This repository has been archived by the owner on Nov 8, 2022. It is now read-only.

RLP user guides (#147)
* fix httproute authorization annotation feature

* new demo: updating the ratelimitpolicy targetref

* small doc fixes

* demo: authenticated rate limit

* fix doc rate limit authenticated
eguzki authored Apr 27, 2022
1 parent 5017cc5 commit fa2b529
Showing 4 changed files with 323 additions and 3 deletions.
17 changes: 16 additions & 1 deletion README.md
Expand Up @@ -9,6 +9,9 @@
* [Overview](#overview)
* [CustomResourceDefinitions](#customresourcedefinitions)
* [Getting started](#getting-started)
* [Demos](#demos)
* [Updating the RateLimitPolicy `targetRef` attribute](/doc/demo-rlp-update-targetref.md)
* [Authenticated rate limiting](/doc/demo-rlp-authenticated.md)
* [Contributing](#contributing)
* [Licensing](#licensing)

Expand Down Expand Up @@ -240,7 +243,7 @@ To verify creation:
```
kubectl get authorizationpolicy -A
NAMESPACE NAME AGE
kuadrant-system on-kuadrant-gwapi-gateway-using-hr-toystore 3m36s
kuadrant-system on-kuadrant-gwapi-gateway-using-toystore-custom 81s
```

9.- Verify authentication
Expand All @@ -257,6 +260,18 @@ Should return `200 OK`
curl -v -H 'Host: api.toystore.com' -H 'Authorization: APIKEY ALICEKEYFORDEMO' -X POST http://localhost:9080/admin/toy
```

## Demos

### [Updating the RateLimitPolicy `targetRef` attribute](/doc/demo-rlp-update-targetref.md)

This demo shows how the kuadrant's controller applies the rate limit policy to the new HTTPRoute
object and cleans up rate limit configuration to the HTTPRoute object no longer referenced by the policy.

### [Authenticated rate limiting](/doc/demo-rlp-authenticated.md)

This demo shows how to configure rate limiting after authentication stage and rate limit configuration
is per API key basis.

## Contributing

The [Development guide](doc/development.md) describes how to build the kuadrant controller and
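Review bot: The new demo links in this section use root-absolute paths (`/doc/demo-rlp-authenticated.md`) while the existing Development guide link just below uses a relative one (`doc/development.md`); pick one form, preferably the relative one already in use. The two descriptions also read awkwardly: "the kuadrant's controller" and "cleans up rate limit configuration to the HTTPRoute object" could become "the kuadrant controller" and "removes the rate limit configuration from the HTTPRoute object", and "rate limit configuration is per API key basis" could become "is applied on a per API key basis".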
4 changes: 2 additions & 2 deletions controllers/apim/httproute_controller.go
Expand Up @@ -55,7 +55,7 @@ func (r *HTTPRouteReconciler) Reconcile(eventCtx context.Context, req ctrl.Reque
gwName := string(parentRef.Name)

authPolicy := &istiosecurityv1beta1.AuthorizationPolicy{}
authPolicy.SetName(getAuthPolicyName(gwName, httproute.Name, "")) // TODO(rahul): need to do something about this controller
authPolicy.SetName(getAuthPolicyName(gwName, httproute.Name, "custom")) // TODO(rahul): need to do something about this controller
authPolicy.SetNamespace(gwNamespace)
common.TagObjectToDelete(authPolicy)
err := r.ReconcileResource(ctx, &istiosecurityv1beta1.AuthorizationPolicy{}, authPolicy, nil)
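Review bot: The delete path in `Reconcile` now builds the AuthorizationPolicy name only with the `"custom"` suffix, so a policy that was created under the previous name (empty suffix) is no longer the object passed to `common.TagObjectToDelete(authPolicy)` and would be left behind on a cluster that ran the older controller. Consider also tagging the old name for deletion during a transition, or document that pre-existing policies need manual cleanup. The `TODO(rahul)` comment is carried over unchanged; if the rename is the "something" it refers to, update or drop it.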
Expand Down Expand Up @@ -161,7 +161,7 @@ func (r *HTTPRouteReconciler) reconcileAuthPolicy(ctx context.Context, logger lo

authPolicy := istiosecurityv1beta1.AuthorizationPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: getAuthPolicyName(gwName, hr.Name, ""),
Name: getAuthPolicyName(gwName, hr.Name, "custom"),
Namespace: gwNamespace,
},
Spec: authPolicySpec,
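Review bot: The `"custom"` literal passed to `getAuthPolicyName` in `reconcileAuthPolicy` has to stay identical to the one in the `Reconcile` delete path, otherwise create and delete target different objects. Define it once as a named constant, with a comment saying what the suffix denotes, and use that constant in both calls.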
150 changes: 150 additions & 0 deletions doc/demo-rlp-authenticated.md
@@ -0,0 +1,150 @@
## Authenticated rate limiting

This demo shows how to configure rate limiting after authentication stage and rate limit configuration
is per API key basis.

### Steps

Create local cluster and deploy kuadrant

```
make local-setup
```

Deploy toystore example deployment

```
kubectl apply -f examples/toystore/toystore.yaml
```

Create `toystore` HTTPRoute to configure routing to the toystore service

```yaml
kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: toystore
labels:
app: toystore
spec:
parentRefs:
- name: kuadrant-gwapi-gateway
namespace: kuadrant-system
hostnames: ["*.toystore.com"]
rules:
- matches:
- path:
type: PathPrefix
value: "/toy"
method: GET
backendRefs:
- name: toystore
port: 80

EOF
```

Check `toystore` HTTPRoute works

```
curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
```

Annotate HTTPRoute with Kuadrant auth provider to create AuthorizationPolicy

```
kubectl annotate httproute/toystore kuadrant.io/auth-provider=kuadrant-authorization
```

Create Authorino's AuthConfig and API key secrets

```yaml
kubectl apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
name: simple-api-protection
spec:
hosts:
- api.toystore.com
identity:
- name: friends
apiKey:
labelSelectors:
api: toystore
credentials:
in: authorization_header
keySelector: APIKEY
---
apiVersion: v1
kind: Secret
metadata:
name: key-a
labels:
authorino.kuadrant.io/managed-by: authorino
api: toystore
stringData:
api_key: KEY-A
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: key-b
labels:
authorino.kuadrant.io/managed-by: authorino
api: toystore
stringData:
api_key: KEY-B
type: Opaque
EOF
```
Check `toystore` HTTPRoute requires API key

```
curl -v -H 'Authorization: APIKEY KEY-A' -H 'Host: api.toystore.com' http://localhost:9080/toy
```

Add rate limit policy to protect per API key basis


```yaml
kubectl apply -f -<<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
name: toystore
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
rateLimits:
- stage: POSTAUTH
actions:
- request_headers:
descriptor_key: key
header_name: "Authorization"
skip_if_absent: true
domain: toystore-app
limits:
- conditions: []
max_value: 2
namespace: toystore-app
seconds: 30
variables: ["key"]
EOF
```

Check the authenticated rate limit policy works: 2 requests every 30 secs.

```
curl -v -H 'Authorization: APIKEY KEY-A' -H 'Host: api.toystore.com' http://localhost:9080/toy
```

```
curl -v -H 'Authorization: APIKEY KEY-B' -H 'Host: api.toystore.com' http://localhost:9080/toy
```
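Review bot: In the RateLimitPolicy, `request_headers` with `header_name: "Authorization"` makes the full header value, API key included, the rate limit descriptor value, so the credential itself is handed to the rate limiting service as the counter key. Since the limit runs at `stage: POSTAUTH`, prefer keying on a non-secret identifier of the authenticated identity if one is available, or state this trade-off in the doc. Separately, the "Check `toystore` HTTPRoute requires API key" step only shows a request that carries a valid key; adding a request without the `Authorization` header and its expected result would actually demonstrate the requirement. The `kubectl apply -f - <<EOF` blocks are fenced as `yaml` although they are shell commands, and a blank line is missing between the closing fence of the AuthConfig block and that step.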
155 changes: 155 additions & 0 deletions doc/demo-rlp-update-targetref.md
@@ -0,0 +1,155 @@
## Updating the RateLimitPolicy `targetRef` attribute

This demo shows how the kuadrant's controller applies the rate limit policy to the new HTTPRoute
object and cleans up rate limit configuration to the HTTPRoute object no longer referenced by the policy.

### Steps

Create local cluster and deploy kuadrant

```
make local-setup
```

Deploy toystore example deployment

```
kubectl apply -f examples/toystore/toystore.yaml
```

Create `toystore` HTTPRoute to configure routing to the toystore service

```yaml
kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: toystore
labels:
app: toystore
spec:
parentRefs:
- name: kuadrant-gwapi-gateway
namespace: kuadrant-system
hostnames: ["*.toystore.com"]
rules:
- matches:
- path:
type: PathPrefix
value: "/toy"
method: GET
backendRefs:
- name: toystore
port: 80

EOF
```

Check `toystore` HTTPRoute works

```
curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
```

![](https://i.imgur.com/ykv86hV.png)

Rate limit `toystore` HTTPRoute

```yaml
kubectl apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
name: toystore
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
rateLimits:
- stage: PREAUTH
actions:
- generic_key:
descriptor_key: vhaction
descriptor_value: "yes"
domain: toystore-app
limits:
- conditions: ["vhaction == yes"]
max_value: 2
namespace: toystore-app
seconds: 5
variables: []
EOF
```

Check the rate limit policy works: 2 requests every 5 secs.

```
curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
```

Add a second HTTPRoute: `carstore`

![](https://i.imgur.com/ruabBi3.png)

```yaml
kubectl apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: carstore
labels:
app: carstore
spec:
parentRefs:
- name: kuadrant-gwapi-gateway
namespace: kuadrant-system
hostnames: ["api.carstore.com"]
rules:
- matches:
- path:
type: PathPrefix
value: "/car"
method: GET
backendRefs:
- name: toystore
port: 80
EOF
```

Check `carstore` HTTPRoute works

```
curl -v -H 'Host: api.carstore.com' http://localhost:9080/car
```

Update RLP `targetRef` to the new HTTPRoute `carstore`

![](https://i.imgur.com/eu30Mry.png)

```
k edit ratelimitpolicy toystore
```

Check `toystore` HTTPRoute is no longer rate limited

```
curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
```

Check `carstore` HTTPRoute is rate limited

```
curl -v -H 'Host: api.carstore.com' http://localhost:9080/car
```

Remove the rate limit policy

```
k delete ratelimitpolicy toystore
```

Check `toystore` and `carstore` HTTPRoutes are no longer rate limited
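Review bot: The last step, "Check `toystore` and `carstore` HTTPRoutes are no longer rate limited", has no command after it; add the two `curl` calls used in the earlier checks. The `targetRef` update step runs `k edit ratelimitpolicy toystore` without saying which field to change, and both it and `k delete ratelimitpolicy toystore` rely on a `k` alias while the rest of the doc uses `kubectl`. Spell out `kubectl` and show the edited `targetRef` with `name: carstore`, or give a non-interactive command, so the demo can be followed by copy and paste.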
