Remove envoyfilter in identity aware manifest and fix bugs (kubeflow#944

)
surajkota · Feb 25, 2020 · f7e0947 · f7e0947
1 parent a95de6b
commit f7e0947
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 42 deletions.
diff --git a/aws/aws-istio-authz-adaptor/base/instance.yaml b/aws/aws-istio-authz-adaptor/base/instance.yaml
@@ -5,4 +5,4 @@ metadata:
 spec:
   template: authzadaptor
   params:
-    key: request.headers["x-amzn-oidc-data"] | "unknown"
+    key: request.headers["$(origin-header)"] | "unknown"
diff --git a/aws/aws-istio-authz-adaptor/base/kustomization.yaml b/aws/aws-istio-authz-adaptor/base/kustomization.yaml
@@ -21,7 +21,7 @@ configMapGenerator:
 generatorOptions:
   disableNameSuffixHash: true
 vars:
-- name: namespace
+- name: istio-namespace
   objref:
     kind: ConfigMap
     name: aws-authzadaptor-parameters

diff --git a/aws/aws-istio-authz-adaptor/base/rule.yaml b/aws/aws-istio-authz-adaptor/base/rule.yaml
@@ -6,7 +6,7 @@ spec:
   # restrict the rule to the ingress gateway proxy workload only
   match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
   actions:
-  - handler: authzadaptor-handler.$(namespace)
+  - handler: authzadaptor-handler.$(istio-namespace)
     instances: ["authzadaptor-instance"]
     # assign a name to the action
     name: action

diff --git a/kfdef/kfctl_aws_cognito.v1.0.0.yaml b/kfdef/kfctl_aws_cognito.v1.0.0.yaml
@@ -36,14 +36,6 @@ spec:
         name: manifests
         path: istio/istio
     name: istio
-  - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
-      repoRef:
-        name: manifests
-        path: istio/add-anonymous-user-filter
-    name: add-anonymous-user-filter
   - kustomizeConfig:
       repoRef:
         name: manifests
@@ -339,12 +331,12 @@ spec:
       overlays:
       - application
       parameters:
+      - name: namespace
+        value: istio-system
       - name: origin-header
-        value: x-amzn-oidc-header
+        value: x-amzn-oidc-data
       - name: custom-header
         value: kubeflow-userid
-      - name: istio-namespace
-        value: istio-system
       repoRef:
         name: manifests
         path: aws/aws-istio-authz-adaptor

diff --git a/kfdef/kfctl_aws_cognito.yaml b/kfdef/kfctl_aws_cognito.yaml
@@ -36,14 +36,6 @@ spec:
         name: manifests
         path: istio/istio
     name: istio
-  - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
-      repoRef:
-        name: manifests
-        path: istio/add-anonymous-user-filter
-    name: add-anonymous-user-filter
   - kustomizeConfig:
       repoRef:
         name: manifests
@@ -339,12 +331,12 @@ spec:
       overlays:
       - application
       parameters:
+      - name: namespace
+        value: istio-system
       - name: origin-header
-        value: x-amzn-oidc-header
+        value: x-amzn-oidc-data
       - name: custom-header
         value: kubeflow-userid
-      - name: istio-namespace
-        value: istio-system
       repoRef:
         name: manifests
         path: aws/aws-istio-authz-adaptor

diff --git a/kfdef/source/master/kfctl_aws_cognito.yaml b/kfdef/source/master/kfctl_aws_cognito.yaml
@@ -36,14 +36,6 @@ spec:
         name: manifests
         path: istio/istio
     name: istio
-  - kustomizeConfig:
-      parameters:
-      - name: namespace
-        value: istio-system
-      repoRef:
-        name: manifests
-        path: istio/add-anonymous-user-filter
-    name: add-anonymous-user-filter
   - kustomizeConfig:
       repoRef:
         name: manifests
@@ -339,12 +331,12 @@ spec:
       overlays:
       - application
       parameters:
+      - name: namespace
+        value: istio-system
       - name: origin-header
-        value: x-amzn-oidc-header
+        value: x-amzn-oidc-data
       - name: custom-header
         value: kubeflow-userid
-      - name: istio-namespace
-        value: istio-system
       repoRef:
         name: manifests
         path: aws/aws-istio-authz-adaptor

diff --git a/tests/aws-aws-istio-authz-adaptor-base_test.go b/tests/aws-aws-istio-authz-adaptor-base_test.go
@@ -99,7 +99,7 @@ metadata:
 spec:
   template: authzadaptor
   params:
-    key: request.headers["x-amzn-oidc-data"] | "unknown"
+    key: request.headers["$(origin-header)"] | "unknown"
 `)
 	th.writeF("/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml", `
 apiVersion: config.istio.io/v1alpha2
@@ -110,7 +110,7 @@ spec:
   # restrict the rule to the ingress gateway proxy workload only
   match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
   actions:
-  - handler: authzadaptor-handler.$(namespace)
+  - handler: authzadaptor-handler.$(istio-namespace)
     instances: ["authzadaptor-instance"]
     # assign a name to the action
     name: action
@@ -158,7 +158,7 @@ configMapGenerator:
 generatorOptions:
   disableNameSuffixHash: true
 vars:
-- name: namespace
+- name: istio-namespace
   objref:
     kind: ConfigMap
     name: aws-authzadaptor-parameters

diff --git a/tests/aws-aws-istio-authz-adaptor-overlays-application_test.go b/tests/aws-aws-istio-authz-adaptor-overlays-application_test.go
@@ -150,7 +150,7 @@ metadata:
 spec:
   template: authzadaptor
   params:
-    key: request.headers["x-amzn-oidc-data"] | "unknown"
+    key: request.headers["$(origin-header)"] | "unknown"
 `)
 	th.writeF("/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml", `
 apiVersion: config.istio.io/v1alpha2
@@ -161,7 +161,7 @@ spec:
   # restrict the rule to the ingress gateway proxy workload only
   match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
   actions:
-  - handler: authzadaptor-handler.$(namespace)
+  - handler: authzadaptor-handler.$(istio-namespace)
     instances: ["authzadaptor-instance"]
     # assign a name to the action
     name: action
@@ -209,7 +209,7 @@ configMapGenerator:
 generatorOptions:
   disableNameSuffixHash: true
 vars:
-- name: namespace
+- name: istio-namespace
   objref:
     kind: ConfigMap
     name: aws-authzadaptor-parameters