Authorino Reconciler #1
Merged
jjaferson force-pushed the foundation2 branch 2 times, most recently from c409b92 to 001d52c on November 1, 2021 17:22
guicassolato reviewed on Nov 2, 2021
jjaferson force-pushed the foundation2 branch from ee2a4ae to 10c839a on November 15, 2021 16:18
jjaferson force-pushed the foundation2 branch 6 times, most recently from 30eef4f to 0947c36 on November 16, 2021 18:00
jjaferson force-pushed the foundation2 branch from 0947c36 to e6d9d29 on November 16, 2021 19:23
guicassolato approved these changes on Nov 16, 2021
Tested with the following script:
```sh
kind create cluster --name authorino

# operator
make docker-build OPERATOR_IMAGE=authorino-operator:local
kind load docker-image authorino-operator:local --name authorino
kubectl create namespace authorino-operator
make install deploy OPERATOR_IMAGE=authorino-operator:local
kubectl create namespace myapp

# upstream
kubectl -n myapp apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/talker-api/talker-api-deploy.yaml

# authorino (without tls)
kubectl -n myapp apply -f -<<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  replicas: 1
  clusterWide: false
  listener:
    tls:
      enabled: false
  oidcServer:
    tls:
      enabled: false
EOF

# envoy (without tls)
curl -L https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/overlays/notls/configmap.yaml | sed -E 's/authorino-authorization/authorino-authorino-authorization/g' | kubectl -n myapp apply -f -
kubectl -n myapp apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/base/envoy.yaml

# authconfig
kubectl -n myapp apply -f -<<EOF
apiVersion: authorino.3scale.net/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
  - talker-api
  identity:
  - name: friends
    apiKey:
      labelSelectors:
        group: friends
    credentials:
      in: authorization_header
      keySelector: APIKEY
EOF

# consume
kubectl -n myapp apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: friend-1-api-key-1
  labels:
    authorino.3scale.net/managed-by: authorino
    group: friends
stringData:
  api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
type: Opaque
EOF
kubectl -n myapp port-forward deployment/envoy 8000:8000 &
curl -H 'Host: talker-api' -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://localhost:8000/hello

# tls certs
CURRENT_DIR=$PWD; AUTHORINO_DIR=$(mktemp -d); cd $AUTHORINO_DIR
git clone --depth 1 --branch main https://github.com/kuadrant/authorino.git && cd authorino
make cert-manager
make certs AUTHORINO_NAMESPACE=myapp
rm -rf $AUTHORINO_DIR; cd $CURRENT_DIR

# authorino (with tls)
kubectl -n myapp apply -f -<<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  replicas: 1
  clusterWide: false
  listener:
    tls:
      certSecretRef:
        name: authorino-server-cert
  oidcServer:
    tls:
      certSecretRef:
        name: authorino-oidc-server-cert
EOF

# envoy (with tls)
curl -L https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/overlays/tls/configmap.yaml | sed -E 's/authorino-authorization/authorino-authorino-authorization/g' | kubectl -n myapp apply -f -
kubectl -n myapp apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/examples/envoy/base/envoy.yaml
kubectl -n myapp patch deployment/envoy -p '{"spec":{"template":{"spec":{"volumes":[{"name":"authorino-ca-cert","secret":{"defaultMode":420,"secretName":"authorino-ca-cert"}}],"containers":[{"name":"envoy","volumeMounts":[{"name":"authorino-ca-cert","subPath":"ca.crt","mountPath":"/etc/ssl/certs/authorino-ca-cert.crt","readOnly":true}]}]}}}}'

# consume
curl -H 'Host: talker-api' -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://localhost:8000/hello

# cleanup
kind delete cluster --name authorino
```
Works perfectly! Congratz and thank you, @jjaferson!
* Installs authorino CRDs and Clusterroles via manifest
jjaferson force-pushed the foundation2 branch from e6d9d29 to 958fca8 on November 17, 2021 09:29
guicassolato approved these changes on Nov 17, 2021
eguzki approved these changes on Nov 17, 2021
Good job 🎖️
This PR is the starting point to enable the deployment of Authorino instances via the operator.
P.S.: missing unit testing
Verification steps
make install run