package controllers
import (
"context"
"encoding/json"
"fmt"
"github.com/go-logr/logr"
authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
apierrors "k8s.io/apimachinery/pkg/api/errors"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
"github.com/kuadrant/kuadrant-operator/pkg/library/kuadrant"
"github.com/kuadrant/kuadrant-operator/pkg/library/mappers"
"github.com/kuadrant/kuadrant-operator/pkg/library/reconcilers"
)
// authPolicyFinalizer is the finalizer placed on every AuthPolicy so that the resources it created
// (Istio AuthorizationPolicies, back references, gateway policy-reference annotations) are removed
// before the object itself is allowed to disappear. See the deletion branch of Reconcile.
const authPolicyFinalizer = "authpolicy.kuadrant.io/finalizer"
// AuthPolicyReconciler reconciles a AuthPolicy object
type AuthPolicyReconciler struct {
	*reconcilers.BaseReconciler
	// TargetRefReconciler maintains the links between a policy and its target network object:
	// the direct back-reference annotation on the target and the policy-reference annotations on gateways.
	TargetRefReconciler reconcilers.TargetRefReconciler
	// AffectedPolicyMap tracks the affected policies to report their status.
	AffectedPolicyMap *kuadrant.AffectedPolicyMap
}
//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies/finalizers,verbs=update
//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=security.istio.io,resources=authorizationpolicies,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=authorino.kuadrant.io,resources=authconfigs,verbs=get;list;watch;create;update;patch;delete

// Reconcile drives a single AuthPolicy towards its desired state.
//
// The flow is: fetch the policy (a missing one is not an error); fetch its target network object;
// when the policy is marked for deletion, tear down the dependent resources and then remove the
// finalizer; otherwise make sure the finalizer is present, reconcile the resources, reconcile the
// status and, for a policy targeting an HTTPRoute, trigger reconciliation of the policies attached
// to the route's parent gateways.
//
// A non-nil error makes controller-runtime requeue the request with backoff. A Result with Requeue
// set is returned when the status reconciliation asks for another pass.
func (r *AuthPolicyReconciler) Reconcile(eventCtx context.Context, req ctrl.Request) (ctrl.Result, error) {
	logger := r.Logger().WithValues("AuthPolicy", req.NamespacedName)
	logger.Info("Reconciling AuthPolicy")
	ctx := logr.NewContext(eventCtx, logger)

	// fetch the authpolicy
	ap := &api.AuthPolicy{}
	if err := r.Client().Get(ctx, req.NamespacedName, ap); err != nil {
		if apierrors.IsNotFound(err) {
			// The object is gone; there is nothing left to reconcile for this request.
			logger.Info("no AuthPolicy found")
			return ctrl.Result{}, nil
		}
		logger.Error(err, "failed to get AuthPolicy")
		return ctrl.Result{}, err
	}

	// Dump the whole object at debug verbosity.
	// NOTE(review): this writes the entire AuthPolicy (spec included) to the log. Confirm the spec
	// cannot carry inline credential material before running with V(1) enabled. Also note that a
	// marshalling failure aborts the reconcile here instead of only skipping the debug line.
	if logger.V(1).Enabled() {
		jsonData, err := json.MarshalIndent(ap, "", "  ")
		if err != nil {
			return ctrl.Result{}, err
		}
		logger.V(1).Info(string(jsonData))
	}

	markedForDeletion := ap.GetDeletionTimestamp() != nil

	// fetch the target network object
	targetNetworkObject, err := reconcilers.FetchTargetRefObject(ctx, r.Client(), ap.GetTargetRef(), ap.Namespace)
	if err != nil {
		if !markedForDeletion {
			if apierrors.IsNotFound(err) {
				// The target disappeared: remove what was created for it and report TargetNotFound in
				// the status. If the cleanup itself fails, that error is reported instead of the NotFound.
				logger.V(1).Info("Network object not found. Cleaning up")
				delResErr := r.deleteResources(ctx, ap, nil)
				if delResErr == nil {
					delResErr = err
				}
				return r.reconcileStatus(ctx, ap, kuadrant.NewErrTargetNotFound(ap.Kind(), ap.GetTargetRef(), delResErr))
			}
			return ctrl.Result{}, err
		}
		targetNetworkObject = nil // we need the object set to nil when there's an error, otherwise deleting the resources (when marked for deletion) will panic
	}

	// handle authpolicy marked for deletion
	if markedForDeletion {
		if controllerutil.ContainsFinalizer(ap, authPolicyFinalizer) {
			logger.V(1).Info("Handling removal of authpolicy object")
			// Dependent resources are removed before the finalizer: a failure here leaves the finalizer
			// in place, so the object stays around and the cleanup is retried.
			if err := r.deleteResources(ctx, ap, targetNetworkObject); err != nil {
				return ctrl.Result{}, err
			}

			logger.Info("removing finalizer")
			if err := r.RemoveFinalizer(ctx, ap, authPolicyFinalizer); err != nil {
				return ctrl.Result{}, err
			}
		}

		return ctrl.Result{}, nil
	}

	// add finalizer to the authpolicy
	if !controllerutil.ContainsFinalizer(ap, authPolicyFinalizer) {
		// NOTE(review): Requeue is set together with a non-nil error; controller-runtime acts on the
		// error and, to my knowledge, ignores the Result in that case — confirm the intent.
		if err := r.AddFinalizer(ctx, ap, authPolicyFinalizer); client.IgnoreNotFound(err) != nil {
			return ctrl.Result{Requeue: true}, err
		}
	}

	// reconcile the authpolicy spec
	specErr := r.reconcileResources(ctx, ap, targetNetworkObject)

	// reconcile authpolicy status
	// reconcileStatus is called even when the spec reconcile failed, so the failure can be
	// reflected on the object; the spec error is then returned to requeue with backoff.
	statusResult, statusErr := r.reconcileStatus(ctx, ap, specErr)

	if specErr != nil {
		return ctrl.Result{}, specErr
	}

	if statusErr != nil {
		return ctrl.Result{}, statusErr
	}

	if statusResult.Requeue {
		logger.V(1).Info("Reconciling status not finished. Requeueing.")
		return statusResult, nil
	}

	// trigger concurrent reconciliations of possibly affected gateway policies
	switch route := targetNetworkObject.(type) {
	case *gatewayapiv1.HTTPRoute:
		if err := r.reconcileRouteParentGatewayPolicies(ctx, route); err != nil {
			return ctrl.Result{}, err
		}
	}

	logger.Info("AuthPolicy reconciled successfully")
	return ctrl.Result{}, nil
}
// validate runs the checks that must pass before the reconcile loop touches any resource.
// Every check failure is wrapped into a kuadrant ErrInvalid for the policy's kind, so the
// status reconciliation can report the policy as invalid; nil means the policy is accepted.
func (r *AuthPolicyReconciler) validate(ap *api.AuthPolicy, targetNetworkObject client.Object) error {
	checks := []func() error{
		// self-contained checks of the policy spec
		ap.Validate,
		// checks of the policy against the object it targets (route vs. gateway level rules)
		func() error { return kuadrant.ValidateHierarchicalRules(ap, targetNetworkObject) },
	}

	for _, check := range checks {
		if err := check(); err != nil {
			return kuadrant.NewErrInvalid(ap.Kind(), err)
		}
	}

	return nil
}
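// reconcileResources applies the desired state derived from ap: it validates the policy, computes
// the gateway diffs, reconciles the Istio AuthorizationPolicies and the Authorino AuthConfigs,
// re-reconciles the AuthConfigs of the other policies attached to the same Gateway when ap targets
// one, claims the target through the direct back reference and, as the last step, updates the
// gateway policy-reference annotations.
//
// It returns the first error encountered and stops there, so the gateway policy references are
// only rewritten once every preceding step has succeeded.
func (r *AuthPolicyReconciler) reconcileResources(ctx context.Context, ap *api.AuthPolicy, targetNetworkObject client.Object) error {
	if err := r.validate(ap, targetNetworkObject); err != nil {
		return err
	}

	// reconcile based on gateway diffs
	gatewayDiffObj, err := reconcilers.ComputeGatewayDiffs(ctx, r.Client(), ap, targetNetworkObject)
	if err != nil {
		return err
	}

	if err := r.reconcileIstioAuthorizationPolicies(ctx, ap, targetNetworkObject, gatewayDiffObj); err != nil {
		return fmt.Errorf("reconcile AuthorizationPolicy error %w", err)
	}

	if err := r.reconcileAuthConfigs(ctx, ap, targetNetworkObject); err != nil {
		return fmt.Errorf("reconcile AuthConfig error %w", err)
	}

	// if the AuthPolicy(ap) targets a Gateway then all policies attached to that Gateway need to be checked.
	// this is due to not knowing if the Gateway AuthPolicy was updated to include or remove the overrides section.
	if gateway, ok := targetNetworkObject.(*gatewayapiv1.Gateway); ok {
		if err := r.reconcileGatewaySiblingAuthConfigs(ctx, ap, gateway); err != nil {
			return err
		}
	}

	// set direct back ref - i.e. claim the target network object as taken asap
	if err := r.reconcileNetworkResourceDirectBackReference(ctx, ap, targetNetworkObject); err != nil {
		return fmt.Errorf("reconcile TargetBackReference error %w", err)
	}

	// set annotation of policies affecting the gateway - should be the last step, only when all the reconciliation steps succeed
	if err := r.TargetRefReconciler.ReconcileGatewayPolicyReferences(ctx, ap, gatewayDiffObj); err != nil {
		return fmt.Errorf("ReconcileGatewayPolicyReferences error %w", err)
	}

	return nil
}

// reconcileGatewaySiblingAuthConfigs re-reconciles the AuthConfigs of every AuthPolicy referenced by
// gateway other than ap itself, each against its own target network object.
//
// It returns the first error encountered. A policy reference whose AuthPolicy can no longer be
// fetched is an error here, not a skip.
// NOTE(review): a stale reference to an already deleted policy therefore fails the whole reconcile;
// confirm whether NotFound should be tolerated instead.
func (r *AuthPolicyReconciler) reconcileGatewaySiblingAuthConfigs(ctx context.Context, ap *api.AuthPolicy, gateway *gatewayapiv1.Gateway) error {
	gw := kuadrant.GatewayWrapper{Gateway: gateway, Referrer: ap}
	apKey := client.ObjectKeyFromObject(ap)

	for _, policyKey := range gw.PolicyRefs() {
		// ap's own AuthConfig was already reconciled by the caller
		if policyKey == apKey {
			continue
		}

		sibling := &api.AuthPolicy{}
		if err := r.Client().Get(ctx, policyKey, sibling); err != nil {
			return err
		}

		siblingTarget, err := reconcilers.FetchTargetRefObject(ctx, r.Client(), sibling.GetTargetRef(), sibling.Namespace)
		if err != nil {
			return err
		}

		if err := r.reconcileAuthConfigs(ctx, sibling, siblingTarget); err != nil {
			return err
		}
	}

	return nil
}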
// deleteResources tears down what reconcileResources created for ap: the Istio AuthorizationPolicies
// selected by the gateway diffs, the direct back reference on the target network object (skipped when
// targetNetworkObject is nil, e.g. the target is already gone) and, last, the gateway policy-reference
// annotations. It stops at the first failing step and returns that error.
func (r *AuthPolicyReconciler) deleteResources(ctx context.Context, ap *api.AuthPolicy, targetNetworkObject client.Object) error {
	// delete based on gateway diffs
	diffs, diffErr := reconcilers.ComputeGatewayDiffs(ctx, r.Client(), ap, targetNetworkObject)
	if diffErr != nil {
		return diffErr
	}

	steps := []func() error{
		func() error {
			return r.deleteIstioAuthorizationPolicies(ctx, ap, diffs)
		},
		func() error {
			// remove direct back ref; there is none to clear when the target is absent
			if targetNetworkObject == nil {
				return nil
			}
			return r.deleteNetworkResourceDirectBackReference(ctx, targetNetworkObject, ap)
		},
		func() error {
			// update annotation of policies affecting the gateway
			return r.TargetRefReconciler.ReconcileGatewayPolicyReferences(ctx, ap, diffs)
		},
	}

	for _, step := range steps {
		if err := step(); err != nil {
			return err
		}
	}

	return nil
}
// reconcileNetworkResourceDirectBackReference claims targetNetworkObject for ap by writing the policy's
// direct-reference annotation on it, so that only one AuthPolicy can target the network resource.
func (r *AuthPolicyReconciler) reconcileNetworkResourceDirectBackReference(ctx context.Context, ap *api.AuthPolicy, targetNetworkObject client.Object) error {
	annotation := ap.DirectReferenceAnnotationName()
	return r.TargetRefReconciler.ReconcileTargetBackReference(ctx, ap, targetNetworkObject, annotation)
}
// deleteNetworkResourceDirectBackReference releases targetNetworkObject by removing the direct-reference
// annotation that reconcileNetworkResourceDirectBackReference wrote for ap.
func (r *AuthPolicyReconciler) deleteNetworkResourceDirectBackReference(ctx context.Context, targetNetworkObject client.Object, ap *api.AuthPolicy) error {
	annotation := ap.DirectReferenceAnnotationName()
	return r.TargetRefReconciler.DeleteTargetBackReference(ctx, targetNetworkObject, annotation)
}
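// reconcileRouteParentGatewayPolicies triggers the concurrent reconciliation of all policies that target gateways that are parents of a route
//
// Each parent-gateway policy is reconciled in its own goroutine with context.Background(), i.e.
// detached from ctx, and this method returns as soon as the goroutines are started. The only error
// it returns itself is the absence of a logger in ctx. Errors returned by the spawned reconciliations
// are logged, since they do not pass through the controller's work queue and would otherwise be
// lost silently.
func (r *AuthPolicyReconciler) reconcileRouteParentGatewayPolicies(ctx context.Context, route *gatewayapiv1.HTTPRoute) error {
	logger, err := logr.FromContext(ctx)
	if err != nil {
		return err
	}

	mapper := HTTPRouteParentRefsEventMapper{
		Logger: logger,
		Client: r.Client(),
	}
	requests := mapper.MapToAuthPolicy(route)

	for i := range requests {
		request := requests[i]
		// NOTE(review): these goroutines are unbounded and tied neither to ctx nor to the manager's
		// lifetime, and a failure is not requeued because the call bypasses the work queue.
		go func() {
			if _, err := r.Reconcile(context.Background(), request); err != nil {
				logger.Error(err, "failed to reconcile parent gateway AuthPolicy", "AuthPolicy", request.NamespacedName)
			}
		}()
	}

	return nil
}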
// SetupWithManager sets up the controller with the Manager.
//
// The controller reconciles AuthPolicy objects, owns the Authorino AuthConfigs it creates, and
// also watches HTTPRoutes and Gateways, mapping each of their events to the AuthPolicies affected.
func (r *AuthPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
	routeMapper := mappers.NewHTTPRouteEventMapper(mappers.WithLogger(r.Logger().WithName("httpRouteEventMapper")))
	gwMapper := mappers.NewGatewayEventMapper(mappers.WithLogger(r.Logger().WithName("gatewayEventMapper")))

	// each map func turns a network object event into reconcile requests for the AuthPolicies attached to it
	routeToPolicies := func(_ context.Context, object client.Object) []reconcile.Request {
		return routeMapper.MapToPolicy(object, &api.AuthPolicy{})
	}
	gatewayToPolicies := func(_ context.Context, object client.Object) []reconcile.Request {
		return gwMapper.MapToPolicy(object, &api.AuthPolicy{})
	}

	controllerBuilder := ctrl.NewControllerManagedBy(mgr).
		For(&api.AuthPolicy{}).
		Owns(&authorinoapi.AuthConfig{}).
		Watches(&gatewayapiv1.HTTPRoute{}, handler.EnqueueRequestsFromMapFunc(routeToPolicies)).
		Watches(&gatewayapiv1.Gateway{}, handler.EnqueueRequestsFromMapFunc(gatewayToPolicies))

	return controllerBuilder.Complete(r)
}