@eguzki eguzki commented Dec 9, 2025

What

Requirement for Kuadrant/kuadrant-backstage-plugin#150

The AuthPolicyDiscovered condition is ok when there is an auth policy either targeting the targeted route or targeting any gateway parent of the targeted route.

Note: missing implementation for default & override semantics

Verification steps

Dev setup

make kind-create-cluster
make install
make gateway-api-install
make kuadrant-core-install

Deploy apiproduct controller

make local-deploy

Create gateway and httproute

kubectl create ns gateway-system
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: gateway-system
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    hostname: "example.com"
    allowedRoutes:
      namespaces:
        from: All
EOF
kubectl create ns toystore
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
  namespace: toystore
spec:
  hostnames:
    - example.com
  parentRefs:
    - name: my-gateway
      namespace: gateway-system
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/"
      backendRefs:
        - name: toystore
          port: 80
EOF
cat <<EOF >route-status-patch.yaml
status:
  parents:
    - controllerName: istio.io/gateway-controller
      conditions:
        - lastTransitionTime: "2025-09-03T19:16:16Z"
          message: Route was valid
          observedGeneration: 1
          reason: Accepted
          status: "True"
          type: Accepted
      parentRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: my-gateway
        namespace: gateway-system
EOF
kubectl patch httproute my-route --type=merge --patch "$(cat route-status-patch.yaml)" --subresource status -n toystore
rm route-status-patch.yaml

Create authPolicy targeting the route

kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: toystore-auth
  namespace: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-route
  rules:
    authentication:
      "api-key-users":
        apiKey:
          selector:
            matchLabels:
              app: toystore
        credentials:
          authorizationHeader:
            prefix: APIKEY
EOF

Create apiproduct

kubectl apply -f - <<EOF
apiVersion: devportal.kuadrant.io/v1alpha1
kind: APIProduct
metadata:
  name: toystore-api
  namespace: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-route
  displayName: Toystore API
  description: Manage toy inventory
  approvalMode: manual
  publishStatus: Published
EOF

Verify discovered authpolicy scheme in the status of the APIProduct object

kubectl get apiproduct toystore-api -o jsonpath='{.status}' -n toystore | yq e -P

The expected result is

conditions:
  - lastTransitionTime: "2025-12-09T14:39:46Z"
    message: PlanPolicy not found
    reason: NotFound
    status: "False"
    type: PlanPolicyDiscovered
  - lastTransitionTime: "2025-12-09T14:39:46Z"
    message: Discovered AuthPolicy toystore-auth targeting HTTPRoute my-route
    reason: Found
    status: "True"
    type: AuthPolicyDiscovered
  - lastTransitionTime: "2025-12-09T14:39:46Z"
    message: HTTPRoute toystore/my-route accepted
    reason: HTTPRouteAccepted
    status: "True"
    type: Ready
discoveredAuthScheme:
  authentication:
    api-key-users:
      apiKey:
        allNamespaces: false
        selector:
          matchLabels:
            app: toystore
      credentials:
        authorizationHeader:
          prefix: APIKEY
      metrics: false
      priority: 0
observedGeneration: 1
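
The discovery rule stated at the top of this description (an auth policy targeting the route, or one targeting any gateway parent of the route), sketched in Go as an added example; it is not code from this pull request. The types, `or` and `Discover` are hypothetical, and the sketch assumes a policy's targetRef resolves in the policy's own namespace and that omitted parentRef fields take the Gateway API defaults.

```go
package main

import "fmt"

const gwGroup = "gateway.networking.k8s.io"

// Simplified stand-ins for the Gateway API and Kuadrant types (assumed shapes).
type Ref struct{ Group, Kind, Namespace, Name string }
type Route struct {
	Namespace, Name string
	Parents         []Ref // parentRefs; empty Group/Kind/Namespace take Gateway API defaults
}
type AuthPolicy struct {
	Namespace, Name string
	Target          Ref // targetRef; assumed namespace-local, so Target.Namespace is unused
}

func or(v, def string) string {
	if v == "" {
		return def
	}
	return v
}

// Discover returns every AuthPolicy attached to the route or to one of its parent
// Gateways. It does not rank them: default and override semantics are out of scope.
func Discover(r Route, policies []AuthPolicy) []AuthPolicy {
	targets := map[Ref]bool{{gwGroup, "HTTPRoute", r.Namespace, r.Name}: true}
	for _, p := range r.Parents {
		p = Ref{or(p.Group, gwGroup), or(p.Kind, "Gateway"), or(p.Namespace, r.Namespace), p.Name}
		targets[p] = p.Group == gwGroup && p.Kind == "Gateway" // skip non-Gateway parents
	}
	var found []AuthPolicy
	for _, ap := range policies {
		t := ap.Target
		t.Namespace = ap.Namespace // a local reference resolves in the policy's own namespace
		if targets[t] {
			found = append(found, ap)
		}
	}
	return found
}

func main() { // constructed sample input, reusing the names from the steps above
	route := Route{"toystore", "my-route", []Ref{{Namespace: "gateway-system", Name: "my-gateway"}}}
	routeAuth := AuthPolicy{"toystore", "toystore-auth", Ref{gwGroup, "HTTPRoute", "", "my-route"}}
	lookalike := AuthPolicy{"other-ns", "lookalike", Ref{gwGroup, "Gateway", "", "my-gateway"}}
	fmt.Println(Discover(route, []AuthPolicy{routeAuth, lookalike}))
}
```

The `lookalike` policy targets a Gateway with the right name from a different namespace, so it is not counted as discovered.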

@eguzki eguzki changed the base branch from main to readme December 9, 2025 14:45
Base automatically changed from readme to main December 9, 2025 16:20
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
@eguzki eguzki force-pushed the discovered-authscheme branch from c7e4982 to 54a28de Compare December 12, 2025 14:56
@eguzki eguzki marked this pull request as ready for review December 12, 2025 14:59
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>