Add downstream mTLS support #1857

Merged
merged 15 commits into from
Jan 10, 2024
Add webhook for Authentication CR
sgayangi committed Jan 9, 2024
commit 86f9291527e79897e3248c5ee4fd5ec51bd7bdcf
40 changes: 40 additions & 0 deletions adapter/internal/operator/config/webhook/manifests.yaml
@@ -45,6 +45,26 @@ webhooks:
resources:
- apipolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /mutate-dp-wso2-com-v1alpha1-authentication
failurePolicy: Fail
name: mauthentication.kb.io
rules:
- apiGroups:
- dp.wso2.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- authentications
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
@@ -172,6 +192,26 @@ webhooks:
resources:
- apipolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-dp-wso2-com-v1alpha1-authentication
failurePolicy: Fail
name: vauthentication.kb.io
rules:
- apiGroups:
- dp.wso2.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- authentications
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
@@ -64,6 +64,26 @@ webhooks:
resources:
- apipolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /mutate-dp-wso2-com-v1alpha1-authentication
failurePolicy: Fail
name: mauthentication.kb.io
rules:
- apiGroups:
- dp.wso2.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- authentications
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
@@ -210,6 +230,26 @@ webhooks:
resources:
- apipolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-dp-wso2-com-v1alpha1-authentication
failurePolicy: Fail
name: vauthentication.kb.io
rules:
- apiGroups:
- dp.wso2.com
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- authentications
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
5 changes: 5 additions & 0 deletions common-controller/internal/operator/operator.go
@@ -121,6 +121,11 @@ func InitOperator() {
"Unable to create webhook for APIPolicy, error: %v", err))
}

if err = (&dpv1alpha1.Authentication{}).SetupWebhookWithManager(mgr); err != nil {
loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2638, logging.MAJOR,
"Unable to create webhook for Authentication, error: %v", err))
}

if err = (&dpv1alpha1.InterceptorService{}).SetupWebhookWithManager(mgr); err != nil {
loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2652, logging.MAJOR,
"Unable to create webhook for InterceptorService, error: %v", err))
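Review bot: The new Authentication webhook registration logs a SetupWebhookWithManager failure and continues, matching the APIPolicy and InterceptorService handling around it, so a registration failure leaves the operator running without that admission handler. Since the manifests in this same commit declare `failurePolicy: Fail` for the authentication webhook paths, a missing handler presumably causes Authentication create/update requests to be rejected rather than silently skipping validation; that fail-closed behaviour is worth stating next to the call, e.g. `// Not fatal: if registration fails, the manifest's failurePolicy: Fail rejects Authentication admissions instead of skipping validation.` InitOperator begins before this hunk, so whether an earlier failure already aborts startup is not visible here.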
4 changes: 4 additions & 0 deletions common-go-libs/PROJECT
@@ -31,6 +31,10 @@ resources:
kind: Authentication
path: github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1
version: v1alpha1
webhooks:
defaulting: true
validation: true
webhookVersion: v1
- api:
crdVersion: v1
namespaced: true
File renamed without changes.
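--- a/common-go-libs/apis/dp/v1alpha1/authentication_webhook.go
+++ b/common-go-libs/apis/dp/v1alpha1/authentication_webhook.go
@@ -0,0 +1,112 @@
+/*
+* Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+*/
+
+package v1alpha1
+
+import (
+"strings"
+
+constants "github.com/wso2/apk/common-go-libs/constants"
+apierrors "k8s.io/apimachinery/pkg/api/errors"
+"k8s.io/apimachinery/pkg/runtime"
+"k8s.io/apimachinery/pkg/runtime/schema"
+"k8s.io/apimachinery/pkg/util/validation/field"
+ctrl "sigs.k8s.io/controller-runtime"
+"sigs.k8s.io/controller-runtime/pkg/webhook"
+"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// SetupWebhookWithManager creates a new webhook builder for Authentication
+func (r *Authentication) SetupWebhookWithManager(mgr ctrl.Manager) error {
+return ctrl.NewWebhookManagedBy(mgr).
+For(r).
+Complete()
+}
+
+// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+
+//+kubebuilder:webhook:path=/mutate-dp-wso2-com-v1alpha1-authentication,mutating=true,failurePolicy=fail,sideEffects=None,groups=dp.wso2.com,resources=authentications,verbs=create;update,versions=v1alpha1,name=mauthentication.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Defaulter = &Authentication{}
+
+// Default implements webhook.Defaulter so a webhook will be registered for the type
+func (r *Authentication) Default() {
+// TODO(user): fill in your defaulting logic.
+}
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/validate-dp-wso2-com-v1alpha1-authentication,mutating=false,failurePolicy=fail,sideEffects=None,groups=dp.wso2.com,resources=authentications,verbs=create;update,versions=v1alpha1,name=vauthentication.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &Authentication{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *Authentication) ValidateCreate() (admission.Warnings, error) {
+// TODO(user): fill in your validation logic upon object creation.
+return nil, r.ValidateAuthentication()
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *Authentication) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+return nil, r.ValidateAuthentication()
+}
+
+// ValidateAuthentication validates the Authentication
+func (r *Authentication) ValidateAuthentication() error {
+var allErrs field.ErrorList
+isOAuthDisabled := false
+isMTLSMandatory := false
+isMTLSDisabled := false
+
+if r.Spec.TargetRef.Name == "" {
+allErrs = append(allErrs, field.Required(field.NewPath("spec").Child("targetRef").Child("name"), "Name is required"))
+}
+if !(r.Spec.TargetRef.Kind == constants.KindAPI || r.Spec.TargetRef.Kind == constants.KindResource) {
+allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("targetRef").Child("kind"), r.Spec.TargetRef.Kind,
+"Invalid Kind is provided"))
+}
+
+if r.Spec.Default != nil && r.Spec.Default.Disabled != nil && r.Spec.Default.AuthTypes != nil && r.Spec.Default.AuthTypes.MutualSSL != nil {
+isOAuthDisabled = r.Spec.Default.AuthTypes.Oauth2.Disabled
+isMTLSMandatory = strings.ToLower(r.Spec.Default.AuthTypes.MutualSSL.Required) == "mandatory"
+isMTLSDisabled = r.Spec.Default.AuthTypes.MutualSSL.Disabled
+if isOAuthDisabled && (!isMTLSMandatory || isMTLSDisabled) {
+allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("authTypes"), r.Spec.Default.AuthTypes,
+"invalid authentication configuration - one of mTLS or OAuth2 must be enabled and mandatory"))
+}
+} else if r.Spec.Override != nil && r.Spec.Override.Disabled != nil && r.Spec.Override.AuthTypes != nil && r.Spec.Override.AuthTypes.MutualSSL != nil {
+isOAuthDisabled = r.Spec.Override.AuthTypes.Oauth2.Disabled
+isMTLSMandatory = strings.ToLower(r.Spec.Override.AuthTypes.MutualSSL.Required) == "mandatory"
+isMTLSDisabled = r.Spec.Override.AuthTypes.MutualSSL.Disabled
+if isOAuthDisabled && (!isMTLSMandatory || isMTLSDisabled) {
+allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("override").Child("authTypes").Child("authTypes"), r.Spec.Override.AuthTypes,
+"invalid authentication configuration - one of mTLS or OAuth2 must be enabled and mandatory"))
+}
+}
+
+if len(allErrs) > 0 {
+return apierrors.NewInvalid(
+schema.GroupKind{Group: "dp.wso2.com", Kind: "Authentication"},
+r.Name, allErrs)
+}
+return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *Authentication) ValidateDelete() (admission.Warnings, error) {
+// TODO(user): fill in your validation logic upon object deletion.
+return nil, nil
+}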
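Review bot: ValidateAuthentication only runs its mTLS/OAuth2 consistency check when `spec.default.disabled` is set and `authTypes.mtls` is present (the guard `if r.Spec.Default != nil && r.Spec.Default.Disabled != nil && r.Spec.Default.AuthTypes != nil && r.Spec.Default.AuthTypes.MutualSSL != nil`), so an Authentication that omits `disabled`, or that disables OAuth2 without configuring mTLS at all, is admitted even though the error text says one of the two must be enabled and mandatory. The `else if` on the override branch also means override authTypes are never validated whenever a default block exists. Dropping the `Disabled != nil` gate, treating a missing MutualSSL as disabled, and checking default and override independently closes both gaps, as sketched below. Separately, both field.Invalid calls build the path `Child("authTypes").Child("authTypes")`, which looks like a copy/paste slip; the path should stop at `authTypes` or name the offending sub-field, and ValidateUpdate deserves a one-line comment that updates are validated exactly like creates since `old` is ignored.
```go
// … unchanged: allErrs declaration and targetRef checks …
if r.Spec.Default != nil && r.Spec.Default.AuthTypes != nil {
	mtls := r.Spec.Default.AuthTypes.MutualSSL
	isOAuthDisabled = r.Spec.Default.AuthTypes.Oauth2.Disabled
	// absent mTLS config counts as disabled, so OAuth2-off + no mTLS is rejected
	isMTLSMandatory = mtls != nil && strings.ToLower(mtls.Required) == "mandatory"
	isMTLSDisabled = mtls == nil || mtls.Disabled
	if isOAuthDisabled && (!isMTLSMandatory || isMTLSDisabled) {
		allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes"), r.Spec.Default.AuthTypes,
			"invalid authentication configuration - one of mTLS or OAuth2 must be enabled and mandatory"))
	}
}
// default and override are validated independently, not as an either/or
if r.Spec.Override != nil && r.Spec.Override.AuthTypes != nil {
	// … same checks as above against r.Spec.Override, path spec.override.authTypes …
}
// … unchanged: apierrors.NewInvalid return …
```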
3 changes: 3 additions & 0 deletions common-go-libs/apis/dp/v1alpha1/webhook_suite_test.go
@@ -118,6 +118,9 @@ var _ = BeforeSuite(func() {
err = (&BackendJWT{}).SetupWebhookWithManager(mgr)
Expect(err).NotTo(HaveOccurred())

err = (&Authentication{}).SetupWebhookWithManager(mgr)
Expect(err).NotTo(HaveOccurred())

//+kubebuilder:scaffold:webhook

go func() {
128 changes: 128 additions & 0 deletions common-go-libs/config/crd/bases/dp.wso2.com_authentications.yaml
@@ -67,6 +67,70 @@ spec:
type: object
nullable: true
type: array
mtls:
description: MutualSSL is to specify the features and certificates
for mutual SSL
properties:
certificatesInline:
description: CertificatesInline is the Inline Certificate
entry
items:
type: string
type: array
configMapRefs:
description: ConfigMapRefs denotes the reference to the
ConfigMap that contains the Certificate
items:
description: RefConfig holds a config for a secret or
a configmap
properties:
key:
description: Key of the secret or configmap
minLength: 1
type: string
name:
description: Name of the secret or configmap
minLength: 1
type: string
required:
- key
- name
type: object
type: array
disabled:
default: false
description: Disabled is to disable mTLS authentication
type: boolean
required:
description: Required indicates whether mutualSSL is mandatory
or optional
enum:
- mandatory
- optional
type: string
secretRefs:
description: SecretRefs denotes the reference to the Secret
that contains the Certificate
items:
description: RefConfig holds a config for a secret or
a configmap
properties:
key:
description: Key of the secret or configmap
minLength: 1
type: string
name:
description: Name of the secret or configmap
minLength: 1
type: string
required:
- key
- name
type: object
type: array
required:
- required
type: object
oauth2:
description: Oauth2 is to specify the Oauth2 authentication
scheme details
@@ -138,6 +202,70 @@ spec:
type: object
nullable: true
type: array
mtls:
description: MutualSSL is to specify the features and certificates
for mutual SSL
properties:
certificatesInline:
description: CertificatesInline is the Inline Certificate
entry
items:
type: string
type: array
configMapRefs:
description: ConfigMapRefs denotes the reference to the
ConfigMap that contains the Certificate
items:
description: RefConfig holds a config for a secret or
a configmap
properties:
key:
description: Key of the secret or configmap
minLength: 1
type: string
name:
description: Name of the secret or configmap
minLength: 1
type: string
required:
- key
- name
type: object
type: array
disabled:
default: false
description: Disabled is to disable mTLS authentication
type: boolean
required:
description: Required indicates whether mutualSSL is mandatory
or optional
enum:
- mandatory
- optional
type: string
secretRefs:
description: SecretRefs denotes the reference to the Secret
that contains the Certificate
items:
description: RefConfig holds a config for a secret or
a configmap
properties:
key:
description: Key of the secret or configmap
minLength: 1
type: string
name:
description: Name of the secret or configmap
minLength: 1
type: string
required:
- key
- name
type: object
type: array
required:
- required
type: object
oauth2:
description: Oauth2 is to specify the Oauth2 authentication
scheme details