Added auth policy for app-validator, app-event-service and source ada…

…pter (#7349)

* Added auth policy for validator and source adapter

Added http-usermetric for HTTPSourceAdapter policy

* Removed policy

* Removing host header for all requests to event-service

* Fine tuned RBAC

* Retaining policy for non strict mode

* Refactored as per review comments

* Parameterized serviceaccount for core-console-backend-service

* Fixed auth policy

* Changed delete to req.del

* Fixed validator tests

* Update components/application-operator/README.md

Co-Authored-By: Barbara Szwarc <barbara.m.szwarc@gmail.com>

* Fixes related to PR comments

* Fixes related to rebase issues

* Fixed readme

Co-authored-by: Barbara Szwarc <barbara.m.szwarc@gmail.com>

components/application-connectivity-validator/internal/validationproxy/handler.go

@@ -81,9 +81,9 @@ func NewProxyHandler(
 		appRegistryPathPrefix:    appRegistryPathPrefix,
 		appRegistryHost:          appRegistryHost,
 
-		eventsProxy:      createReverseProxy(eventServiceHost),
-		eventMeshProxy:   createReverseProxy(eventMeshHost, withRewriteBaseURL("/"), withEnforceURLHost),
-		appRegistryProxy: createReverseProxy(appRegistryHost),
+		eventsProxy:      createReverseProxy(eventServiceHost, withEmptyRequestHost, withEmptyXFwdClientCert, withHTTPScheme),
+		eventMeshProxy:   createReverseProxy(eventMeshHost, withRewriteBaseURL("/"), withEmptyRequestHost, withEmptyXFwdClientCert, withHTTPScheme),
+		appRegistryProxy: createReverseProxy(appRegistryHost, withEmptyRequestHost, withHTTPScheme),
 
 		applicationGetter: applicationGetter,
 		cache:             cache,
@@ -293,9 +293,7 @@ func extractSubject(subject string) map[string]string {
 func createReverseProxy(destinationHost string, reqOpts ...requestOption) *httputil.ReverseProxy {
 	return &httputil.ReverseProxy{
 		Director: func(request *http.Request) {
-			request.URL.Scheme = "http"
 			request.URL.Host = destinationHost
-
 			for _, opt := range reqOpts {
 				opt(request)
 			}
@@ -318,8 +316,18 @@ func withRewriteBaseURL(path string) requestOption {
 	}
 }
 
-// withEnforceURLHost enforces the Request's Host field to be empty to ensure
+// withEmptyRequestHost clears the Request's Host field to ensure
 // the 'Host' HTTP header is set to the host name defined in the Request's URL.
-func withEnforceURLHost(req *http.Request) {
+func withEmptyRequestHost(req *http.Request) {
 	req.Host = ""
 }
+
+// withHTTPScheme sets the URL scheme to HTTP
+func withHTTPScheme(req *http.Request) {
+	req.URL.Scheme = "http"
+}
+
+// withEmptyXFwdClientCert clears the value of X-Forwarded-Client-Cert header
+func withEmptyXFwdClientCert(req *http.Request) {
+	req.Header.Del("X-Forwarded-Client-Cert")
+}

components/application-operator/README.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-The Application Operator (AO) can work in two modes. 
+The Application Operator (AO) can work in two modes.
 By default, it detects changes in [Application](../../docs/application-connector/06-01-application.md) custom resources and acts accordingly. In this mode, Application Gateway is created for each Application.
 In the alternative mode, it detects changes in [ServiceInstance](../../docs/service-catalog/03-01-resources.md) custom resources and acts accordingly. In this mode, Application Gateway is created per Namespace.
 
@@ -16,7 +16,7 @@ In the default Gateway-per-Application mode:
  - Application created - the AO installs the Helm chart that contains all the necessary Kubernetes resources required for the Application to work.
  - Application updated - the AO updates the Status of the Application Helm Release.
  - Application deleted - the AO deletes Helm chart corresponding to the given Application.
- 
+
 <!--- when gatewayOncePerNamespace=true -->
 In the Gateway-per-Namespace mode:
  - First ServiceInstance created in a given Namespace - the AO installs the Helm chart that contains all the necessary Kubernetes resources required for the Application Gateway to work.
@@ -41,7 +41,7 @@ The Application Operator has the following parameters:
  - **eventServiceTestsImage** is the Event Service Tests image version to use in the Application chart.
  - **applicationConnectivityValidatorImage** is the Application Connectivity Validator image version to use in the Application chart.
  - **gatewayOncePerNamespace** is a flag that specifies whether Application Gateway should be deployed once per Namespace based on ServiceInstance or for every Application. The default value is `false`.
-
+ - **strictMode** is a toggle used to enable or disable Istio authorization policy for validator and HTTP source adapter. The default value is `disabled`.
 ## Testing on a local deployment
 
 When you develop the Application Connector components, you can test the changes you introduced on a local Kyma deployment before you push them to a production cluster.

components/application-operator/charts/application/templates/authorization-policy.yaml

@@ -0,0 +1,123 @@
+{{- if eq .Values.global.strictMode "enabled" }}
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}-connectivity-validator
+  labels:
+    app: {{ .Release.Name }}-connectivity-validator
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-connectivity-validator
+  rules:
+    - from:
+        - source:
+            principals:
+             - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+      to:
+        - operation:
+            methods:
+              - POST
+            paths:
+              - /{{ .Release.Name }}/v1/events
+              - /{{ .Release.Name }}/v2/events
+              - /{{ .Release.Name }}/events
+        - operation:
+            methods:
+              - GET
+              - PUT
+              - POST
+              - DELETE
+            paths:
+              - /{{ .Release.Name }}/v1/metadata*
+    - from:
+      - source:
+          principals:
+          - cluster.local/ns/kyma-system/sa/{{ .Values.authorizationPolicy.serviceAccount.consoleBackendService }}
+      to:
+      - operation:
+          methods:
+          - GET
+          paths:
+          - /v1/health
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}-event-service
+  labels:
+    app: {{ .Release.Name }}-event-service
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-event-service
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/kyma-integration/sa/{{ .Release.Name }}-connectivity-validator
+              - cluster.local/ns/kyma-integration/sa/{{ .Release.Name }}-event-service-acceptance
+      to:
+        - operation:
+            methods:
+              - POST
+            paths:
+              - /{{ .Release.Name }}/v1/events
+              - /{{ .Release.Name }}/v2/events
+        - operation:
+            methods:
+              - GET
+            paths:
+              - /{{ .Release.Name }}/v1/events/subscribed
+              - /v1/health
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/kyma-system/sa/{{ .Values.authorizationPolicy.serviceAccount.consoleBackendService }}
+      to:
+      - operation:
+          methods:
+            - GET
+          paths:
+            - /v1/health
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-event-service
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  labels:
+    app: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  name: {{ .Release.Name }}-http-source
+  namespace: kyma-integration
+spec:
+  rules:
+    - from:
+      - source:
+          principals:
+          - cluster.local/ns/knative-serving/sa/controller
+      to:
+        - operation:
+            methods:
+              - POST
+              - GET
+            paths:
+              - /*
+    - to:
+        - operation:
+            methods:
+              - GET
+            paths:
+              - /metrics
+  selector:
+    matchLabels:
+      serving.knative.dev/service: {{ .Release.Name }}
+{{- end }}

components/application-operator/charts/application/templates/role-binding.yaml

@@ -89,9 +89,13 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 rules:
-- apiGroups: ["*"]
-  resources: ["namespaces", "subscriptions", "triggers"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["eventing.knative.dev"]
+  resources: ["triggers"]
   verbs: ["get", "list", "watch"]
+
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -109,3 +113,33 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ .Release.Name }}-event-service
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}-connectivity-validator
+  labels:
+    app: {{ .Release.Name }}-connectivity-validator
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: ["applicationconnector.kyma-project.io"]
+    resources: ["applications"]
+    verbs: ["get", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}-connectivity-validator
+  labels:
+    app: {{ .Release.Name }}-connectivity-validator
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+  - kind: User
+    name: system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-connectivity-validator
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-connectivity-validator

components/application-operator/charts/application/templates/service-account.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-connectivity-validator
+  labels:
+    app: {{ .Release.Name }}-connectivity-validator
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}

components/application-operator/charts/application/templates/validator.yaml

@@ -25,6 +25,7 @@ spec:
         kyma-project.io/dashboard: event-mesh
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ .Release.Name }}-connectivity-validator
       containers:
         - name: {{ .Release.Name }}-connectivity-validator
           image: {{ .Values.global.applicationConnectivityValidatorImage }}

components/application-operator/charts/application/values.yaml

@@ -34,6 +34,10 @@ acceptanceTest:
   image:
     pullPolicy: IfNotPresent
 
+# core-console-backend-service is a ServiceAccount which is installed as a part of *core* chart
+authorizationPolicy:
+  serviceAccount:
+    consoleBackendService: core-console-backend-service
 eventService:
   deployment:
     labels:

components/application-operator/cmd/manager/manager.go

@@ -143,6 +143,7 @@ func newApplicationReleaseManager(options *options, cfg *rest.Config, helmClient
 		EventServiceTestsImage:                options.eventServiceTestsImage,
 		ApplicationConnectivityValidatorImage: options.applicationConnectivityValidatorImage,
 		GatewayOncePerNamespace:               options.gatewayOncePerNamespace,
+		StrictMode:                            options.strictMode,
 	}
 
 	appClient, err := versioned.NewForConfig(cfg)

components/application-operator/cmd/manager/options.go

@@ -22,6 +22,7 @@ type options struct {
 	eventServiceTestsImage                string
 	applicationConnectivityValidatorImage string
 	gatewayOncePerNamespace               bool
+	strictMode                            string
 }
 
 func parseArgs() *options {
@@ -40,8 +41,8 @@ func parseArgs() *options {
 	eventServiceImage := flag.String("eventServiceImage", "", "The image of the Event Service to use")
 	eventServiceTestsImage := flag.String("eventServiceTestsImage", "", "The image of the Event Service Tests to use")
 	applicationConnectivityValidatorImage := flag.String("applicationConnectivityValidatorImage", "", "The image of the Application Connectivity Validator to use")
-
 	gatewayOncePerNamespace := flag.Bool("gatewayOncePerNamespace", false, "Specifies if Gateway should be deployed once per Namespace based on ServiceInstance or for every Application")
+	strictMode := flag.String("strictMode", "disabled", "Toggles Istio authorization policy for Validator and HTTP source adapter")
 
 	flag.Parse()
 
@@ -61,16 +62,17 @@ func parseArgs() *options {
 		eventServiceTestsImage:                *eventServiceTestsImage,
 		applicationConnectivityValidatorImage: *applicationConnectivityValidatorImage,
 		gatewayOncePerNamespace:               *gatewayOncePerNamespace,
+		strictMode:                            *strictMode,
 	}
 }
 
 func (o *options) String() string {
 	return fmt.Sprintf("--appName=%s --domainName=%s --namespace=%s --tillerUrl=%s"+
 		"--helmTLSKeyFile=%s --helmTLSCertificateFile=%s --tillerTLSSkipVerify=%v --syncPeriod=%d --installationTimeout=%d "+
 		"--applicationGatewayImage=%s --applicationGatewayTestsImage=%s --eventServiceImage=%s --eventServiceTestsImage=%s"+
-		"--applicationConnectivityValidatorImage=%s --gatewayOncePerNamespace=%v",
+		"--applicationConnectivityValidatorImage=%s --gatewayOncePerNamespace=%v --strictMode=%s",
 		o.appName, o.domainName, o.namespace, o.tillerUrl,
 		o.helmTLSKeyFile, o.helmTLSCertificateFile, o.tillerTLSSkipVerify, o.syncPeriod, o.installationTimeout,
 		o.applicationGatewayImage, o.applicationGatewayTestsImage, o.eventServiceImage, o.eventServiceTestsImage,
-		o.applicationConnectivityValidatorImage, o.gatewayOncePerNamespace)
+		o.applicationConnectivityValidatorImage, o.gatewayOncePerNamespace, o.strictMode)
 }

components/application-operator/pkg/kymahelm/application/applicationreleasemanager_test.go

@@ -33,7 +33,8 @@ const (
     applicationConnectivityValidatorImage: 
     tenant: %s
     group: %s
-    deployGatewayOncePerNamespace: false`
+    deployGatewayOncePerNamespace: false
+    strictMode: `
 )
 
 var (

components/application-operator/pkg/kymahelm/application/overrides.go

@@ -10,7 +10,8 @@ const (
     applicationConnectivityValidatorImage: {{ .ApplicationConnectivityValidatorImage }}
     tenant: {{ .Tenant }}
     group: {{ .Group }}
-    deployGatewayOncePerNamespace: {{ .GatewayOncePerNamespace }}`
+    deployGatewayOncePerNamespace: {{ .GatewayOncePerNamespace }}
+    strictMode: {{ .StrictMode }}`
 )
 
 type OverridesData struct {
@@ -23,4 +24,5 @@ type OverridesData struct {
 	Tenant                                string
 	Group                                 string
 	GatewayOncePerNamespace               bool
+	StrictMode                            string
 }

components/event-sources/reconciler/httpsource/reconcile_test.go

@@ -66,6 +66,7 @@ const (
 	tRevision    = "varkes-foo"
 	tPolicy      = "varkes-foo-private"
 	tRevisionSvc = "varkes-foo-private"
+	tTargetPort  = "http-usermetric"
 
 	tMetricsDomain = "testing"
 )
@@ -553,6 +554,13 @@ func newPolicyWithSpec() *authv1alpha1.Policy {
 	policy.Spec = authenticationv1alpha1api.Policy{
 		Targets: []*authenticationv1alpha1api.TargetSelector{{
 			Name: tRevisionSvc,
+			Ports: []*authenticationv1alpha1api.PortSelector{
+				{
+					Port: &authenticationv1alpha1api.PortSelector_Name{
+						Name: tTargetPort,
+					},
+				},
+			},
 		}},
 		Peers: []*authenticationv1alpha1api.PeerAuthenticationMethod{{
 			Params: &authenticationv1alpha1api.PeerAuthenticationMethod_Mtls{