From f7e0947a09912252682f153e32ac7d973f0560a5 Mon Sep 17 00:00:00 2001
From: Jiaxin Shan
Date: Tue, 25 Feb 2020 12:00:50 -0800
Subject: [PATCH] Remove envoyfilter in identity aware manifest and fix bugs (#944)
---
 aws/aws-istio-authz-adaptor/base/instance.yaml | 2 +-
 .../base/kustomization.yaml | 2 +-
 aws/aws-istio-authz-adaptor/base/rule.yaml | 2 +-
 kfdef/kfctl_aws_cognito.v1.0.0.yaml | 14 +++-----------
 kfdef/kfctl_aws_cognito.yaml | 14 +++-----------
 kfdef/source/master/kfctl_aws_cognito.yaml | 14 +++-----------
 tests/aws-aws-istio-authz-adaptor-base_test.go | 6 +++---
 ...stio-authz-adaptor-overlays-application_test.go | 6 +++---
 8 files changed, 18 insertions(+), 42 deletions(-)
diff --git a/aws/aws-istio-authz-adaptor/base/instance.yaml b/aws/aws-istio-authz-adaptor/base/instance.yaml
index 8e251d8e741..6498c6a9c68 100644
--- a/aws/aws-istio-authz-adaptor/base/instance.yaml
+++ b/aws/aws-istio-authz-adaptor/base/instance.yaml
@@ -5,4 +5,4 @@ metadata:
 spec:
 template: authzadaptor
 params:
- key: request.headers["x-amzn-oidc-data"] | "unknown"
\ No newline at end of file
+ key: request.headers["$(origin-header)"] | "unknown"
\ No newline at end of file
diff --git a/aws/aws-istio-authz-adaptor/base/kustomization.yaml b/aws/aws-istio-authz-adaptor/base/kustomization.yaml
index d8e524cc9a7..b78c0c9f047 100644
--- a/aws/aws-istio-authz-adaptor/base/kustomization.yaml
+++ b/aws/aws-istio-authz-adaptor/base/kustomization.yaml
@@ -21,7 +21,7 @@ configMapGenerator:
 generatorOptions:
 disableNameSuffixHash: true
 vars:
-- name: namespace
+- name: istio-namespace
 objref:
 kind: ConfigMap
 name: aws-authzadaptor-parameters
diff --git a/aws/aws-istio-authz-adaptor/base/rule.yaml b/aws/aws-istio-authz-adaptor/base/rule.yaml
index e01898189c5..990473c0517 100644
--- a/aws/aws-istio-authz-adaptor/base/rule.yaml
+++ b/aws/aws-istio-authz-adaptor/base/rule.yaml
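Review bot: In aws/aws-istio-authz-adaptor/base/instance.yaml the new `key: request.headers["$(origin-header)"] | "unknown"` is only correct if kustomize really substitutes the variable, and nothing visible in this patch establishes that. The kustomization.yaml hunk shows only the `istio-namespace` entry under `vars:`; a var named `origin-header`, and a varReference entry that covers `spec/params/key` for this resource kind, would both have to exist outside the visible hunks. If either is missing, the literal text `$(origin-header)` becomes the header name, every request evaluates to `"unknown"`, and the adaptor never receives the identity token. As far as the hunks show, the two test files change only the input fixtures, so I would add an expected-output check that the rendered value is `request.headers["x-amzn-oidc-data"] | "unknown"`.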
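Review bot: The var in aws/aws-istio-authz-adaptor/base/kustomization.yaml is renamed to `istio-namespace`, while the three kfdef files in the same patch rename the matching parameter in the opposite direction, from `istio-namespace` to `namespace`, so one value now goes by two names. The `fieldref` that binds this var to a key of `aws-authzadaptor-parameters` lies below the hunk; it should be confirmed that it names the key the `namespace` parameter fills. rule.yaml depends on it through `authzadaptor-handler.$(istio-namespace)`, and if that stays unresolved the rule presumably references a handler that does not exist, so the adaptor would not be applied to gateway traffic. A comment above the entry would make the mapping explicit, for example `# istio-namespace: namespace of the Istio control plane, filled from the 'namespace' parameter`.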
@@ -6,7 +6,7 @@ spec:
 # restrict the rule to the ingress gateway proxy workload only
 match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
 actions:
- - handler: authzadaptor-handler.$(namespace)
+ - handler: authzadaptor-handler.$(istio-namespace)
 instances: ["authzadaptor-instance"]
 # assign a name to the action
 name: action
diff --git a/kfdef/kfctl_aws_cognito.v1.0.0.yaml b/kfdef/kfctl_aws_cognito.v1.0.0.yaml
index cb9718b6156..b1bb0778aad 100644
--- a/kfdef/kfctl_aws_cognito.v1.0.0.yaml
+++ b/kfdef/kfctl_aws_cognito.v1.0.0.yaml
@@ -36,14 +36,6 @@ spec:
 name: manifests
 path: istio/istio
 name: istio
- - kustomizeConfig:
- parameters:
- - name: namespace
- value: istio-system
- repoRef:
- name: manifests
- path: istio/add-anonymous-user-filter
- name: add-anonymous-user-filter
 - kustomizeConfig:
 repoRef:
 name: manifests
@@ -339,12 +331,12 @@ spec:
 overlays:
 - application
 parameters:
+ - name: namespace
+ value: istio-system
 - name: origin-header
- value: x-amzn-oidc-header
+ value: x-amzn-oidc-data
 - name: custom-header
 value: kubeflow-userid
- - name: istio-namespace
- value: istio-system
 repoRef:
 name: manifests
 path: aws/aws-istio-authz-adaptor
diff --git a/kfdef/kfctl_aws_cognito.yaml b/kfdef/kfctl_aws_cognito.yaml
index da35044f1fe..b0e3cee3067 100644
--- a/kfdef/kfctl_aws_cognito.yaml
+++ b/kfdef/kfctl_aws_cognito.yaml
@@ -36,14 +36,6 @@ spec:
 name: manifests
 path: istio/istio
 name: istio
- - kustomizeConfig:
- parameters:
- - name: namespace
- value: istio-system
- repoRef:
- name: manifests
- path: istio/add-anonymous-user-filter
- name: add-anonymous-user-filter
 - kustomizeConfig:
 repoRef:
 name: manifests
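Review bot: The parameter block changed at `@@ -339,12 +331,12 @@` in kfdef/kfctl_aws_cognito.v1.0.0.yaml (and in the identical hunks of kfdef/kfctl_aws_cognito.yaml and kfdef/source/master/kfctl_aws_cognito.yaml) carries no comment on what `origin-header` and `custom-header` mean, although together they decide which request header is trusted as the user identity. `x-amzn-oidc-data` is only meaningful when the authenticating load balancer set it, so the deployment presumably relies on the ingress gateway not being reachable around that load balancer and on a client-supplied `kubeflow-userid` being overwritten; neither is visible in this patch. I would add above the parameters `# origin-header: signed OIDC claims header set by the load balancer; custom-header: identity header written for Kubeflow services, never accepted from clients`. Whether the adaptor verifies the token signature is outside the diff and worth confirming before relying on the header.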
@@ -339,12 +331,12 @@ spec:
 overlays:
 - application
 parameters:
+ - name: namespace
+ value: istio-system
 - name: origin-header
- value: x-amzn-oidc-header
+ value: x-amzn-oidc-data
 - name: custom-header
 value: kubeflow-userid
- - name: istio-namespace
- value: istio-system
 repoRef:
 name: manifests
 path: aws/aws-istio-authz-adaptor
diff --git a/kfdef/source/master/kfctl_aws_cognito.yaml b/kfdef/source/master/kfctl_aws_cognito.yaml
index 3e4c6ff694f..ea333256f6d 100644
--- a/kfdef/source/master/kfctl_aws_cognito.yaml
+++ b/kfdef/source/master/kfctl_aws_cognito.yaml
@@ -36,14 +36,6 @@ spec:
 name: manifests
 path: istio/istio
 name: istio
- - kustomizeConfig:
- parameters:
- - name: namespace
- value: istio-system
- repoRef:
- name: manifests
- path: istio/add-anonymous-user-filter
- name: add-anonymous-user-filter
 - kustomizeConfig:
 repoRef:
 name: manifests
@@ -339,12 +331,12 @@ spec:
 overlays:
 - application
 parameters:
+ - name: namespace
+ value: istio-system
 - name: origin-header
- value: x-amzn-oidc-header
+ value: x-amzn-oidc-data
 - name: custom-header
 value: kubeflow-userid
- - name: istio-namespace
- value: istio-system
 repoRef:
 name: manifests
 path: aws/aws-istio-authz-adaptor
diff --git a/tests/aws-aws-istio-authz-adaptor-base_test.go b/tests/aws-aws-istio-authz-adaptor-base_test.go
index 5cfb63a6de2..ca111b4771e 100644
--- a/tests/aws-aws-istio-authz-adaptor-base_test.go
+++ b/tests/aws-aws-istio-authz-adaptor-base_test.go
@@ -99,7 +99,7 @@ metadata:
 spec:
 template: authzadaptor
 params:
- key: request.headers["x-amzn-oidc-data"] | "unknown"
+ key: request.headers["$(origin-header)"] | "unknown"
 `)
 th.writeF("/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml", `
 apiVersion: config.istio.io/v1alpha2
@@ -110,7 +110,7 @@ spec:
 # restrict the rule to the ingress gateway proxy workload only
 match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
 actions:
- - handler: authzadaptor-handler.$(namespace)
+ - handler: authzadaptor-handler.$(istio-namespace)
 instances: ["authzadaptor-instance"]
 # assign a name to the action
 name: action
@@ -158,7 +158,7 @@ configMapGenerator:
 generatorOptions:
 disableNameSuffixHash: true
 vars:
-- name: namespace
+- name: istio-namespace
 objref:
 kind: ConfigMap
 name: aws-authzadaptor-parameters
diff --git a/tests/aws-aws-istio-authz-adaptor-overlays-application_test.go b/tests/aws-aws-istio-authz-adaptor-overlays-application_test.go
index 5535198c9ce..8369bb62629 100644
--- a/tests/aws-aws-istio-authz-adaptor-overlays-application_test.go
+++ b/tests/aws-aws-istio-authz-adaptor-overlays-application_test.go
@@ -150,7 +150,7 @@ metadata:
 spec:
 template: authzadaptor
 params:
- key: request.headers["x-amzn-oidc-data"] | "unknown"
+ key: request.headers["$(origin-header)"] | "unknown"
 `)
 th.writeF("/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml", `
 apiVersion: config.istio.io/v1alpha2
@@ -161,7 +161,7 @@ spec:
 # restrict the rule to the ingress gateway proxy workload only
 match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
 actions:
- - handler: authzadaptor-handler.$(namespace)
+ - handler: authzadaptor-handler.$(istio-namespace)
 instances: ["authzadaptor-instance"]
 # assign a name to the action
 name: action
@@ -209,7 +209,7 @@ configMapGenerator:
 generatorOptions:
 disableNameSuffixHash: true
 vars:
-- name: namespace
+- name: istio-namespace
 objref:
 kind: ConfigMap
 name: aws-authzadaptor-parameters