From f73d7a77e1f1e81b784b63d8878ab9999edc6115 Mon Sep 17 00:00:00 2001
From: Bartosz Chwila <103247439+barchw@users.noreply.github.com>
Date: Tue, 30 Aug 2022 08:57:49 +0200
Subject: [PATCH] Remove JWKS-URI in API-gateway (#10)
* Remove JWKS-URI
* Fix typo
---
Makefile | 8 +-------
README.md | 15 +++++++--------
config/default/manager_args_patch.yaml | 1 -
config/default/manager_args_patch.yaml.tmpl | 1 -
controllers/apirule_controller.go | 3 +--
internal/processing/processing.go | 4 +---
internal/processing/processing_test.go | 16 ++++++++--------
main.go | 7 -------
8 files changed, 18 insertions(+), 37 deletions(-)
diff --git a/Makefile b/Makefile
index b7662f5a2..f50a0b75a 100644
--- a/Makefile
+++ b/Makefile
@@ -18,11 +18,6 @@ ifndef OATHKEEPER_SVC_PORT
override OATHKEEPER_SVC_PORT = change-me
endif
-# https://example.com/.well-known/jwks.json
-ifndef JWKS_URI
-override JWKS_URI = change-me
-endif
-
# kubernetes.default service.namespace
ifndef SERVICE_BLOCKLIST
override SERVICE_BLOCKLIST = change-me
@@ -119,7 +114,7 @@ build: generate fmt vet ## Build manager binary.
.PHONY: run
run: build
- go run . --oathkeeper-svc-address=${OATHKEEPER_SVC_ADDRESS} --oathkeeper-svc-port=${OATHKEEPER_SVC_PORT} --jwks-uri=${JWKS_URI} --service-blocklist=${SERVICE_BLOCKLIST} --domain-allowlist=${DOMAIN_ALLOWLIST}
+ go run . --oathkeeper-svc-address=${OATHKEEPER_SVC_ADDRESS} --oathkeeper-svc-port=${OATHKEEPER_SVC_PORT} --service-blocklist=${SERVICE_BLOCKLIST} --domain-allowlist=${DOMAIN_ALLOWLIST}
.PHONY: docker-build
docker-build: pull-licenses test ## Build docker image with the manager.
@@ -268,7 +263,6 @@ patch-gen:
sed -e 's|OATHKEEPER_SVC_PORT|${OATHKEEPER_SVC_PORT}|g' |\
sed -e 's|SERVICE_BLOCKLIST|${SERVICE_BLOCKLIST}|g' |\
sed -e 's|DOMAIN_ALLOWLIST|${DOMAIN_ALLOWLIST}|g' |\
- sed -e 's|JWKS_URI|${JWKS_URI}|g' |\
sed -e 's|CORS_ALLOW_ORIGINS|${CORS_ALLOW_ORIGINS}|g' |\
sed -e 's|CORS_ALLOW_METHODS|${CORS_ALLOW_METHODS}|g' |\
sed -e 's|CORS_ALLOW_HEADERS|${CORS_ALLOW_HEADERS}|g' > config/default/manager_args_patch.yaml
diff --git a/README.md b/README.md
index 7190310f0..ba681175d 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Api-Gateway Controller
+# API-Gateway Controller
## Overview
@@ -20,7 +20,7 @@ Deploys the officially released Controller version to the cluster
- ensure the access to a Kubernetes cluster is configured in `~/.kube/config`
- `make install` to install necessary Custom Resource Definitions
-- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT`, `JWKS_URI` and `DOMAIN_ALLOWLIST` variables
+- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT` and `DOMAIN_ALLOWLIST` variables
- `make deploy` to deploy controller
### Run the controller locally
@@ -29,8 +29,8 @@ This procedure is the fastest way to run the Controller, useful for development
- start Minikube or ensure the access to a Kubernetes cluster is configured in `~/.kube/config`
- `make install` to install necessary Custom Resource Definitions
-- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT`, `JWKS_URI` and `DOMAIN_ALLOWLIST` variables
-- `go run main.go --jwks-uri="$JWKS_URI" --oathkeeper-svc-address="$OATHKEEPER_SVC_ADDRESS" --oathkeeper-svc-port=$OATHKEEPER_SVC_PORT --domain-allowlist=$DOMAIN_ALLOWLIST`
+- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT` and `DOMAIN_ALLOWLIST` variables
+- `go run main.go --oathkeeper-svc-address="$OATHKEEPER_SVC_ADDRESS" --oathkeeper-svc-port=$OATHKEEPER_SVC_PORT --domain-allowlist=$DOMAIN_ALLOWLIST`
### Deploy a custom Controller build to the local Minikube cluster
@@ -41,7 +41,7 @@ This procedure is useful to test your own Controller build end-to-end in a local
- `eval $(minikube docker-env)`
- `make build-image` to put the docker image inside running Minikube
- `make install` to install necessary Custom Resource Definitions
-- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT`, `JWKS_URI` and `DOMAIN_ALLOWLIST` variables
+- export `OATHKEEPER_SVC_ADDRESS`, `OATHKEEPER_SVC_PORT` and `DOMAIN_ALLOWLIST` variables
- `make deploy-dev` to deploy controller
### Use command-line flags
@@ -51,7 +51,6 @@ This procedure is useful to test your own Controller build end-to-end in a local
| **oathkeeper-svc-address** | YES | Ory oathkeeper-proxy service address. | `ory-oathkeeper-proxy.kyma-system.svc.cluster.local` |
| **oathkeeper-svc-port** | YES | Ory oathkeeper-proxy service port. | `4455` |
| **metrics-addr** | NO | The address the metric endpoint binds to. | `:8080` |
-| **jwks-uri** | YES | Default jwksUri in the Policy. | any string |
| **enable-leader-election** | YES | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | any string |
| **service-blocklist** | NO | List of services to be blocklisted. | `kubernetes.default`
`kube-dns.kube-system` |
| **domain-allowlist** | NO | List of domains that can be exposed. All domains are allowed if empty | `kyma.local`
`foo.bar` |
@@ -106,8 +105,8 @@ This table lists all the possible parameters of a given resource together with t
| **spec.service.name**, **spec.service.port** | **NO** | Specifies the name and the communication port of the exposed service. |
| **spec.service.host** | **NO** | Specifies the service's communication address for inbound external traffic. If only the leftmost label is provided, the default domain name will be used. |
| **spec.rules** | **YES** | Specifies array of rules. |
-| **spec.rules.service.name** | **NO** | Specifies service name for the path. The services overrites the one on spec.service. |
-| **spec.rules.service.port** | **NO** | Specifies service port for the path. The services overrites the one on spec.service. |
+| **spec.rules.service.name** | **NO** | Specifies service name for the path. The services overrides the one on spec.service. |
+| **spec.rules.service.port** | **NO** | Specifies service port for the path. The services overrides the one on spec.service. |
| **spec.rules.path** | **YES** | Specifies the path of the exposed service. |
| **spec.rules.methods** | **YES** | Specifies the list of HTTP request methods available for **spec.rules.path**. |
| **spec.rules.mutators** | **NO** | Specifies array of [Oathkeeper mutators](https://www.ory.sh/docs/oathkeeper/pipeline/mutator). |
diff --git a/config/default/manager_args_patch.yaml b/config/default/manager_args_patch.yaml
index 3df8f8109..f00cdf0dc 100644
--- a/config/default/manager_args_patch.yaml
+++ b/config/default/manager_args_patch.yaml
@@ -11,7 +11,6 @@ spec:
args:
- --oathkeeper-svc-address=change-me
- --oathkeeper-svc-port=change-me
- - --jwks-uri=change-me
- --service-blocklist=kubernetes.default,service.namespace
- --domain-allowlist=kyma.local
- --cors-allow-origins=regex:.*
diff --git a/config/default/manager_args_patch.yaml.tmpl b/config/default/manager_args_patch.yaml.tmpl
index 117ce37a0..df3a181f2 100644
--- a/config/default/manager_args_patch.yaml.tmpl
+++ b/config/default/manager_args_patch.yaml.tmpl
@@ -11,7 +11,6 @@ spec:
args:
- --oathkeeper-svc-address=OATHKEEPER_SVC_ADDRESS
- --oathkeeper-svc-port=OATHKEEPER_SVC_PORT
- - --jwks-uri=JWKS_URI
- --service-blocklist=SERVICE_BLOCKLIST
- --domain-allowlist=DOMAIN_ALLOWLIST
- --cors-allow-origins=CORS_ALLOW_ORIGINS
diff --git a/controllers/apirule_controller.go b/controllers/apirule_controller.go
index 9873bd0a2..a044e3a89 100644
--- a/controllers/apirule_controller.go
+++ b/controllers/apirule_controller.go
@@ -43,7 +43,6 @@ type APIRuleReconciler struct {
Log logr.Logger
OathkeeperSvc string
OathkeeperSvcPort uint32
- JWKSURI string
CorsConfig *processing.CorsConfig
GeneratedObjectsLabels map[string]string
ServiceBlockList map[string][]string
@@ -103,7 +102,7 @@ func (r *APIRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
}
//2) Compute list of required objects (the set of objects required to satisfy our contract on apiRule.Spec, not yet applied)
- factory := processing.NewFactory(r.Client, r.Log, r.OathkeeperSvc, r.OathkeeperSvcPort, r.JWKSURI, r.CorsConfig, r.GeneratedObjectsLabels, r.DefaultDomainName)
+ factory := processing.NewFactory(r.Client, r.Log, r.OathkeeperSvc, r.OathkeeperSvcPort, r.CorsConfig, r.GeneratedObjectsLabels, r.DefaultDomainName)
requiredObjects := factory.CalculateRequiredState(api)
//3.1 Fetch all existing objects related to _this_ apiRule from the cluster (VS, Rules)
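Review bot: With `r.JWKSURI` gone from the `NewFactory` call, the JWKS location for any JWT access strategy now has to come entirely from each APIRule, and nothing in this hunk shows that a JWT rule with an empty or missing `jwks_urls` is rejected before `CalculateRequiredState(api)` renders an Oathkeeper Rule with no key source. If that validation lives in the CRD schema or a webhook rather than here, a one-line comment above the factory call saying so would stop the next reader from assuming a default still exists, e.g. `// No controller-wide JWKS default: each APIRule's JWT config must carry its own jwks_urls (validated upstream).` Since the APIRule author now fully controls where signing keys are fetched from, it is also worth confirming that the accepted values are constrained (https scheme, or an allowlist of issuers) somewhere in the validation path. `Reconcile` continues past the end of this hunk, so the check may well be there; I only flag that it is not visible from the change.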
diff --git a/internal/processing/processing.go b/internal/processing/processing.go
index 7efd985ea..a8173e20a 100644
--- a/internal/processing/processing.go
+++ b/internal/processing/processing.go
@@ -28,20 +28,18 @@ type Factory struct {
Log logr.Logger
oathkeeperSvc string
oathkeeperSvcPort uint32
- JWKSURI string
corsConfig *CorsConfig
additionalLabels map[string]string
defaultDomainName string
}
//NewFactory .
-func NewFactory(client client.Client, logger logr.Logger, oathkeeperSvc string, oathkeeperSvcPort uint32, jwksURI string, corsConfig *CorsConfig, additionalLabels map[string]string, defaultDomainName string) *Factory {
+func NewFactory(client client.Client, logger logr.Logger, oathkeeperSvc string, oathkeeperSvcPort uint32, corsConfig *CorsConfig, additionalLabels map[string]string, defaultDomainName string) *Factory {
return &Factory{
client: client,
Log: logger,
oathkeeperSvc: oathkeeperSvc,
oathkeeperSvcPort: oathkeeperSvcPort,
- JWKSURI: jwksURI,
corsConfig: corsConfig,
additionalLabels: additionalLabels,
defaultDomainName: defaultDomainName,
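Review bot: The exported constructor keeps the placeholder doc comment `//NewFactory .` even though its signature changed in this hunk, so the new parameter list is undocumented and `gofmt`/`golint` style (space after `//`, sentence starting with the name) is not followed. A comment along the lines of `// NewFactory returns a Factory whose CalculateRequiredState computes the objects an APIRule requires; oathkeeperSvc and oathkeeperSvcPort address the Oathkeeper proxy, additionalLabels are attached to the generated objects, and defaultDomainName completes a host given without a domain.` would make the contract readable without opening the controller. What corsConfig is applied to is not visible in this hunk, so I would describe it only as far as the rest of the file supports. The `Factory` struct header is in the hunk but `NewFactory`'s return literal closes outside it.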
diff --git a/internal/processing/processing_test.go b/internal/processing/processing_test.go
index 1d3c9259f..1cc617e48 100644
--- a/internal/processing/processing_test.go
+++ b/internal/processing/processing_test.go
@@ -84,7 +84,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
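Review bot: Every updated test here only drops the literal JWKS argument; none of the visible hunks adds a case asserting that a JWT access strategy's key source is now taken solely from the APIRule's own config, which is the behaviour this commit relies on once the controller-wide default is gone. If such a test already exists outside these hunks this is moot, otherwise a single case that builds an APIRule with a `jwt` handler and asserts the rendered Rule's `jwks_urls` equals the value in the CR (and that no default leaks in) would pin the new contract. The `Describe("Factory", …)` block and this `It` start outside the hunk.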
@@ -144,7 +144,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -184,7 +184,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -248,7 +248,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -391,7 +391,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -511,7 +511,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
apiRule.Spec.Host = &serviceHostWithNoDomain
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
vs := desiredState.virtualService
@@ -550,7 +550,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
expectedNoopRuleMatchURL := fmt.Sprintf("://%s<%s>", serviceHost, apiPath)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
actualState := &State{}
@@ -597,7 +597,7 @@ var _ = Describe("Factory", func() {
apiRule := getAPIRuleFor(rules)
- f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, "https://example.com/.well-known/jwks.json", testCors, testAdditionalLabels, defaultDomain)
+ f := NewFactory(nil, ctrl.Log.WithName("test"), oathkeeperSvc, oathkeeperSvcPort, testCors, testAdditionalLabels, defaultDomain)
desiredState := f.CalculateRequiredState(apiRule)
oauthNoopRuleMatchURL := fmt.Sprintf("://%s<%s>", serviceHost, oauthAPIPath)
diff --git a/main.go b/main.go
index e93bc903d..bfb491c3e 100644
--- a/main.go
+++ b/main.go
@@ -75,7 +75,6 @@ func main() {
var metricsAddr string
var healthProbeAddr string
var enableLeaderElection bool
- var jwksURI string
var oathkeeperSvcAddr string
var oathkeeperSvcPort uint
var blockListedServices string
@@ -90,7 +89,6 @@ func main() {
flag.UintVar(&oathkeeperSvcPort, "oathkeeper-svc-port", 0, "Oathkeeper proxy service port")
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&healthProbeAddr, "health-probe-addr", ":8081", "The address the health probe endpoint binds to.")
- flag.StringVar(&jwksURI, "jwks-uri", "", "URL of the provider's public key set to validate signature of the JWT")
flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
flag.StringVar(&blockListedServices, "service-blocklist", "kubernetes.default,kube-dns.kube-system", "List of services to be blocklisted from exposure.")
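Review bot: Dropping the `--jwks-uri` flag outright means any deployment still passing it (older Helm values, a manually edited `manager_args_patch.yaml`) will fail at `flag.Parse()` with "flag provided but not defined" and the manager will exit before reconciling anything, since this file uses the stdlib `flag` package whose default `CommandLine` is `ExitOnError`. The in-repo config patch is updated in this commit, so this only bites out-of-tree manifests; if those exist, keeping an ignored shim for one release, e.g. `_ = flag.String("jwks-uri", "", "Deprecated: ignored; set jwks_urls on each APIRule instead.")`, gives operators a clean upgrade path and a pointer to where the setting moved. `main` continues outside the hunk.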
@@ -105,10 +103,6 @@ func main() {
ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
- if jwksURI == "" {
- setupLog.Error(fmt.Errorf("jwks-uri required, but not supplied"), "unable to create controller", "controller", "Api")
- os.Exit(1)
- }
if oathkeeperSvcAddr == "" {
setupLog.Error(fmt.Errorf("oathkeeper-svc-address can't be empty"), "unable to create controller", "controller", "Api")
os.Exit(1)
@@ -165,7 +159,6 @@ func main() {
Log: ctrl.Log.WithName("controllers").WithName("Api"),
OathkeeperSvc: oathkeeperSvcAddr,
OathkeeperSvcPort: uint32(oathkeeperSvcPort),
- JWKSURI: jwksURI,
ServiceBlockList: getNamespaceServiceMap(blockListedServices),
DomainAllowList: getList(allowListedDomains),
HostBlockList: getHostBlockListFrom(blockListedSubdomains, domainName),