Enable GW JWT Tests (#3097)

* kind of running

* WIP

* Unskip test and setup so it works correctly

* revert typo

* Move tokens into constants

* Adds test scenario for adding a second gateway policy to a gateway, should and will fail

* linter

* Add case for multiple routes on listener with only one defining JWT
configuration

* Multiple routes referencing the same external ref

* Add check for route referencing route extension outside of local
namespace failing

---------

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/api-gateway.yaml

@@ -9,11 +9,17 @@ spec:
   gatewayClassName: gateway-class
   listeners:
   - protocol: HTTP
-    port: 8080
+    port: 8081
     name: http-auth
     allowedRoutes:
       namespaces:
         from: "All"
+  - protocol: HTTP
+    port: 8082
+    name: http-invalid-attach
+    allowedRoutes:
+      namespaces:
+        from: "All"
   - protocol: HTTP
     port: 80
     name: http

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/external-ref-other-ns.yaml

@@ -0,0 +1,16 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: RouteAuthFilter
+metadata:
+  name: route-jwt-auth-filter-other
+  namespace: other
+spec:
+  jwt:
+    providers:
+    - name: "local"
+      verifyClaims:
+      - path:
+          - role
+        value: doctor

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/extraGatewayPolicy/extra-gateway-policy.yaml

@@ -0,0 +1,25 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+# This is used to show that a gateway cannot have more than one gateway policy attached to it
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: GatewayPolicy
+metadata:
+  name: bad-policy
+spec:
+  targetRef:
+    name: gateway
+    sectionName: http-auth
+    group: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+  override:
+    jwt:
+      providers:
+      - name: "local"
+  default:
+    jwt:
+      providers:
+      - name: "local"
+        verifyClaims:
+        - path:
+            - role
+          value: pet

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/extraGatewayPolicy/kustomization.yaml

@@ -0,0 +1,7 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- extra-gateway-policy.yaml

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/gateway-policy.yaml

@@ -2,26 +2,24 @@
 # SPDX-License-Identifier: MPL-2.0
 
 apiVersion: consul.hashicorp.com/v1alpha1
-kind: ConsulGatewayPolicy
+kind: GatewayPolicy
 metadata:
   name: my-policy
 spec:
   targetRef:
     name: gateway
+    sectionName: http-auth
+    group: gateway.networking.k8s.io/v1beta1
     kind: Gateway
-    group: gateway.networking.kuberenetes.io
-    sectionName: http
   override:
-    Providers:
-    - Provider: "local"
-      VerifyClaims:
-      - Path:
-        - "iss"
-        Value: "local"
+    jwt:
+      providers:
+      - name: "local"
   default:
-    Providers:
-    - Provider: "local"
-      VerifyClaims:
-      - Path:
-        - "iss"
-        Value: "local"
+    jwt:
+      providers:
+      - name: "local"
+        verifyClaims:
+        - path:
+            - role
+          value: pet

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/httproute-auth.yaml

@@ -16,17 +16,17 @@ spec:
           value: "/admin"
       backendRefs:
         - name: static-server
-          port: 80
+          port: 8080
       filters:
       - type: ExtensionRef
         extensionRef:
           group: consul.hashicorp.com
-          kind: HTTPRouteAuthFilter
+          kind: RouteAuthFilter
           name: route-jwt-auth-filter
     - matches:
       - path:
           type: PathPrefix
           value: "/pet"
       backendRefs:
         - name: static-server
-          port: 80
+          port: 8080

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/httproute-invalid-external-ref.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-route-auth-invalid
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http-invalid-attach
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/admin"
+      backendRefs:
+        - name: static-server
+          port: 8080
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: consul.hashicorp.com
+          kind: RouteAuthFilter
+          name: route-jwt-auth-filter-other
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/pet"
+      backendRefs:
+        - name: static-server
+          port: 8080

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/httproute-no-auth-on-auth-listener.yaml

@@ -0,0 +1,26 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-route-no-auth-on-auth-listener
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http-auth
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/admin-no-auth"
+      backendRefs:
+        - name: static-server
+          port: 8080
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/pet-no-auth"
+      backendRefs:
+        - name: static-server
+          port: 8080

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/httproute.yaml

@@ -16,4 +16,4 @@ spec:
           value: "/v1"
       backendRefs:
       - name: static-server
-        port: 80
+        port: 8080

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/httproute2-auth.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: http-route2-auth
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http-auth
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/admin-2"
+      backendRefs:
+        - name: static-server
+          port: 8080
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: consul.hashicorp.com
+          kind: RouteAuthFilter
+          name: route-jwt-auth-filter
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/pet-2"
+      backendRefs:
+        - name: static-server
+          port: 8080

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/jwt-route-filter.yaml

@@ -2,14 +2,14 @@
 # SPDX-License-Identifier: MPL-2.0
 
 apiVersion: consul.hashicorp.com/v1alpha1
-kind: HTTPRouteAuthFilter
+kind: RouteAuthFilter
 metadata:
-  name: example-route-jwt-filter
+  name: route-jwt-auth-filter
 spec:
-  type: JWT
-  JWTProviders:
-  - Provider: "local"
-    VerifyClaims:
-    - Path:
-      - "role"
-      Value: "doctor"
+  jwt:
+    providers:
+    - name: "local"
+      verifyClaims:
+      - path:
+          - role
+        value: doctor

acceptance/tests/fixtures/cases/api-gateways/jwt-auth/kustomization.yaml

@@ -1,14 +1,20 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 
 resources:
 - ../../../bases/api-gateway
 - ../../static-server-inject
-- ./httproute.yaml
-- ./jwt-provider.yaml
+- httproute-auth.yaml
+- httproute-invalid-external-ref.yaml
+- httproute2-auth.yaml
+- httproute-no-auth-on-auth-listener.yaml
+- jwt-provider.yaml
+- jwt-route-filter.yaml
+- gateway-policy.yaml
+
 
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
 patches:
-- patch: httproute-no-auth.yaml
+- path: httproute.yaml
 - path: api-gateway.yaml