feat: remove AuthenticationFilter in favor of SecurityPolicy (#2086)

remove Authenticationfilter in favor of SecurityPolicy fix e2e fix test and add policies to egctl translate command add docs for jwt remove crd clear docs address comments update security policy status fix e2e test Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Oct 27, 2023 · 364710f · 364710f
1 parent 845e874
commit 364710f
Show file tree

Hide file tree

Showing 104 changed files with 331 additions and 5,340 deletions.
diff --git a/api/v1alpha1/cors_types.go b/api/v1alpha1/cors_types.go
@@ -0,0 +1,24 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
+type CORS struct {
+	// AllowOrigins defines the origins that are allowed to make requests.
+	// +kubebuilder:validation:MinItems=1
+	AllowOrigins []StringMatch `json:"allowOrigins,omitempty" yaml:"allowOrigins"`
+	// AllowMethods defines the methods that are allowed to make requests.
+	// +kubebuilder:validation:MinItems=1
+	AllowMethods []string `json:"allowMethods,omitempty" yaml:"allowMethods"`
+	// AllowHeaders defines the headers that are allowed to be sent with requests.
+	AllowHeaders []string `json:"allowHeaders,omitempty" yaml:"allowHeaders,omitempty"`
+	// ExposeHeaders defines the headers that can be exposed in the responses.
+	ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
+	// MaxAge defines how long the results of a preflight request can be cached.
+	MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
+}
diff --git a/api/v1alpha1/authenticationfilter_types.go → api/v1alpha1/jwt_types.go b/api/v1alpha1/authenticationfilter_types.go → api/v1alpha1/jwt_types.go
@@ -5,72 +5,22 @@
 
 package v1alpha1
 
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
+// JWT defines the configuration for JSON Web Token (JWT) authentication.
+type JWT struct {
 
-const (
-	// KindAuthenticationFilter is the name of the AuthenticationFilter kind.
-	KindAuthenticationFilter = "AuthenticationFilter"
-)
-
-// +kubebuilder:object:root=true
-// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
-
-type AuthenticationFilter struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	// Spec defines the desired state of the AuthenticationFilter type.
-	Spec AuthenticationFilterSpec `json:"spec"`
-
-	// Note: The status sub-resource has been excluded but may be added in the future.
-}
-
-// ClaimToHeader defines a configuration to convert JWT claims into HTTP headers
-type ClaimToHeader struct {
-
-	// Header defines the name of the HTTP request header that the JWT Claim will be saved into.
-	Header string `json:"header"`
-
-	// Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
-	// (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
-	// to separate the JSON name path.
-	Claim string `json:"claim"`
-}
-
-// AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type.
-// +union
-type AuthenticationFilterSpec struct {
-	// Type defines the type of authentication provider to use. Supported provider types
-	// are "JWT".
+	// Providers defines the JSON Web Token (JWT) authentication provider type.
 	//
-	// +unionDiscriminator
-	Type AuthenticationFilterType `json:"type"`
-
-	// JWT defines the JSON Web Token (JWT) authentication provider type. When multiple
-	// jwtProviders are specified, the JWT is considered valid if any of the providers
-	// successfully validate the JWT. For additional details, see
-	// https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
+	// When multiple JWT providers are specified, the JWT is considered valid if
+	// any of the providers successfully validate the JWT. For additional details,
+	// see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
 	//
+	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=4
-	// +optional
-	JwtProviders []JwtAuthenticationFilterProvider `json:"jwtProviders,omitempty"`
+	Providers []JWTProvider `json:"providers"`
 }
 
-// AuthenticationFilterType is a type of authentication provider.
-// +kubebuilder:validation:Enum=JWT
-type AuthenticationFilterType string
-
-const (
-	// JwtAuthenticationFilterProviderType is a provider that uses JSON Web Token (JWT)
-	// for authenticating requests..
-	JwtAuthenticationFilterProviderType AuthenticationFilterType = "JWT"
-)
-
-// JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type
-// and how JWTs should be verified:
-type JwtAuthenticationFilterProvider struct {
+// JWTProvider defines how a JSON Web Token (JWT) can be verified.
+type JWTProvider struct {
 	// Name defines a unique name for the JWT provider. A name can have a variety of forms,
 	// including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
 	//
@@ -120,15 +70,14 @@ type RemoteJWKS struct {
 	// TODO: Add TBD remote JWKS fields based on defined use cases.
 }
 
-//+kubebuilder:object:root=true
+// ClaimToHeader defines a configuration to convert JWT claims into HTTP headers
+type ClaimToHeader struct {
 
-// AuthenticationFilterList contains a list of AuthenticationFilter.
-type AuthenticationFilterList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []AuthenticationFilter `json:"items"`
-}
+	// Header defines the name of the HTTP request header that the JWT Claim will be saved into.
+	Header string `json:"header"`
 
-func init() {
-	SchemeBuilder.Register(&AuthenticationFilter{}, &AuthenticationFilterList{})
+	// Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
+	// (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
+	// to separate the JSON name path.
+	Claim string `json:"claim"`
 }
diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
@@ -54,114 +54,6 @@ type SecurityPolicySpec struct {
 	JWT *JWT `json:"jwt,omitempty"`
 }
 
-// CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
-type CORS struct {
-	// AllowOrigins defines the origins that are allowed to make requests.
-	// +kubebuilder:validation:MinItems=1
-	AllowOrigins []StringMatch `json:"allowOrigins,omitempty" yaml:"allowOrigins"`
-	// AllowMethods defines the methods that are allowed to make requests.
-	// +kubebuilder:validation:MinItems=1
-	AllowMethods []string `json:"allowMethods,omitempty" yaml:"allowMethods"`
-	// AllowHeaders defines the headers that are allowed to be sent with requests.
-	AllowHeaders []string `json:"allowHeaders,omitempty" yaml:"allowHeaders,omitempty"`
-	// ExposeHeaders defines the headers that can be exposed in the responses.
-	ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
-	// MaxAge defines how long the results of a preflight request can be cached.
-	MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
-}
-
-// JWT defines the configuration for JSON Web Token (JWT) authentication.
-type JWT struct {
-
-	// Providers defines the JSON Web Token (JWT) authentication provider type.
-	//
-	// When multiple JWT providers are specified, the JWT is considered valid if
-	// any of the providers successfully validate the JWT. For additional details,
-	// see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
-	//
-	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=4
-	Providers []JWTProvider `json:"providers"`
-}
-
-// JWTProvider defines how a JSON Web Token (JWT) can be verified.
-type JWTProvider struct {
-	// Name defines a unique name for the JWT provider. A name can have a variety of forms,
-	// including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
-	//
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=253
-	Name string `json:"name"`
-
-	// Issuer is the principal that issued the JWT and takes the form of a URL or email address.
-	// For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
-	// URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
-	// the JWT issuer is not checked.
-	//
-	// +kubebuilder:validation:MaxLength=253
-	// +optional
-	Issuer string `json:"issuer,omitempty"`
-
-	// Audiences is a list of JWT audiences allowed access. For additional details, see
-	// https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
-	// are not checked.
-	//
-	// +kubebuilder:validation:MaxItems=8
-	// +optional
-	Audiences []string `json:"audiences,omitempty"`
-
-	// RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
-	// HTTP/HTTPS endpoint.
-	RemoteJWKS RemoteJWKS `json:"remoteJWKS"`
-
-	// ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
-	// For examples, following config:
-	// The claim must be of type; string, int, double, bool. Array type claims are not supported
-	//
-	ClaimToHeaders []ClaimToHeader `json:"claimToHeaders,omitempty"`
-	// TODO: Add TBD JWT fields based on defined use cases.
-}
-
-// StringMatch defines how to match any strings.
-// This is a general purpose match condition that can be used by other EG APIs
-// that need to match against a string.
-type StringMatch struct {
-	// Type specifies how to match against a string.
-	//
-	// +optional
-	// +kubebuilder:default=Exact
-	Type *MatchType `json:"type,omitempty"`
-
-	// Value specifies the string value that the match must have.
-	//
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=1024
-	Value string `json:"value"`
-}
-
-// MatchType specifies the semantics of how a string value should be compared.
-// Valid MatchType values are "Exact", "Prefix", "Suffix", "RegularExpression".
-//
-// +kubebuilder:validation:Enum=Exact;Prefix;Suffix;RegularExpression
-type MatchType string
-
-const (
-	// MatchExact :the input string must match exactly the match value.
-	MatchExact MatchType = "Exact"
-
-	// MatchPrefix :the input string must start with the match value.
-	MatchPrefix MatchType = "Prefix"
-
-	// MatchSuffix :the input string must end with the match value.
-	MatchSuffix MatchType = "Suffix"
-
-	// MatchRegularExpression :The input string must match the regular expression
-	// specified in the match value.
-	// The regex string must adhere to the syntax documented in
-	// https://github.com/google/re2/wiki/Syntax.
-	MatchRegularExpression MatchType = "RegularExpression"
-)
-
 // SecurityPolicyStatus defines the state of SecurityPolicy
 type SecurityPolicyStatus struct {
 	// Conditions describe the current conditions of the SecurityPolicy.

diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go
@@ -235,3 +235,43 @@ const (
 	XDSHTTPListener XDSTranslatorHook = "HTTPListener"
 	XDSTranslation  XDSTranslatorHook = "Translation"
 )
+
+// StringMatch defines how to match any strings.
+// This is a general purpose match condition that can be used by other EG APIs
+// that need to match against a string.
+type StringMatch struct {
+	// Type specifies how to match against a string.
+	//
+	// +optional
+	// +kubebuilder:default=Exact
+	Type *MatchType `json:"type,omitempty"`
+
+	// Value specifies the string value that the match must have.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	Value string `json:"value"`
+}
+
+// MatchType specifies the semantics of how a string value should be compared.
+// Valid MatchType values are "Exact", "Prefix", "Suffix", "RegularExpression".
+//
+// +kubebuilder:validation:Enum=Exact;Prefix;Suffix;RegularExpression
+type MatchType string
+
+const (
+	// MatchExact :the input string must match exactly the match value.
+	MatchExact MatchType = "Exact"
+
+	// MatchPrefix :the input string must start with the match value.
+	MatchPrefix MatchType = "Prefix"
+
+	// MatchSuffix :the input string must end with the match value.
+	MatchSuffix MatchType = "Suffix"
+
+	// MatchRegularExpression :The input string must match the regular expression
+	// specified in the match value.
+	// The regex string must adhere to the syntax documented in
+	// https://github.com/google/re2/wiki/Syntax.
+	MatchRegularExpression MatchType = "RegularExpression"
+)