Remove JWKS-URI in API-gateway (#10)
* Remove JWKS-URI

* Fix typo
barchw authored Aug 30, 2022
1 parent 339e39a commit f73d7a7
Showing 8 changed files with 18 additions and 37 deletions.
8 changes: 1 addition & 7 deletions Makefile
@@ -18,11 +18,6 @@ ifndef OATHKEEPER_SVC_PORT
override OATHKEEPER_SVC_PORT = change-me
endif

# https://example.com/.well-known/jwks.json
ifndef JWKS_URI
override JWKS_URI = change-me
endif

# kubernetes.default service.namespace
ifndef SERVICE_BLOCKLIST
override SERVICE_BLOCKLIST = change-me
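Review bot: with the `ifndef JWKS_URI` block gone, a deploy environment that still exports JWKS_URI is now silently ignored rather than rejected, and the remaining defaults keep the `change-me` placeholders; a line in the commit body saying the variable is obsolete would let CI and deploy scripts drop it deliberately instead of carrying a dead export.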
@@ -119,7 +114,7 @@ build: generate fmt vet ## Build manager binary.

.PHONY: run
run: build
go run . --oathkeeper-svc-address=${OATHKEEPER_SVC_ADDRESS} --oathkeeper-svc-port=${OATHKEEPER_SVC_PORT} --jwks-uri=${JWKS_URI} --service-blocklist=${SERVICE_BLOCKLIST} --domain-allowlist=${DOMAIN_ALLOWLIST}
go run . --oathkeeper-svc-address=${OATHKEEPER_SVC_ADDRESS} --oathkeeper-svc-port=${OATHKEEPER_SVC_PORT} --service-blocklist=${SERVICE_BLOCKLIST} --domain-allowlist=${DOMAIN_ALLOWLIST}

.PHONY: docker-build
docker-build: pull-licenses test ## Build docker image with the manager.
@@ -268,7 +263,6 @@ patch-gen:
sed -e 's|OATHKEEPER_SVC_PORT|${OATHKEEPER_SVC_PORT}|g' |\
sed -e 's|SERVICE_BLOCKLIST|${SERVICE_BLOCKLIST}|g' |\
sed -e 's|DOMAIN_ALLOWLIST|${DOMAIN_ALLOWLIST}|g' |\
sed -e 's|JWKS_URI|${JWKS_URI}|g' |\
sed -e 's|CORS_ALLOW_ORIGINS|${CORS_ALLOW_ORIGINS}|g' |\
sed -e 's|CORS_ALLOW_METHODS|${CORS_ALLOW_METHODS}|g' |\
sed -e 's|CORS_ALLOW_HEADERS|${CORS_ALLOW_HEADERS}|g' > config/default/manager_args_patch.yaml
15 changes: 7 additions & 8 deletions README.md
@@ -1,4 +1,4 @@
# Api-Gateway Controller
# API-Gateway Controller

## Overview

@@ -20,7 +20,7 @@ Deploys the officially released Controller version to the cluster

- ensure the access to a Kubernetes cluster is configured in `~/.kube/config`
- `make install` to install necessary Custom Resource Definitions
- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT`, `JWKS_URI` and `DOMAIN_ALLOWLIST` variables
- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT` and `DOMAIN_ALLOWLIST` variables
- `make deploy` to deploy controller

### Run the controller locally
@@ -29,8 +29,8 @@ This procedure is the fastest way to run the Controller, useful for development

- start Minikube or ensure the access to a Kubernetes cluster is configured in `~/.kube/config`
- `make install` to install necessary Custom Resource Definitions
- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT`, `JWKS_URI` and `DOMAIN_ALLOWLIST` variables
- `go run main.go --jwks-uri="$JWKS_URI" --oathkeeper-svc-address="$OATHKEEPER_SVC_ADDRESS" --oathkeeper-svc-port=$OATHKEEPER_SVC_PORT --domain-allowlist=$DOMAIN_ALLOWLIST`
- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT` and `DOMAIN_ALLOWLIST` variables
- `go run main.go --oathkeeper-svc-address="$OATHKEEPER_SVC_ADDRESS" --oathkeeper-svc-port=$OATHKEEPER_SVC_PORT --domain-allowlist=$DOMAIN_ALLOWLIST`

### Deploy a custom Controller build to the local Minikube cluster

@@ -41,7 +41,7 @@ This procedure is useful to test your own Controller build end-to-end in a local
- `eval $(minikube docker-env)`
- `make build-image` to put the docker image inside running Minikube
- `make install` to install necessary Custom Resource Definitions
- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT`, `JWKS_URI` and `DOMAIN_ALLOWLIST` variables
- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT` and `DOMAIN_ALLOWLIST` variables
- `make deploy-dev` to deploy controller

### Use command-line flags
@@ -51,7 +51,6 @@ This procedure is useful to test your own Controller build end-to-end in a local
| **oathkeeper-svc-address** | YES | Ory oathkeeper-proxy service address. | `ory-oathkeeper-proxy.kyma-system.svc.cluster.local` |
| **oathkeeper-svc-port** | YES | Ory oathkeeper-proxy service port. | `4455` |
| **metrics-addr** | NO | The address the metric endpoint binds to. | `:8080` |
| **jwks-uri** | YES | Default jwksUri in the Policy. | any string |
| **enable-leader-election** | YES | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | any string |
| **service-blocklist** | NO | List of services to be blocklisted. | `kubernetes.default` <br> `kube-dns.kube-system` |
| **domain-allowlist** | NO | List of domains that can be exposed. All domains are allowed if empty | `kyma.local` <br> `foo.bar` |
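Review bot: the removed row described jwks-uri as the "Default jwksUri in the Policy", but nothing in this README change says what an APIRule that relied on that default does now (whether every JWT access strategy must carry its own jwksUri); one sentence near this table would spare operators a surprise on upgrade. While the table is being edited, the enable-leader-election row still lists Required YES and Example "any string", whereas main.go registers it with flag.BoolVar and a default of false, so NO and `true` would match the code.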
@@ -106,8 +105,8 @@ This table lists all the possible parameters of a given resource together with t
| **spec.service.name**, **spec.service.port** | **NO** | Specifies the name and the communication port of the exposed service. |
| **spec.service.host** | **NO** | Specifies the service's communication address for inbound external traffic. If only the leftmost label is provided, the default domain name will be used. |
| **spec.rules** | **YES** | Specifies array of rules. |
| **spec.rules.service.name** | **NO** | Specifies service name for the path. The services overrites the one on spec.service. |
| **spec.rules.service.port** | **NO** | Specifies service port for the path. The services overrites the one on spec.service. |
| **spec.rules.service.name** | **NO** | Specifies service name for the path. The services overrides the one on spec.service. |
| **spec.rules.service.port** | **NO** | Specifies service port for the path. The services overrides the one on spec.service. |
| **spec.rules.path** | **YES** | Specifies the path of the exposed service. |
| **spec.rules.methods** | **YES** | Specifies the list of HTTP request methods available for **spec.rules.path**. |
| **spec.rules.mutators** | **NO** | Specifies array of [Oathkeeper mutators](https://www.ory.sh/docs/oathkeeper/pipeline/mutator). |
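Review bot: the typo fix in the spec.rules.service.name and spec.rules.service.port rows still leaves a subject-verb mismatch: "The services overrides the one on spec.service" should read "The service overrides the one on spec.service" (or "This value overrides the one on spec.service").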
1 change: 0 additions & 1 deletion config/default/manager_args_patch.yaml
@@ -11,7 +11,6 @@ spec:
args:
- --oathkeeper-svc-address=change-me
- --oathkeeper-svc-port=change-me
- --jwks-uri=change-me
- --service-blocklist=kubernetes.default,service.namespace
- --domain-allowlist=kyma.local
- --cors-allow-origins=regex:.*
1 change: 0 additions & 1 deletion config/default/manager_args_patch.yaml.tmpl
@@ -11,7 +11,6 @@ spec:
args:
- --oathkeeper-svc-address=OATHKEEPER_SVC_ADDRESS
- --oathkeeper-svc-port=OATHKEEPER_SVC_PORT
- --jwks-uri=JWKS_URI
- --service-blocklist=SERVICE_BLOCKLIST
- --domain-allowlist=DOMAIN_ALLOWLIST
- --cors-allow-origins=CORS_ALLOW_ORIGINS
3 changes: 1 addition & 2 deletions controllers/apirule_controller.go
@@ -43,7 +43,6 @@ type APIRuleReconciler struct {
Log logr.Logger
OathkeeperSvc string
OathkeeperSvcPort uint32
JWKSURI string
CorsConfig *processing.CorsConfig
GeneratedObjectsLabels map[string]string
ServiceBlockList map[string][]string
@@ -103,7 +102,7 @@ func (r *APIRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
}

//2) Compute list of required objects (the set of objects required to satisfy our contract on apiRule.Spec, not yet applied)
factory := processing.NewFactory(r.Client, r.Log, r.OathkeeperSvc, r.OathkeeperSvcPort, r.JWKSURI, r.CorsConfig, r.GeneratedObjectsLabels, r.DefaultDomainName)
factory := processing.NewFactory(r.Client, r.Log, r.OathkeeperSvc, r.OathkeeperSvcPort, r.CorsConfig, r.GeneratedObjectsLabels, r.DefaultDomainName)
requiredObjects := factory.CalculateRequiredState(api)

//3.1 Fetch all existing objects related to _this_ apiRule from the cluster (VS, Rules)
4 changes: 1 addition & 3 deletions internal/processing/processing.go
@@ -28,20 +28,18 @@ type Factory struct {
Log logr.Logger
oathkeeperSvc string
oathkeeperSvcPort uint32
JWKSURI string
corsConfig *CorsConfig
additionalLabels map[string]string
defaultDomainName string
}

//NewFactory .
func NewFactory(client client.Client, logger logr.Logger, oathkeeperSvc string, oathkeeperSvcPort uint32, jwksURI string, corsConfig *CorsConfig, additionalLabels map[string]string, defaultDomainName string) *Factory {
func NewFactory(client client.Client, logger logr.Logger, oathkeeperSvc string, oathkeeperSvcPort uint32, corsConfig *CorsConfig, additionalLabels map[string]string, defaultDomainName string) *Factory {
return &Factory{
client: client,
Log: logger,
oathkeeperSvc: oathkeeperSvc,
oathkeeperSvcPort: oathkeeperSvcPort,
JWKSURI: jwksURI,
corsConfig: corsConfig,
additionalLabels: additionalLabels,
defaultDomainName: defaultDomainName,
16 changes: 8 additions & 8 deletions internal/processing/processing_test.go
@@ -84,7 +84,7 @@ var _ = Describe("Factory", func() {

apiRule := getAPIRuleFor(rules)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
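Review bot: the identical `NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)` call is edited the same way in eight places in this file; a small test helper such as `newTestFactory()` wrapping that call would confine the next constructor signature change to a single line.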
@@ -144,7 +144,7 @@ var _ = Describe("Factory", func() {

apiRule := getAPIRuleFor(rules)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -184,7 +184,7 @@ var _ = Describe("Factory", func() {

apiRule := getAPIRuleFor(rules)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -248,7 +248,7 @@ var _ = Describe("Factory", func() {

apiRule := getAPIRuleFor(rules)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -391,7 +391,7 @@ var _ = Describe("Factory", func() {

apiRule := getAPIRuleFor(rules)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -511,7 +511,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
apiRule.Spec.Host = &serviceHostWithNoDomain

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -550,7 +550,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
expectedNoopRuleMatchURL := fmt.Sprintf("<http|https>://%s<%s>", serviceHost, apiPath)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
actualState := &State{}
@@ -597,7 +597,7 @@ var _ = Describe("Factory", func() {

apiRule := getAPIRuleFor(rules)

f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)

desiredState := f.CalculateRequiredState(apiRule)
oauthNoopRuleMatchURL := fmt.Sprintf("<http|https>://%s<%s>", serviceHost, oauthAPIPath)
7 changes: 0 additions & 7 deletions main.go
@@ -75,7 +75,6 @@ func main() {
var metricsAddr string
var healthProbeAddr string
var enableLeaderElection bool
var jwksURI string
var oathkeeperSvcAddr string
var oathkeeperSvcPort uint
var blockListedServices string
@@ -90,7 +89,6 @@ func main() {
flag.UintVar(&oathkeeperSvcPort, "oathkeeper-svc-port", 0, "Oathkeeper proxy service port")
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&healthProbeAddr, "health-probe-addr", ":8081", "The address the health probe endpoint binds to.")
flag.StringVar(&jwksURI, "jwks-uri", "", "URL of the provider's public key set to validate signature of the JWT")
flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
flag.StringVar(&blockListedServices, "service-blocklist", "kubernetes.default,kube-dns.kube-system", "List of services to be blocklisted from exposure.")
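Review bot: removing the `jwks-uri` flag is a user-visible change to the controller's command line, and an operator still passing `--jwks-uri=...` will now get a flag-parse failure at startup rather than the old "required, but not supplied" guard; the commit message only says "Remove JWKS-URI", so state in the body that the flag is gone and that JWT key-set locations are no longer taken from a controller-wide default.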
@@ -105,10 +103,6 @@ func main() {

ctrl.SetLogger(zap.New(zap.UseDevMode(true)))

if jwksURI == "" {
setupLog.Error(fmt.Errorf("jwks-uri required, but not supplied"), "unable to create controller", "controller", "Api")
os.Exit(1)
}
if oathkeeperSvcAddr == "" {
setupLog.Error(fmt.Errorf("oathkeeper-svc-address can't be empty"), "unable to create controller", "controller", "Api")
os.Exit(1)
@@ -165,7 +159,6 @@ func main() {
Log: ctrl.Log.WithName("controllers").WithName("Api"),
OathkeeperSvc: oathkeeperSvcAddr,
OathkeeperSvcPort: uint32(oathkeeperSvcPort),
JWKSURI: jwksURI,
ServiceBlockList: getNamespaceServiceMap(blockListedServices),
DomainAllowList: getList(allowListedDomains),
HostBlockList: getHostBlockListFrom(blockListedSubdomains, domainName),
