apikey secrets suggestion in stderr

go.mod

@@ -4,6 +4,7 @@ go 1.21
 
 require (
 	github.com/getkin/kin-openapi v0.120.0
+	github.com/kuadrant/authorino v0.15.0
 	github.com/kuadrant/kuadrant-operator v0.4.1
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.10
@@ -16,6 +17,7 @@ require (
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.16.3
 	sigs.k8s.io/gateway-api v0.6.2
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -44,7 +46,6 @@ require (
 	github.com/invopop/yaml v0.2.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kuadrant/authorino v0.15.0 // indirect
 	github.com/kuadrant/authorino-operator v0.9.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
@@ -88,5 +89,4 @@ require (
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )

pkg/kuadrantapi/authpolicy.go

@@ -3,13 +3,16 @@ package kuadrantapi
 import (
 	"errors"
 	"fmt"
+	"os"
 
 	"github.com/getkin/kin-openapi/openapi3"
 	authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
 	kuadrantapiv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	gatewayapiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/kuadrant/kuadrantctl/pkg/gatewayapi"
 	"github.com/kuadrant/kuadrantctl/pkg/utils"
@@ -217,6 +220,8 @@ func apiKeyAuthenticationSpec(basePath, path string, pathItem *openapi3.PathItem
 		credentials.Cookie = &authorinoapi.Named{Name: secScheme.Name}
 	}
 
+	printSecretSuggestion(basePath, path, verb, secSchemeName)
+
 	return kuadrantapiv1beta2.AuthenticationSpec{
 		CommonAuthRuleSpec: kuadrantapiv1beta2.CommonAuthRuleSpec{
 			RouteSelectors: buildAuthPolicyRouteSelectors(basePath, path, pathItem, verb, op, pathMatchType),
@@ -252,3 +257,36 @@ func openIDAuthenticationSpec(basePath, path string, pathItem *openapi3.PathItem
 		},
 	}
 }
+
+func printSecretSuggestion(basePath, path, verb, secSchemeName string) {
+	// remove the last slash of the Base Path
+	sanitizedBasePath := utils.LastSlashRegexp.ReplaceAllString(basePath, "")
+
+	//  According OAS 3.0: path MUST begin with a slash
+	matchPath := fmt.Sprintf("%s%s", sanitizedBasePath, path)
+	fmt.Fprintln(os.Stderr, "======================================================================================================")
+	fmt.Fprintf(os.Stderr, "%s %s endpoint is protected with ApiKey. Consider creating secrets with valid tokens\n", verb, matchPath)
+	fmt.Fprintln(os.Stderr, "---")
+
+	secret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Secret"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secSchemeName,
+			Labels: map[string]string{
+				"authorino.kuadrant.io/managed-by": "authorino",
+				APIKeySecretLabel:                  secSchemeName,
+			},
+		},
+		StringData: map[string]string{
+			"api_key": "MY_SECRET_TOKEN_VALUE",
+		},
+		Type: corev1.SecretTypeOpaque,
+	}
+
+	secretSerialized, err := yaml.Marshal(secret)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Fprintln(os.Stderr, string(secretSerialized))
+}