From e6f2f5357ede1d45bb4ba89f8aabb932c0fd41f7 Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Tue, 22 Oct 2024 15:14:12 +0200 Subject: [PATCH 1/3] fix authorino deployment Signed-off-by: Eguzki Astiz Lezaun --- README.md | 2 +- make/deploy.mk | 71 +-- utils/deploy/envoy-tls.yaml | 502 ------------------ utils/deploy/{envoy-notls.yaml => envoy.yaml} | 4 +- utils/deploy/limitador.yaml | 57 -- utils/deploy/limits.yaml | 32 -- .../authorino-operator/delete-ns.yaml | 5 + .../authorino-operator/kustomization.yaml | 8 + utils/kustomize/authorino/authorino.yaml | 20 + utils/kustomize/authorino/kustomization.yaml | 6 + .../limitador-operator/delete-ns.yaml | 5 + .../limitador-operator/kustomization.yaml | 8 + utils/kustomize/limitador/kustomization.yaml | 6 + utils/kustomize/limitador/limitador.yaml | 37 ++ 14 files changed, 126 insertions(+), 637 deletions(-) delete mode 100644 utils/deploy/envoy-tls.yaml rename utils/deploy/{envoy-notls.yaml => envoy.yaml} (99%) delete mode 100644 utils/deploy/limitador.yaml delete mode 100644 utils/deploy/limits.yaml create mode 100644 utils/kustomize/authorino-operator/delete-ns.yaml create mode 100644 utils/kustomize/authorino-operator/kustomization.yaml create mode 100644 utils/kustomize/authorino/authorino.yaml create mode 100644 utils/kustomize/authorino/kustomization.yaml create mode 100644 utils/kustomize/limitador-operator/delete-ns.yaml create mode 100644 utils/kustomize/limitador-operator/kustomization.yaml create mode 100644 utils/kustomize/limitador/kustomization.yaml create mode 100644 utils/kustomize/limitador/limitador.yaml diff --git a/README.md b/README.md index 7983159f..f3cd9202 100644 --- a/README.md +++ b/README.md @@ -160,7 +160,7 @@ echo API as well as limitador, authorino, and some test policies are configured. To expose the envoy endpoint run the following: ```sh -kubectl port-forward --namespace default deployment/envoy 8000:8000 +kubectl port-forward --namespace kuadrant-system deployment/envoy 8000:8000 ``` There is then a single auth action set defined for e2e testing: diff --git a/make/deploy.mk b/make/deploy.mk index 1042d0eb..d741e242 100644 --- a/make/deploy.mk +++ b/make/deploy.mk @@ -2,6 +2,7 @@ .PHONY: kind kind-create-cluster kind-delete-cluster +NAMESPACE ?= kuadrant-system KIND = $(PROJECT_PATH)/bin/kind KIND_VERSION = v0.23.0 $(KIND): @@ -24,67 +25,49 @@ kind-create-cluster: kind ## Create the "wasm-auth-local" kind cluster. kind-delete-cluster: ## Delete the "wasm-auth-local" kind cluster. - KIND_EXPERIMENTAL_PROVIDER=$(CONTAINER_ENGINE) $(KIND) delete cluster --name $(KIND_CLUSTER_NAME) +KUSTOMIZE = $(PROJECT_PATH)/bin/kustomize +$(KUSTOMIZE): + $(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v4@v4.5.5) + +.PHONY: kustomize +kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. ##@ Authorino -.PHONY: install-authorino-operator certs deploy-authorino - -AUTHORINO_IMAGE ?= quay.io/kuadrant/authorino:latest -AUTHORINO_OPERATOR_NAMESPACE ?= authorino-operator -install-authorino-operator: ## Installs Authorino Operator and dependencies into the Kubernetes cluster configured in ~/.kube/config - curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/utils/install.sh | bash -s -- --git-ref main - kubectl patch deployment/authorino-webhooks -n $(AUTHORINO_OPERATOR_NAMESPACE) -p '{"spec":{"template":{"spec":{"containers":[{"name":"webhooks","image":"$(AUTHORINO_IMAGE)","imagePullPolicy":"IfNotPresent"}]}}}}' - kubectl -n $(AUTHORINO_OPERATOR_NAMESPACE) wait --timeout=300s --for=condition=Available deployments --all - -TLS_ENABLED ?= true -AUTHORINO_INSTANCE ?= authorino -NAMESPACE ?= default -certs: sed ## Requests TLS certificates for the Authorino instance if TLS is enabled, cert-manager.io is installed, and the secret is not already present -ifeq (true,$(TLS_ENABLED)) -ifeq (,$(shell kubectl -n $(NAMESPACE) get secret/authorino-oidc-server-cert 2>/dev/null)) - curl -sl https://raw.githubusercontent.com/kuadrant/authorino/main/deploy/certs.yaml | $(SED) "s/\$$(AUTHORINO_INSTANCE)/$(AUTHORINO_INSTANCE)/g;s/\$$(NAMESPACE)/$(NAMESPACE)/g" | kubectl -n $(NAMESPACE) apply -f - -else - echo "tls cert secret found." -endif -else - echo "tls disabled." -endif +.PHONY: namespace +namespace: ## Creates a namespace $(NAMESPACE) + kubectl create namespace $(NAMESPACE) -deploy-authorino: certs sed ## Deploys an instance of Authorino into the Kubernetes cluster configured in ~/.kube/config - @{ \ - set -e ;\ - TEMP_FILE=/tmp/authorino-deploy-$$(openssl rand -hex 4).yaml ;\ - curl -sl https://raw.githubusercontent.com/kuadrant/authorino/main/deploy/authorino.yaml > $$TEMP_FILE ;\ - $(SED) -i "s/\$$(AUTHORINO_INSTANCE)/$(AUTHORINO_INSTANCE)/g;s/\$$(TLS_ENABLED)/$(TLS_ENABLED)/g" $$TEMP_FILE ;\ - kubectl -n $(NAMESPACE) apply -f $$TEMP_FILE ;\ - kubectl patch -n $(NAMESPACE) authorino/$(AUTHORINO_INSTANCE) --type='merge' -p '{"spec":{"image": "$(AUTHORINO_IMAGE)"}}' ;\ - rm -rf $$TEMP_FILE ;\ - } +.PHONY: install-authorino-operator +install-authorino-operator: $(KUSTOMIZE) ## Installs Authorino Operator and dependencies into the Kubernetes cluster configured in ~/.kube/config + $(KUSTOMIZE) build $(PROJECT_PATH)/utils/kustomize/authorino-operator | kubectl apply -f - + kubectl -n "$(NAMESPACE)" wait --timeout=300s --for=condition=Available deployments --all +.PHONY: deploy-authorino +deploy-authorino: $(KUSTOMIZE) ## Deploys an instance of Authorino into the Kubernetes cluster configured in ~/.kube/config + $(KUSTOMIZE) build $(PROJECT_PATH)/utils/kustomize/authorino | kubectl apply -f - + kubectl -n "$(NAMESPACE)" wait --timeout=300s --for=condition=Available deployments --all ##@ Limitador -deploy-limitador: - kubectl create configmap limits --from-file=$(PROJECT_PATH)/utils/deploy/limits.yaml - kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/limitador.yaml +.PHONY: install-limitador-operator +install-limitador-operator: $(KUSTOMIZE) ## Installs Limitador Operator and dependencies into the Kubernetes cluster configured in ~/.kube/config + $(KUSTOMIZE) build $(PROJECT_PATH)/utils/kustomize/limitador-operator | kubectl apply -f - + kubectl -n "$(NAMESPACE)" wait --timeout=300s --for=condition=Available deployments --all +.PHONY: deploy-limitador +deploy-limitador: + $(KUSTOMIZE) build $(PROJECT_PATH)/utils/kustomize/limitador | kubectl apply -f - ##@ User Apps .PHONY: user-apps - -ifeq (true,$(TLS_ENABLED)) -ENVOY_OVERLAY = tls -else -ENVOY_OVERLAY = notls -endif user-apps: ## Deploys talker API and envoy kubectl -n $(NAMESPACE) apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml - kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/envoy-$(ENVOY_OVERLAY).yaml + kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/envoy.yaml kubectl -n $(NAMESPACE) apply -f $(PROJECT_PATH)/utils/deploy/authconfig.yaml - ##@ Util .PHONY: local-setup local-env-setup local-cleanup local-rollout sed @@ -100,7 +83,9 @@ local-setup: local-env-setup local-env-setup: $(WASM_RELEASE_BIN) $(MAKE) kind-delete-cluster $(MAKE) kind-create-cluster + $(MAKE) namespace $(MAKE) install-authorino-operator + $(MAKE) install-limitador-operator $(MAKE) deploy-authorino $(MAKE) deploy-limitador $(MAKE) user-apps diff --git a/utils/deploy/envoy-tls.yaml b/utils/deploy/envoy-tls.yaml deleted file mode 100644 index 9fa8ab7c..00000000 --- a/utils/deploy/envoy-tls.yaml +++ /dev/null @@ -1,502 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: envoy - name: envoy -data: - envoy.yaml: | - static_resources: - clusters: - - name: authorino_wasm - connect_timeout: 1s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: { } - load_assignment: - cluster_name: authorino_wasm - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: authorino-authorino-authorization - port_value: 50051 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - validation_context: - trusted_ca: - filename: /etc/ssl/certs/authorino-ca-cert.crt - - name: limitador - connect_timeout: 1s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: { } - load_assignment: - cluster_name: limitador - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: limitador - port_value: 8081 - - name: talker-api - connect_timeout: 0.25s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: talker-api - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: talker-api - port_value: 3000 - - name: talker-web - connect_timeout: 0.25s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: talker-web - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: talker-web - port_value: 8888 - - name: opentelemetry - connect_timeout: 0.25s - type: STRICT_DNS - lb_policy: ROUND_ROBIN - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: { } - load_assignment: - cluster_name: opentelemetry - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: otel-collector - port_value: 4317 - listeners: - - address: - socket_address: - address: 0.0.0.0 - port_value: 8000 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: local - use_remote_address: true - xff_num_trusted_hops: 1 - route_config: - name: local_route - virtual_hosts: - - name: local_service - domains: [ '*' ] - routes: - - match: { prefix: / } - route: - cluster: talker-api - http_filters: - - name: envoy.filters.http.header_to_metadata - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config - request_rules: - - header: x-dyn-user-id - on_header_present: - key: user_id - type: STRING - remove: false - - name: envoy.filters.http.wasm - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - config: - name: kuadrant_wasm - root_id: kuadrant_wasm - vm_config: - vm_id: vm.sentinel.kuadrant_wasm - runtime: envoy.wasm.runtime.v8 - code: - local: - filename: /opt/kuadrant/wasm/wasm_shim.wasm - allow_precompiled: true - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: > - { - "services": { - "authorino": { - "type": "auth", - "endpoint": "authorino_wasm", - "failureMode": "deny" - }, - "limitador": { - "type": "ratelimit", - "endpoint": "limitador", - "failureMode": "deny" - } - }, - "actionSets": [ - { - "name": "auth-ns-A/auth-name-A", - "routeRuleConditions": { - "hostnames": [ - "*.a.auth.com" - ], - "matches": [ - { - "selector": "request.path", - "operator": "eq", - "value": "/get" - } - ] - }, - "actions": [ - { - "service": "authorino", - "scope": "effective-route-1" - } - ] - }, - { - "name": "rlp-ns-A/rlp-name-A", - "routeRuleConditions": { - "hostnames": [ - "*.a.rlp.com" - ] - }, - "actions": [ - { - "service": "limitador", - "scope": "rlp-ns-A/rlp-name-A", - "data": [ - { - "selector": { - "selector": "unknown.path" - } - } - ] - } - ] - }, - { - "name": "rlp-ns-B/rlp-name-B", - "routeRuleConditions": { - "hostnames": [ - "*.b.rlp.com" - ], - "matches": [ - { - "selector": "request.url_path", - "operator": "startswith", - "value": "/unknown-path" - } - ] - }, - "actions": [ - { - "service": "limitador", - "scope": "rlp-ns-B/rlp-name-B", - "data": [ - { - "static": { - "key": "rlp-ns-B/rlp-name-B/limit-not-to-be-activated", - "value": "1" - } - } - ] - } - ] - }, - { - "name": "rlp-ns-C/rlp-name-C", - "routeRuleConditions": { - "hostnames": [ - "*.c.rlp.com" - ], - "matches": [ - { - "selector": "request.url_path", - "operator": "startswith", - "value": "/get" - }, - { - "selector": "request.host", - "operator": "eq", - "value": "test.c.rlp.com" - }, - { - "selector": "request.method", - "operator": "eq", - "value": "GET" - } - ] - }, - "actions": [ - { - "service": "limitador", - "scope": "rlp-ns-C/rlp-name-C", - "data": [ - { - "static": { - "key": "limit_to_be_activated", - "value": "1" - } - }, - { - "selector": { - "selector": "source.address" - } - }, - { - "selector": { - "selector": "request.headers.My-Custom-Header-01" - } - }, - { - "selector": { - "selector": "metadata.filter_metadata.envoy\\.filters\\.http\\.header_to_metadata.user_id", - "key": "user_id" - } - } - ] - } - ] - }, - { - "name": "rlp-ns-D/rlp-name-D", - "hostnames": [ - "*.d.rlp.com" - ], - "rules": [ - { - "conditions": [ - { - "allOf": [ - { - "selector": "source.remote_address", - "operator": "neq", - "value": "50.0.0.1" - } - ] - } - ], - "actions": [ - { - "extension": "limitador", - "scope": "rlp-ns-D/rlp-name-D", - "data": [ - { - "selector": { - "selector": "source.remote_address" - } - } - ] - } - ] - } - ] - }, - { - "name": "multi-ns-A/multi-name-A", - "routeRuleConditions": { - "hostnames": [ - "*.a.multi.com" - ], - "matches": [ - { - "selector": "request.path", - "operator": "eq", - "value": "/get" - } - ] - }, - "actions": [ - { - "service": "authorino", - "scope": "effective-route-1" - }, - { - "service": "limitador", - "scope": "multi-ns-A/multi-name-A", - "data": [ - { - "selector": { - "selector": "filter_state.wasm\\.kuadrant\\.identity\\.userid", - "key": "user_id" - } - } - ] - } - ] - }, - { - "name": "multi-ns-B/multi-name-B", - "routeRuleConditions": { - "hostnames": [ - "*.b.multi.com" - ], - "matches": [ - { - "selector": "request.path", - "operator": "eq", - "value": "/get" - } - ] - }, - "actions": [ - { - "service": "authorino", - "scope": "effective-route-1" - }, - { - "service": "limitador", - "scope": "multi-ns-B/multi-name-B", - "conditions": [ - { - "selector": "filter_state.wasm\\.kuadrant\\.identity\\.userid", - "operator": "eq", - "value": "alice" - } - ], - "data": [ - { - "static": { - "key": "user_id", - "value": "alice" - } - } - ] - } - ] - } - ] - } - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # # Uncomment to enable tracing - # tracing: - # provider: - # name: envoy.tracers.opentelemetry - # typed_config: - # "@type": type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig - # grpc_service: - # envoy_grpc: - # cluster_name: opentelemetry - # timeout: 1s - # service_name: envoy - admin: - address: - socket_address: - address: 0.0.0.0 - port_value: 8001 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: envoy - name: envoy -spec: - replicas: 1 - selector: - matchLabels: - app: envoy - template: - metadata: - labels: - app: envoy - spec: - containers: - - args: - - --config-path /usr/local/etc/envoy/envoy.yaml - - --service-cluster front-proxy - - --log-level info - - --component-log-level wasm:debug,filter:trace,http:debug,router:debug - command: - - /usr/local/bin/envoy - image: envoyproxy/envoy:v1.31-latest - name: envoy - ports: - - containerPort: 8000 - name: web - - containerPort: 8001 - name: admin - volumeMounts: - - mountPath: /usr/local/etc/envoy - name: config - readOnly: true - - mountPath: /etc/ssl/certs/authorino-ca-cert.crt - name: authorino-ca-cert - readOnly: true - subPath: ca.crt - - mountPath: /opt/kuadrant/wasm - name: wasm - volumes: - - configMap: - items: - - key: envoy.yaml - path: envoy.yaml - name: envoy - name: config - - name: authorino-ca-cert - secret: - defaultMode: 420 - secretName: authorino-ca-cert - - name: wasm - hostPath: - path: /opt/kuadrant/wasm ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: envoy - name: envoy -spec: - ports: - - name: web - port: 8000 - protocol: TCP - selector: - app: envoy ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-wildcard-host -spec: - rules: - - host: talker-api.127.0.0.1.nip.io - http: - paths: - - backend: - service: - name: envoy - port: - number: 8000 - path: / - pathType: Prefix diff --git a/utils/deploy/envoy-notls.yaml b/utils/deploy/envoy.yaml similarity index 99% rename from utils/deploy/envoy-notls.yaml rename to utils/deploy/envoy.yaml index 51ddbe3f..edf4cf32 100644 --- a/utils/deploy/envoy-notls.yaml +++ b/utils/deploy/envoy.yaml @@ -24,7 +24,7 @@ data: - endpoint: address: socket_address: - address: authorino-authorino-authorization + address: sample-authorino-authorization port_value: 50051 - name: limitador connect_timeout: 1s @@ -42,7 +42,7 @@ data: - endpoint: address: socket_address: - address: limitador + address: limitador-sample port_value: 8081 - name: talker-api connect_timeout: 0.25s diff --git a/utils/deploy/limitador.yaml b/utils/deploy/limitador.yaml deleted file mode 100644 index 51f231e9..00000000 --- a/utils/deploy/limitador.yaml +++ /dev/null @@ -1,57 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: limitador - name: limitador -spec: - replicas: 1 - selector: - matchLabels: - app: limitador - template: - metadata: - labels: - app: limitador - spec: - containers: - - args: - - -vvv - - /opt/kuadrant/limits/limits.yaml - command: - - limitador-server - image: quay.io/kuadrant/limitador:latest - name: limitador - ports: - - containerPort: 8080 - name: http - - containerPort: 8081 - name: grpc - volumeMounts: - - mountPath: /opt/kuadrant/limits - name: limits - volumes: - - configMap: - items: - - key: limits.yaml - path: limits.yaml - name: limits - name: limits ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: limitador - name: limitador -spec: - ports: - - name: http - port: 8080 - protocol: TCP - - name: grpc - port: 8081 - protocol: TCP - selector: - app: limitador diff --git a/utils/deploy/limits.yaml b/utils/deploy/limits.yaml deleted file mode 100644 index c3eceb90..00000000 --- a/utils/deploy/limits.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- namespace: rlp-ns-C/rlp-name-C - max_value: 2 - seconds: 10 - conditions: - - "limit_to_be_activated == '1'" - - "user_id == 'bob'" - variables: [] -- namespace: rlp-ns-D/rlp-name-D - max_value: 2 - seconds: 10 - conditions: [] - variables: - - source.remote_address -- namespace: multi-ns-A/multi-name-A - max_value: 5 - seconds: 10 - conditions: - - "user_id == 'alice'" - variables: [] -- namespace: multi-ns-A/multi-name-A - max_value: 2 - seconds: 10 - conditions: - - "user_id == 'bob'" - variables: [] -- namespace: multi-ns-B/multi-name-B - max_value: 5 - seconds: 10 - conditions: - - "user_id == 'alice'" - variables: [] diff --git a/utils/kustomize/authorino-operator/delete-ns.yaml b/utils/kustomize/authorino-operator/delete-ns.yaml new file mode 100644 index 00000000..63bd2bb5 --- /dev/null +++ b/utils/kustomize/authorino-operator/delete-ns.yaml @@ -0,0 +1,5 @@ +$patch: delete +apiVersion: v1 +kind: Namespace +metadata: + name: authorino-operator diff --git a/utils/kustomize/authorino-operator/kustomization.yaml b/utils/kustomize/authorino-operator/kustomization.yaml new file mode 100644 index 00000000..79693880 --- /dev/null +++ b/utils/kustomize/authorino-operator/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kuadrant-system +resources: +- github.com/Kuadrant/authorino-operator/config/deploy?ref=main +patchesStrategicMerge: +- delete-ns.yaml diff --git a/utils/kustomize/authorino/authorino.yaml b/utils/kustomize/authorino/authorino.yaml new file mode 100644 index 00000000..467b71e0 --- /dev/null +++ b/utils/kustomize/authorino/authorino.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: operator.authorino.kuadrant.io/v1beta1 +kind: Authorino +metadata: + name: sample +spec: + clusterWide: true + authConfigLabelSelectors: "" + secretLabelSelectors: authorino.kuadrant.io/managed-by=authorino + logLevel: debug + logMode: development + oidcServer: + tls: + enabled: false + listener: + ports: + grpc: 50051 # set '0' to disable the gRPC interface of the External Authorization server + http: 5001 # set '0' to disable the HTTP interface of the External Authorization server + tls: + enabled: false diff --git a/utils/kustomize/authorino/kustomization.yaml b/utils/kustomize/authorino/kustomization.yaml new file mode 100644 index 00000000..b60a8f37 --- /dev/null +++ b/utils/kustomize/authorino/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kuadrant-system +resources: +- authorino.yaml diff --git a/utils/kustomize/limitador-operator/delete-ns.yaml b/utils/kustomize/limitador-operator/delete-ns.yaml new file mode 100644 index 00000000..1db205e4 --- /dev/null +++ b/utils/kustomize/limitador-operator/delete-ns.yaml @@ -0,0 +1,5 @@ +$patch: delete +apiVersion: v1 +kind: Namespace +metadata: + name: limitador-operator-system diff --git a/utils/kustomize/limitador-operator/kustomization.yaml b/utils/kustomize/limitador-operator/kustomization.yaml new file mode 100644 index 00000000..694b8cf3 --- /dev/null +++ b/utils/kustomize/limitador-operator/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kuadrant-system +resources: +- github.com/Kuadrant/limitador-operator/config/default?ref=main +patchesStrategicMerge: +- delete-ns.yaml diff --git a/utils/kustomize/limitador/kustomization.yaml b/utils/kustomize/limitador/kustomization.yaml new file mode 100644 index 00000000..3517229f --- /dev/null +++ b/utils/kustomize/limitador/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kuadrant-system +resources: +- limitador.yaml diff --git a/utils/kustomize/limitador/limitador.yaml b/utils/kustomize/limitador/limitador.yaml new file mode 100644 index 00000000..68069a68 --- /dev/null +++ b/utils/kustomize/limitador/limitador.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: sample +spec: + listener: + http: + port: 8080 + grpc: + port: 8081 + limits: + - namespace: rlp-ns-C/rlp-name-C + max_value: 2 + seconds: 10 + conditions: + - "limit_to_be_activated == '1'" + - "user_id == 'bob'" + variables: [] + - namespace: multi-ns-A/multi-name-A + max_value: 5 + seconds: 10 + conditions: + - "user_id == 'alice'" + variables: [] + - namespace: multi-ns-A/multi-name-A + max_value: 2 + seconds: 10 + conditions: + - "user_id == 'bob'" + variables: [] + - namespace: rlp-ns-D/rlp-name-D + max_value: 2 + seconds: 10 + conditions: [] + variables: + - source.remote_address From 3347598dd195f685d7f755a6506981bf06db27b8 Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Tue, 22 Oct 2024 17:15:07 +0200 Subject: [PATCH 2/3] fix wasm config Signed-off-by: Eguzki Astiz Lezaun --- utils/deploy/envoy.yaml | 30 +++++++++++++----------- utils/kustomize/limitador/limitador.yaml | 6 +++++ 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/utils/deploy/envoy.yaml b/utils/deploy/envoy.yaml index edf4cf32..32c3286d 100644 --- a/utils/deploy/envoy.yaml +++ b/utils/deploy/envoy.yaml @@ -278,21 +278,23 @@ data: }, { "name": "rlp-ns-D/rlp-name-D", - "hostnames": [ - "*.d.rlp.com" - ], - "rules": [ + "routeRuleConditions": { + "hostnames": [ + "*.d.rlp.com" + ], + "matches": [ + { + "selector": "source.remote_address", + "operator": "neq", + "value": "50.0.0.1" + } + ] + }, + "actions": [ { - "conditions": [ - { - "allOf": [ - { - "selector": "source.remote_address", - "operator": "neq", - "value": "50.0.0.1" - } - ] - } + "service": "limitador", + "scope": "rlp-ns-D/rlp-name-D, + "data": [ ], "actions": [ { diff --git a/utils/kustomize/limitador/limitador.yaml b/utils/kustomize/limitador/limitador.yaml index 68069a68..d80cf3f5 100644 --- a/utils/kustomize/limitador/limitador.yaml +++ b/utils/kustomize/limitador/limitador.yaml @@ -35,3 +35,9 @@ spec: conditions: [] variables: - source.remote_address + - namespace: multi-ns-B/multi-name-B + max_value: 5 + seconds: 10 + conditions: + - "user_id == 'alice'" + variables: [] From 5c9685b5f9d6c0d1bd13d303265d82547560f37d Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Tue, 22 Oct 2024 17:29:55 +0200 Subject: [PATCH 3/3] fix wasm config && deploy limitador in verbose mode Signed-off-by: Eguzki Astiz Lezaun --- README.md | 6 ++++++ utils/deploy/envoy.yaml | 2 +- utils/kustomize/limitador/limitador.yaml | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f3cd9202..62ad7980 100644 --- a/README.md +++ b/README.md @@ -198,6 +198,12 @@ curl -H "Host: test.b.rlp.com" http://127.0.0.1:8000/get -i curl -H "Host: test.c.rlp.com" -H "x-forwarded-for: 50.0.0.1" -H "My-Custom-Header-01: my-custom-header-value-01" -H "x-dyn-user-id: bob" http://127.0.0.1:8000/get -i ``` +Check limitador logs for received descriptor entries. + +```sh +kubectl logs -f deployment/limitador-sample -n kuadrant-system +``` + The expected descriptor entries: ``` diff --git a/utils/deploy/envoy.yaml b/utils/deploy/envoy.yaml index 32c3286d..1f720660 100644 --- a/utils/deploy/envoy.yaml +++ b/utils/deploy/envoy.yaml @@ -293,7 +293,7 @@ data: "actions": [ { "service": "limitador", - "scope": "rlp-ns-D/rlp-name-D, + "scope": "rlp-ns-D/rlp-name-D", "data": [ ], "actions": [ diff --git a/utils/kustomize/limitador/limitador.yaml b/utils/kustomize/limitador/limitador.yaml index d80cf3f5..62869054 100644 --- a/utils/kustomize/limitador/limitador.yaml +++ b/utils/kustomize/limitador/limitador.yaml @@ -4,6 +4,7 @@ kind: Limitador metadata: name: sample spec: + verbosity: 3 listener: http: port: 8080