[MVP] JWT Istio handler configuration - support for new APIRules #34

Closed
6 of 11 tasks
Tracked by #30
strekm opened this issue Sep 22, 2022 · 0 comments
strekm commented Sep 22, 2022

Description

Implement changes in the jwt access strategy handler based on Istio CRs. The jwt access strategy should support both methods of handling: by creating an ORY Oathkeeper rule and by creating Istio RA and AP CRs. This version should support only creation of APIRules; transition between handlers is not supported. The first version should be implemented as follows:

apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
  name: service-secured
spec:
  gateway: kyma-system/kyma-gateway
  host: foo.bar
  service:
    name: foo-service
    port: 8080
  rules:
    - path: /headers
      methods: ["GET"]
      mutators: []
      accessStrategies:
        - handler: jwt
          config:
            authentications:
            - issuer: ISSUER
              jwksUri: JWKSURI
            - xxx

config object will contain:

  • authentications - required array with at least one element

authentication object will contain:

  • issuer - required field (this field is not required for oathkeeper jwt handler)
  • jwksUri - required field (this field is required for oathkeeper jwt handler)

This configuration should create the following resources:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: ISSUER
    jwksUri: JWKSURI

This configuration should create the following AP:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/headers"]

If the FT is disabled, the Oathkeeper handler schema should be valid. If the FT is enabled, the jwt handler schema should be valid.

ACs:

  • oathkeeper implementation fully supported
  • istio implementation supported for defined fields
  • istio implementation only applied when feature toggle is enabled
  • jwt Istio based handler only supported for new APIRules (transition not supported)
  • jwt handler configuration is validated, errors are stored in Status

Reasons

Introducing JWT handler based on Istio.

Attachments

Depends on: #40
Part of: #30

DoD:

  • provide documentation
  • provide unit tests
  • test on SKR
  • verify Get started guides
  • verify resource limits
  • followup issue
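An added example, not code from the api-gateway project, of the validation and mapping the issue describes: it enforces the jwt config schema (authentications non-empty, issuer and jwksUri required), collects the errors that would go into Status, and translates one APIRule rule into the RequestAuthentication jwtRules and AuthorizationPolicy rule shown above. The struct types are hypothetical simplified stand-ins, not the project's CRD structs or the Istio client-go types.

```go
package main

import "fmt"

// Hypothetical stand-ins for the APIRule jwt config in the issue; the real
// api-gateway CRD structs and the Istio client-go types are not used here.
type Authentication struct{ Issuer, JwksURI string }
type JwtConfig struct{ Authentications []Authentication }
type JwtRule struct{ Issuer, JwksURI string }                    // RequestAuthentication.spec.jwtRules[i]
type APRule struct{ RequestPrincipals, Methods, Paths []string } // AuthorizationPolicy.spec.rules[i], flattened

// validateJwtConfig enforces the issue's schema: at least one authentication,
// issuer and jwksUri required on each. Messages are what Status would carry.
func validateJwtConfig(c JwtConfig) []string {
	var errs []string
	if len(c.Authentications) == 0 {
		errs = append(errs, "config.authentications: at least one element required")
	}
	for i, a := range c.Authentications {
		if a.Issuer == "" {
			errs = append(errs, fmt.Sprintf("config.authentications[%d].issuer: required", i))
		}
		if a.JwksURI == "" {
			errs = append(errs, fmt.Sprintf("config.authentications[%d].jwksUri: required", i))
		}
	}
	return errs
}

// toIstio maps one APIRule rule (methods, path, jwt config) onto the Istio
// resources from the issue: each authentication becomes a RequestAuthentication
// jwtRule, and one AuthorizationPolicy rule admits any authenticated principal
// ("*") for that method/path pair only. Invalid config yields no resources.
func toIstio(methods []string, path string, c JwtConfig) ([]JwtRule, *APRule, []string) {
	if errs := validateJwtConfig(c); len(errs) > 0 {
		return nil, nil, errs
	}
	rules := make([]JwtRule, 0, len(c.Authentications))
	for _, a := range c.Authentications {
		rules = append(rules, JwtRule{Issuer: a.Issuer, JwksURI: a.JwksURI})
	}
	ap := &APRule{RequestPrincipals: []string{"*"}, Methods: methods, Paths: []string{path}}
	return rules, ap, nil
}

func main() {
	cfg := JwtConfig{Authentications: []Authentication{{Issuer: "ISSUER", JwksURI: "JWKSURI"}}}
	ra, ap, errs := toIstio([]string{"GET"}, "/headers", cfg) // values from the issue's APIRule
	fmt.Printf("jwtRules=%+v ap=%+v errors=%v\n", ra, ap, errs)
}
```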
@strekm strekm added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 22, 2022
@strekm strekm added this to the 1.2 milestone Sep 22, 2022
@strekm strekm changed the title MVP JWT Istio handle configuration [MVP] JWT Istio handler configuration Sep 26, 2022
@strekm strekm changed the title [MVP] JWT Istio handler configuration [MVP] JWT Istio handler configuration - support for new APIRules Sep 26, 2022
@werdes72 werdes72 assigned werdes72 and unassigned werdes72 Oct 5, 2022
@werdes72 werdes72 self-assigned this Oct 14, 2022
@werdes72 werdes72 removed their assignment Nov 3, 2022
@videlov videlov self-assigned this Nov 4, 2022
@videlov videlov assigned triffer, werdes72 and videlov and unassigned videlov Nov 4, 2022
@strekm strekm closed this as completed Nov 14, 2022