catalg](https://olm.operatorframework.io/docs/reference/file-based-catalogs/).
The catalog's format will be [File-based Catalog](https://olm.operatorframework.io/docs/reference/file-based-catalogs/).

Make sure all the required bundles are pushed to the registry. It is required by the `opm` tool.

The `make catalog` target accepts the following variables:

| **Makefile Variable** | **Description** | **Default value** |
| --- | --- | --- |
| `BUNDLE_IMG` | Kuadrant operator bundle image URL | `quay.io/kuadrant/kuadrant-operator-bundle:latest` |
| `LIMITADOR_OPERATOR_BUNDLE_IMG` | Limitador operator bundle URL | `quay.io/kuadrant/limitador-operator-bundle:latest` |
| `AUTHORINO_OPERATOR_BUNDLE_IMG` | Authorino operator bundle URL | `quay.io/kuadrant/authorino-operator-bundle:latest` |
| **Makefile Variable** | **Description** | **Default value** |
|---------------------------------|------------------------------------|-----------------------------------------------------|
| `BUNDLE_IMG` | Kuadrant operator bundle image URL | `quay.io/kuadrant/kuadrant-operator-bundle:latest` |
| `LIMITADOR_OPERATOR_BUNDLE_IMG` | Limitador operator bundle URL | `quay.io/kuadrant/limitador-operator-bundle:latest` |
| `AUTHORINO_OPERATOR_BUNDLE_IMG` | Authorino operator bundle URL | `quay.io/kuadrant/authorino-operator-bundle:latest` |

```sh
make catalog [BUNDLE_IMG=quay.io/kuadrant/kuadrant-operator-bundle:latest] \
Expand All @@ -189,9 +188,9 @@ make catalog [BUNDLE_IMG=quay.io/kuadrant/kuadrant-operator-bundle:latest] \

* Build the catalog image from the manifests

| **Makefile Variable** | **Description** | **Default value** |
| --- | --- | --- |
| `CATALOG_IMG` | Kuadrant operator catalog image URL | `quay.io/kuadrant/kuadrant-operator-catalog:latest` |
| **Makefile Variable** | **Description** | **Default value** |
|-----------------------|-------------------------------------|-----------------------------------------------------|
| `CATALOG_IMG` | Kuadrant operator catalog image URL | `quay.io/kuadrant/kuadrant-operator-catalog:latest` |

```sh
make catalog-build [CATALOG_IMG=quay.io/kuadrant/kuadrant-operator-catalog:latest]
Expand Down
2 changes: 2 additions & 0 deletions doc/logging.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Logging

The kuadrant operator outputs 3 levels of log messages: (from lowest to highest level)

1. `debug`
2. `info` (default)
3. `error`
Expand All @@ -12,6 +13,7 @@ Only `debug` logging will include processing details.
To configure the desired log level, set the environment variable `LOG_LEVEL` to one of the supported values listed above. Default log level is `info`.

Apart from log level, the operator can output messages to the logs in 2 different formats:

- `production` (default): each line is a parseable JSON object with properties `{"level":string, "ts":int, "msg":string, "logger":string, extra values...}`
- `development`: more human-readable outputs, extra stack traces and logging info, plus extra values output as JSON, in the format: `<timestamp-iso-8601>\t<log-level>\t<logger>\t<message>\t{extra-values-as-json}`

Expand Down
10 changes: 5 additions & 5 deletions doc/proposals/authpolicy-crd.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,14 @@ The new [GatewayAPI](https://gateway-api.sigs.k8s.io/) defines a standard [polic
## Goals

With `targetRef` from policy attachment concept, following are the goals:
- Application developer should be able target [`HTTPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute) object in their own namespace. This will define authorization policy at the hostname/domain/vHost level.
- Application developer should be able to target [`HTTPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute) object in their own namespace. This will define authorization policy at the hostname/domain/vHost level.
- Cluster operator should be able to target [`Gateway`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway) object along with HTTPRoute in the gateway's namespace. This will define policy at the <ins>listener</ins> level.
- To reduce context sharing at the gateway and external authorization provider, action type and auth-provider are defaulted to `CUSTOM` and authorino respectively.

## Proposed Solution
Following is the proposed new CRD that combines policy attachment concepts with Istio's AuthorizationPolicy:

```yaml=
```yaml
apiVersion: kuadrant.io/v1beta1
kind: AuthPolicy
metadata:
Expand Down Expand Up @@ -50,7 +50,7 @@ status:
reason: HTTPRouteProtected/GatewayProtected/Error
status: "True" | "False"
type: Available
observedGeneration: 1
observedGeneration: 1
```

### Target Reference
Expand Down Expand Up @@ -84,7 +84,7 @@ status:
- `methods`: a method matches over request method like `DELETE`.

Fields in a rule object are ANDed together but inner fields follow OR semantics. For example,
```
```yaml
hosts: ["*.toystore.com"]
methods: ["GET", "POST"]
paths: ["/admin"]
Expand All @@ -100,7 +100,7 @@ AuthScheme is embedded form of [Authorino's AuthConfig](https://github.com/Kuadr

The example AuthPolicy showed above will create the following AuthConfig:

```yaml=
```yaml
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
Expand Down
Loading
Loading