Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating environment setup #1126

Closed
wants to merge 5 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 93 additions & 30 deletions doc/user-guides/auth/auth-for-app-devs-and-platform-engineers.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Enforcing authentication & authorization with Kuadrant AuthPolicy

This guide walks you through the process of setting up a local Kubernetes cluster with Kuadrant where you will protect [Gateway API](https://gateway-api.sigs.k8s.io/) endpoints by declaring Kuadrant AuthPolicy custom resources.
This tutorial walks you through the process of setting up a local Kubernetes cluster with Kuadrant where you will protect [Gateway API](https://gateway-api.sigs.k8s.io/) endpoints by declaring Kuadrant AuthPolicy custom resources.

Three AuthPolicies will be declared:

Expand All @@ -14,7 +14,7 @@ Topology:
```
┌─────────────────────────┐
│ (Gateway) │ ┌───────────────┐
kuadrant-ingressgateway │◄──│ (AuthPolicy) │
external │◄──│ (AuthPolicy) │
│ │ │ gw-auth │
│ * │ └───────────────┘
└─────────────────────────┘
Expand All @@ -35,28 +35,92 @@ Topology:
└─────────────────┘
```

## Setup the environment
## Prerequisites

Follow this [setup doc](https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/install/install-make.md) to set up your environment before continuing with this doc.
- Kubernetes cluster with Kuadrant operator installed. See our [Getting Started](/getting-started) guide for more information.
- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) command line tool.

### Setup environment variables

Set the following environment variables used for convenience in this tutorial:

```bash
export KUADRANT_GATEWAY_NS=api-gateway # Namespace for the example Gateway
export KUADRANT_GATEWAY_NAME=external # Name for the example Gateway
export KUADRANT_DEVELOPER_NS=toystore # Namespace for an example toystore app

```

### Create an Ingress Gateway

Create the namespace the Gateway will be deployed in:

```bash
kubectl create ns ${KUADRANT_GATEWAY_NS}
```

Create a gateway using toystore as the listener hostname:

```sh
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: ${KUADRANT_GATEWAY_NAME}
namespace: ${KUADRANT_GATEWAY_NS}
labels:
kuadrant.io/gateway: "true"
spec:
gatewayClassName: istio
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
EOF
```

Check the status of the `Gateway` ensuring the gateway is Accepted and Programmed:

```bash
kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Programmed")].message}{"\n"}'
```

### Deploy the Toy Store sample application (Persona: _App developer_)


Create the namespace for the toystore API:

```bash
kubectl create ns ${KUADRANT_DEVELOPER_NS}
```
Deploy the Toy store
```sh
kubectl apply -f examples/toystore/toystore.yaml
kubectl apply -f examples/toystore/toystore.yaml -n ${KUADRANT_DEVELOPER_NS}
```

Create the Toy Store HTTPRoute
```bash

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: toystore
namespace: ${KUADRANT_DEVELOPER_NS}
labels:
app: toystore
spec:
parentRefs:
- name: kuadrant-ingressgateway
namespace: gateway-system
- name: ${KUADRANT_GATEWAY_NAME}
namespace: ${KUADRANT_GATEWAY_NS}
hostnames:
- api.toystore.com
rules:
- matches: # rule-1
- name: rule-1
matches:
- method: GET
path:
type: PathPrefix
Expand All @@ -68,7 +132,8 @@ spec:
backendRefs:
- name: toystore
port: 80
- matches: # rule-2
- name: rule-2
matches:
- path:
type: PathPrefix
value: "/admin"
Expand All @@ -81,25 +146,25 @@ EOF
Export the gateway hostname and port:

```sh
export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
export KUADRANT_INGRESS_HOST=$(kubectl get gtw ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o jsonpath='{.status.addresses[0].value}')
export KUADRANT_INGRESS_PORT=$(kubectl get gtw ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export KUADRANT_GATEWAY_URL=${KUADRANT_INGRESS_HOST}:${KUADRANT_INGRESS_PORT}
```

Send requests to the application unprotected:

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
curl -H 'Host: api.toystore.com' http://$KUADRANT_GATEWAY_URL/cars -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/dolls -i
curl -H 'Host: api.toystore.com' http://$KUADRANT_GATEWAY_URL/dolls -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/admin -i
curl -H 'Host: api.toystore.com' http://$KUADRANT_GATEWAY_URL/admin -i
# HTTP/1.1 200 OK
```

Expand All @@ -118,6 +183,7 @@ apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: toystore-authn
namespace: ${KUADRANT_DEVELOPER_NS}
spec:
targetRef:
group: gateway.networking.k8s.io
Expand All @@ -140,6 +206,7 @@ apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: toystore-admins
namespace: ${KUADRANT_DEVELOPER_NS}
spec:
targetRef:
group: gateway.networking.k8s.io
Expand Down Expand Up @@ -189,25 +256,25 @@ EOF
Send requests to the application protected by Kuadrant:

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
curl -H 'Host: api.toystore.com' http://$KUADRANT_GATEWAY_URL/cars -i
# HTTP/1.1 401 Unauthorized
# www-authenticate: APIKEY realm="api-key-authn"
# x-ext-auth-reason: credential not found
```

```sh
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$GATEWAY_URL/cars -i
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$KUADRANT_GATEWAY_URL/cars -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$GATEWAY_URL/admin -i
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$KUADRANT_GATEWAY_URL/admin -i
# HTTP/1.1 403 Forbidden
# x-ext-auth-reason: Unauthorized
```

```sh
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://$GATEWAY_URL/admin -i
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://$KUADRANT_GATEWAY_URL/admin -i
# HTTP/1.1 200 OK
```

Expand All @@ -216,16 +283,17 @@ curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://$G
Create the policy:

```sh
kubectl -n gateway-system apply -f - <<EOF
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: gw-auth
namespace: ${KUADRANT_GATEWAY_NS}
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: kuadrant-ingressgateway
name: ${KUADRANT_GATEWAY_NAME}
defaults:
strategy: atomic
rules:
Expand Down Expand Up @@ -257,10 +325,11 @@ apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: other
namespace: ${KUADRANT_DEVELOPER_NS}
spec:
parentRefs:
- name: kuadrant-ingressgateway
namespace: gateway-system
- name: ${KUADRANT_GATEWAY_NAME}
namespace: ${KUADRANT_GATEWAY_NS}
hostnames:
- "*.other-apps.com"
EOF
Expand All @@ -269,7 +338,7 @@ EOF
Send requests to the route protected by the default policy set at the level of the gateway:

```sh
curl -H 'Host: foo.other-apps.com' http://$GATEWAY_URL/ -i
curl -H 'Host: foo.other-apps.com' http://$KUADRANT_GATEWAY_URL/ -i
# HTTP/1.1 403 Forbidden
# content-type: application/json
# x-ext-auth-reason: Unauthorized
Expand All @@ -280,9 +349,3 @@ curl -H 'Host: foo.other-apps.com' http://$GATEWAY_URL/ -i
# "message": "Access denied by default by the gateway operator. If you are the administrator of the service, create a specific auth policy for the route."
# }
```

## Cleanup

```sh
make local-cleanup
```
Loading
Loading