From 65ef770d2dc4cd547a64af4272f526851be46b04 Mon Sep 17 00:00:00 2001 
From: tharindu1st Date: Sun, 7 Apr 2024 21:18:23 +0530 Subject: [PATCH] implement global cors configuration --- adapter/config/default_config.go | 9 + adapter/config/types.go | 12 ++ .../envoyconf/routes_with_clusters.go | 2 +- .../envoyconf/routes_with_clusters_test.go | 13 +- .../internal/oasparser/model/http_route.go | 29 ++- .../operator/controllers/dp/api_controller.go | 4 +- common-go-libs/PROJECT | 9 +- .../apis/dp/v1alpha1/apipolicy_conversion.go | 184 ++++++++++++++++ .../dp/v1alpha1/authentication_conversion.go | 201 ++++++++++-------- .../dp/v1alpha1/authentication_webhook.go | 60 ------ .../dp/v1alpha1/tokenissuer_conversion.go | 187 +++++++++------- .../apis/dp/v1alpha2/apipolicy_conversion.go | 23 ++ .../crds/dp.wso2.com_apipolicies.yaml | 13 ++ .../crds/dp.wso2.com_authentications.yaml | 13 ++ .../crds/dp.wso2.com_tokenissuers.yaml | 13 ++ .../config-deployer/config-api-apipolicy.yaml | 2 + .../config-deployer/config-api-route.yaml | 2 + .../config-deploy-api-create-scope.yaml | 2 + .../config-deployer-api-backendjwt.yaml | 2 + .../config-deployer-domain-api-backend.yaml | 2 + .../config-deployer/config-ds-configmap.yaml | 6 +- .../config-generator-domain-api-backend.yaml | 2 + ...igurator-api-no-authentication-policy.yaml | 4 +- .../wso2-apk-config-deployer-api.yaml | 2 +- .../wso2-apk-config-generator-api.yaml | 2 +- .../adapter-mutating-webhook-config.yaml | 2 +- .../adapter-validation-webhook-config.yaml | 2 +- .../gateway-runtime/default-jwt-issuer.yaml | 4 +- .../gateway-runtime/idp-jwt-issuer.yaml | 4 +- .../jwks-domain-api--authentication.yaml | 4 +- .../jwks-domain-api-backend.yaml | 2 + .../gateway-runtime/jwks-domain-api.yaml | 2 +- ...onEndpoint-domain-api--authentication.yaml | 4 +- ...enticationEndpoint-domain-api-backend.yaml | 2 + .../authenticationEndpoint-domain-api.yaml | 2 +- .../idp/commonoauth-domain-api-backend.yaml | 2 + ...monoauth-domain-api-no-authentication.yaml | 4 +- .../templates/idp/commonoauth-domain-api.yaml | 2 +- 
.../templates/idp/dcr-domain-api-backend.yaml | 2 + .../idp/dcr-domain-api-no-authentication.yaml | 4 +- helm-charts/templates/idp/dcr-domain-api.yaml | 2 +- .../templates/idp/idp-ui/idp-ui-backend.yaml | 2 + .../idp/oauth-domain-api-backend.yaml | 2 + .../oauth-domain-api-no-authentication.yaml | 4 +- .../templates/idp/oauth-domain-api.yaml | 2 +- helm-charts/values.yaml | 1 + .../ballerina/APIClient.bal | 31 +-- .../ballerina/Dependencies.toml | 2 +- .../ballerina/modules/model/APIPolicy.bal | 3 +- .../ballerina/resources/apk-conf-schema.yaml | 1 - .../ballerina/types.bal | 4 +- .../resources/tests/api-with-cors-policy.yaml | 15 +- 52 files changed, 620 insertions(+), 289 deletions(-)
create mode 100644 common-go-libs/apis/dp/v1alpha1/apipolicy_conversion.go
create mode 100644 common-go-libs/apis/dp/v1alpha2/apipolicy_conversion.go
rename helm-charts/{ => templates}/crds/dp.wso2.com_apipolicies.yaml (97%)
rename helm-charts/{ => templates}/crds/dp.wso2.com_authentications.yaml (98%)
rename helm-charts/{ => templates}/crds/dp.wso2.com_tokenissuers.yaml (97%)
diff --git a/adapter/config/default_config.go b/adapter/config/default_config.go
index bb33986b9..ac8691917 100644
--- a/adapter/config/default_config.go
+++ b/adapter/config/default_config.go
@@ -175,6 +175,15 @@ var defaultConfig = &Config{
 EnableOutboundCertificateHeader: false,
 },
 },
+ Cors: cors{
+ Enabled: true,
+ AccessControlAllowOrigins: []string{"*"},
+ AccessControlAllowMethods: []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"},
+ AccessControlAllowHeaders: []string{"authorization", "Access-Control-Allow-Origin", "Content-Type", "Internal-key"},
+ AccessControlAllowCredentials: false,
+ AccessControlExposeHeaders: []string{"*"},
+ },
+
 AuthService: authService{
 Port: 8081,
 MaxMessageSize: 1000000000,
diff --git a/adapter/config/types.go b/adapter/config/types.go
index 92cb283b1..7b6c81740 100644
--- a/adapter/config/types.go
+++ b/adapter/config/types.go
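Review bot: The new Cors default enables CORS for every API with `AccessControlAllowOrigins: []string{"*"}` and `AccessControlExposeHeaders: []string{"*"}`, and nothing in the hunk records that this permissive posture is the intended deployment-wide default. The wildcard origin is only acceptable because `AccessControlAllowCredentials` is false (browsers refuse `*` together with credentials), so that pairing is an invariant worth stating next to the literals, e.g. `// Applied to every API without an APIPolicy CORS override; keep AllowCredentials false while origins contain "*".` Whether `Enabled: true` should be the default at all also deserves a second look, since it adds an OPTIONS route to every API (the routes test in this patch grows from 3 to 5 routes) and helm-charts/values.yaml in the diffstat presumably carries the user-facing switch.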
@@ -165,6 +165,18 @@ type enforcer struct {
 MandateSubscriptionValidation bool
 MandateInternalKeyValidation bool
 Client httpClient
+ Cors cors
+}
+
+// Cors represents the configurations related to Cross-Origin Resource Sharing
+type cors struct {
+ Enabled bool
+ AccessControlAllowOrigins []string
+ AccessControlAllowMethods []string
+ AccessControlAllowHeaders []string
+ AccessControlMaxAge *int
+ AccessControlAllowCredentials bool
+ AccessControlExposeHeaders []string
 }
 
 // Router to enforcer request body passing configurations
diff --git a/adapter/internal/oasparser/envoyconf/routes_with_clusters.go b/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
index 0795f6df7..acb0edb51 100644
--- a/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
+++ b/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
@@ -116,7 +116,7 @@ func CreateRoutesWithClusters(adapterInternalAPI *model.AdapterInternalAPI, inte
 corsConfig := adapterInternalAPI.GetCorsConfig()
 var methods []string
- if corsConfig != nil {
+ if corsConfig != nil && corsConfig.Enabled {
 methods = append(methods, "GET", "OPTIONS")
 } else {
 methods = append(methods, "GET")
diff --git a/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go b/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go
index bd141ca35..a9697dacd 100644
--- a/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go
+++ b/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go
@@ -24,6 +24,7 @@ import (
 "github.com/wso2/apk/adapter/internal/dataholder"
 "github.com/wso2/apk/adapter/internal/discovery/xds"
+ "github.com/wso2/apk/adapter/internal/loggers"
 envoy "github.com/wso2/apk/adapter/internal/oasparser/envoyconf"
 "github.com/wso2/apk/adapter/internal/operator/constants"
 "github.com/wso2/apk/adapter/internal/operator/synchronizer"
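Review bot: The doc comment on the new struct should start with the identifier it documents, `// cors holds the Cross-Origin Resource Sharing settings the enforcer applies to APIs.`, since `Cors` is the field on enforcer rather than the type name. `AccessControlMaxAge *int` is the only optional field in the struct; a one-line comment saying what nil means (presumably no max-age header is emitted — confirm against the code that consumes it) would spare the next reader a trip through the route builder.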
@@ -131,7 +132,6 @@ func TestCreateRoutesWithClustersWithExactAndRegularExpressionRules(t *testing.T httpRouteState.BackendMapping = backendMapping apiState.ProdHTTPRoute = &httpRouteState - adapterInternalAPI, labels, err := synchronizer.UpdateInternalMapsFromHTTPRoute(apiState, &httpRouteState, constants.Production) assert.Equal(t, map[string]struct{}{"default-gateway": {}}, labels, "Labels are incorrect.") assert.Nil(t, err, "Error should not be present when apiState is converted to a AdapterInternalAPI object") 
@@ -172,11 +172,14 @@ func TestCreateRoutesWithClustersWithExactAndRegularExpressionRules(t *testing.T assert.Equal(t, uint32(7002), regexPathClusterPort, "Regex path cluster's assigned host is incorrect.") assert.Equal(t, uint32(0), regexPathClusterPriority, "Regex path cluster's assigned priority is incorrect.") - assert.Equal(t, 3, len(routes), "Created number of routes are incorrect.") - assert.Contains(t, []string{"^/test-api/2\\.0\\.0/exact-path-api/2\\.0\\.0/\\(\\.\\*\\)/exact-path([/]{0,1})"}, routes[1].GetMatch().GetSafeRegex().Regex) - assert.Contains(t, []string{"^/test-api/2\\.0\\.0/regex-path/2.0.0/userId/([^/]+)/orderId/([^/]+)([/]{0,1})"}, routes[2].GetMatch().GetSafeRegex().Regex) - assert.NotEqual(t, routes[1].GetMatch().GetSafeRegex().Regex, routes[2].GetMatch().GetSafeRegex().Regex, + assert.Equal(t, 5, len(routes), "Created number of routes are incorrect.") + assert.Contains(t, []string{"^/test-api/2\\.0\\.0/exact-path-api/2\\.0\\.0/\\(\\.\\*\\)/exact-path([/]{0,1})"}, routes[2].GetMatch().GetSafeRegex().Regex) + assert.Contains(t, []string{"^/test-api/2\\.0\\.0/regex-path/2.0.0/userId/([^/]+)/orderId/([^/]+)([/]{0,1})"}, routes[3].GetMatch().GetSafeRegex().Regex) + assert.NotEqual(t, routes[2].GetMatch().GetSafeRegex().Regex, routes[3].GetMatch().GetSafeRegex().Regex, "The route regex for the two paths should not be the same") + for _, route := range routes { + loggers.LoggerAPKOperator.Infof("routes ==" + route.GetMatch().GetSafeRegex().Regex) + } } func TestExtractAPIDetailsFromHTTPRouteForDefaultCase(t *testing.T) { diff --git a/adapter/internal/oasparser/model/http_route.go b/adapter/internal/oasparser/model/http_route.go index d3d7f40a0..58bdeebde 100644 --- a/adapter/internal/oasparser/model/http_route.go +++ b/adapter/internal/oasparser/model/http_route.go 
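Review bot: The logging loop added at the end of TestCreateRoutesWithClustersWithExactAndRegularExpressionRules passes a non-constant format string to `Infof`, so a route regex containing `%` is misinterpreted and `go vet` flags it; if the output is wanted at all, `t.Logf("route regex: %s", route.GetMatch().GetSafeRegex().Regex)` keeps it in the test output instead of the operator logger. The change from 3 to 5 routes and the shifted indices `routes[2]`/`routes[3]` appear to come from the new global CORS default being enabled (the extra routes are presumably the OPTIONS matches), which couples this test to default_config.go. Asserting on the matched method or path of each route, or setting the CORS config explicitly inside the test, would make the expectation self-explanatory and keep the test stable if the default changes.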
@@ -19,6 +19,7 @@ package model
 import (
 "github.com/google/uuid"
+ "github.com/wso2/apk/adapter/config"
 "github.com/wso2/apk/adapter/internal/oasparser/constants"
 "github.com/wso2/apk/adapter/internal/operator/utils"
 dpv1alpha1 "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1"
@@ -68,23 +69,31 @@ func parseBackendJWTTokenToInternal(backendJWTToken dpv1alpha1.BackendJWTSpec) * } func getCorsConfigFromAPIPolicy(apiPolicy *dpv1alpha2.APIPolicy) *CorsConfig { - var corsConfig *CorsConfig + globalCorsConfig := config.ReadConfigs().Enforcer.Cors + + var corsConfig = CorsConfig{ + Enabled: globalCorsConfig.Enabled, + AccessControlAllowCredentials: globalCorsConfig.AccessControlAllowCredentials, + AccessControlAllowHeaders: globalCorsConfig.AccessControlAllowHeaders, + AccessControlAllowMethods: globalCorsConfig.AccessControlAllowMethods, + AccessControlAllowOrigins: globalCorsConfig.AccessControlAllowOrigins, + AccessControlExposeHeaders: globalCorsConfig.AccessControlExposeHeaders, + AccessControlMaxAge: globalCorsConfig.AccessControlMaxAge, + } if apiPolicy != nil && apiPolicy.Spec.Override != nil { if apiPolicy.Spec.Override.CORSPolicy != nil { - corsConfig = &CorsConfig{ - Enabled: true, - AccessControlAllowCredentials: apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowCredentials, - AccessControlAllowHeaders: apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowHeaders, - AccessControlAllowMethods: apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowMethods, - AccessControlAllowOrigins: apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowOrigins, - AccessControlExposeHeaders: apiPolicy.Spec.Override.CORSPolicy.AccessControlExposeHeaders, - } + corsConfig.Enabled = apiPolicy.Spec.Override.CORSPolicy.Enabled + corsConfig.AccessControlAllowCredentials = apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowCredentials + corsConfig.AccessControlAllowHeaders = apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowHeaders + corsConfig.AccessControlAllowMethods = apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowMethods + corsConfig.AccessControlAllowOrigins = apiPolicy.Spec.Override.CORSPolicy.AccessControlAllowOrigins + corsConfig.AccessControlExposeHeaders = apiPolicy.Spec.Override.CORSPolicy.AccessControlExposeHeaders if 
apiPolicy.Spec.Override.CORSPolicy.AccessControlMaxAge != nil { corsConfig.AccessControlMaxAge = apiPolicy.Spec.Override.CORSPolicy.AccessControlMaxAge } } } - return corsConfig + return &corsConfig } func parseRateLimitPolicyToInternal(ratelimitPolicy *dpv1alpha1.RateLimitPolicy) *RateLimitPolicy { diff --git a/adapter/internal/operator/controllers/dp/api_controller.go b/adapter/internal/operator/controllers/dp/api_controller.go index ad6eeb0fd..0c13b4570 100644 --- a/adapter/internal/operator/controllers/dp/api_controller.go +++ b/adapter/internal/operator/controllers/dp/api_controller.go @@ -1070,8 +1070,8 @@ func (apiReconciler *APIReconciler) retriveParentAPIsAndUpdateOwnerReferene(ctx } requests = apiReconciler.getAPIsForInterceptorService(ctx, &interceptorService) apiReconciler.handleOwnerReference(ctx, &interceptorService, &requests) - case *dpv1alpha1.APIPolicy: - var apiPolicy dpv1alpha1.APIPolicy + case *dpv1alpha2.APIPolicy: + var apiPolicy dpv1alpha2.APIPolicy namesapcedName := types.NamespacedName{ Name: string(obj.GetName()), Namespace: string(obj.GetNamespace()), diff --git a/common-go-libs/PROJECT b/common-go-libs/PROJECT index 51763f3fd..89fbcd315 100644 --- a/common-go-libs/PROJECT +++ b/common-go-libs/PROJECT @@ -1,7 +1,3 @@ -# Code generated by tool. DO NOT EDIT. -# This file is used to track the info used to scaffold your project -# and allow the plugins properly work. -# More info: https://book.kubebuilder.io/reference/project-config.html domain: wso2.com layout: - go.kubebuilder.io/v3 @@ -46,6 +42,7 @@ resources: path: github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1 version: v1alpha1 webhooks: + conversion: true defaulting: true validation: true webhookVersion: v1 @@ -130,6 +127,10 @@ resources: kind: APIPolicy path: github.com/wso2/apk/common-go-libs/apis/dp/v1alpha2 version: v1alpha2 + webhooks: + conversion: true + defaulting: true + webhookVersion: v1 - api: crdVersion: v1 namespaced: true 
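Review bot: getCorsConfigFromAPIPolicy now copies `AccessControlAllowCredentials` and `AccessControlAllowOrigins` from the override without checking them against each other, so a policy can turn credentials on while the origin list (inherited from the global default or its own) still contains "*"; browsers reject that pairing, and a downstream filter that reflects the request origin for "*" would turn it into credentialed cross-site access. A guard before `return &corsConfig` that either rejects the combination or logs and drops the wildcard closes that, e.g. `if corsConfig.AccessControlAllowCredentials { /* reject, or remove "*" from AccessControlAllowOrigins with a warning */ }`. Because the function now always returns a non-nil config seeded from the global defaults, every caller that used `!= nil` to mean "this API has CORS configured" changes meaning — routes_with_clusters.go is adapted in this patch, but other callers of GetCorsConfig are outside the diff and worth checking. `corsConfig.Enabled` is also taken verbatim from the override, so unless the v1alpha2 CRD defaults `enabled` to true, an override that only lists origins silently disables CORS for that API; confirm against the CRD change in this patch. The function still ignores `Spec.Default.CORSPolicy` and has no doc comment; suggest `// getCorsConfigFromAPIPolicy returns the enforcer's global CORS defaults with every field replaced by the APIPolicy's Override.CORSPolicy when one is set; Spec.Default is not consulted.`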
diff --git a/common-go-libs/apis/dp/v1alpha1/apipolicy_conversion.go b/common-go-libs/apis/dp/v1alpha1/apipolicy_conversion.go
new file mode 100644
index 000000000..7089ceb3d
--- /dev/null
+++ b/common-go-libs/apis/dp/v1alpha1/apipolicy_conversion.go
@@ -0,0 +1,184 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package v1alpha1 + +import ( + "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha2" + "sigs.k8s.io/controller-runtime/pkg/conversion" + gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +// ConvertTo converts this API CR to the Hub version (v1alpha2). +// src is v1alpha1.API and dst is v1alpha2.API. +func (src *APIPolicy) ConvertTo(dstRaw conversion.Hub) error { + + dst := dstRaw.(*v1alpha2.APIPolicy) + dst.ObjectMeta = src.ObjectMeta + if src.Spec.Default != nil { + var convertedSpec = v1alpha2.PolicySpec{} + if src.Spec.Default.BackendJWTPolicy != nil { + convertedSpec.BackendJWTPolicy = &v1alpha2.BackendJWTToken{ + Name: src.Spec.Default.BackendJWTPolicy.Name} + } + if src.Spec.Default.CORSPolicy != nil { + convertedSpec.CORSPolicy = &v1alpha2.CORSPolicy{ + Enabled: true, + AccessControlAllowCredentials: src.Spec.Default.CORSPolicy.AccessControlAllowCredentials, + AccessControlAllowHeaders: src.Spec.Default.CORSPolicy.AccessControlAllowHeaders, + AccessControlAllowMethods: src.Spec.Default.CORSPolicy.AccessControlAllowMethods, + AccessControlAllowOrigins: src.Spec.Default.CORSPolicy.AccessControlAllowOrigins, + AccessControlExposeHeaders: src.Spec.Default.CORSPolicy.AccessControlExposeHeaders, + AccessControlMaxAge: src.Spec.Default.CORSPolicy.AccessControlMaxAge} + } + if 
src.Spec.Default.RequestInterceptors != nil { + convertedSpec.RequestInterceptors = []v1alpha2.InterceptorReference{} + for _, interceptor := range src.Spec.Default.RequestInterceptors { + convertedSpec.RequestInterceptors = append(convertedSpec.RequestInterceptors, v1alpha2.InterceptorReference{ + Name: interceptor.Name}) + } + } + if src.Spec.Default.ResponseInterceptors != nil { + convertedSpec.ResponseInterceptors = []v1alpha2.InterceptorReference{} + for _, interceptor := range src.Spec.Default.ResponseInterceptors { + convertedSpec.ResponseInterceptors = append(convertedSpec.ResponseInterceptors, v1alpha2.InterceptorReference{ + Name: interceptor.Name}) + } + } + convertedSpec.SubscriptionValidation = false + dst.Spec.Default = &convertedSpec + } + + if src.Spec.Override != nil { + var convertedSpec = v1alpha2.PolicySpec{} + if src.Spec.Override.BackendJWTPolicy != nil { + convertedSpec.BackendJWTPolicy = &v1alpha2.BackendJWTToken{ + Name: src.Spec.Override.BackendJWTPolicy.Name} + } + if src.Spec.Override.CORSPolicy != nil { + convertedSpec.CORSPolicy = &v1alpha2.CORSPolicy{ + Enabled: true, + AccessControlAllowCredentials: src.Spec.Override.CORSPolicy.AccessControlAllowCredentials, + AccessControlAllowHeaders: src.Spec.Override.CORSPolicy.AccessControlAllowHeaders, + AccessControlAllowMethods: src.Spec.Override.CORSPolicy.AccessControlAllowMethods, + AccessControlAllowOrigins: src.Spec.Override.CORSPolicy.AccessControlAllowOrigins, + AccessControlExposeHeaders: src.Spec.Override.CORSPolicy.AccessControlExposeHeaders, + AccessControlMaxAge: src.Spec.Override.CORSPolicy.AccessControlMaxAge} + } + if src.Spec.Override.RequestInterceptors != nil { + convertedSpec.RequestInterceptors = []v1alpha2.InterceptorReference{} + for _, interceptor := range src.Spec.Override.RequestInterceptors { + convertedSpec.RequestInterceptors = append(convertedSpec.RequestInterceptors, v1alpha2.InterceptorReference{ + Name: interceptor.Name}) + } + } + if 
src.Spec.Override.ResponseInterceptors != nil { + convertedSpec.ResponseInterceptors = []v1alpha2.InterceptorReference{} + for _, interceptor := range src.Spec.Override.ResponseInterceptors { + convertedSpec.ResponseInterceptors = append(convertedSpec.ResponseInterceptors, v1alpha2.InterceptorReference{ + Name: interceptor.Name}) + } + } + convertedSpec.SubscriptionValidation = false + dst.Spec.Override = &convertedSpec + } + if src.Spec.TargetRef.Name != "" { + dst.Spec.TargetRef = gwapiv1b1.PolicyTargetReference{ + Name: src.Spec.TargetRef.Name, + Group: src.Spec.TargetRef.Group, + Kind: src.Spec.TargetRef.Kind} + } + return nil +} + +// ConvertFrom converts from the Hub version (v1alpha2) to this version. +// src is v1alpha1.API and dst is v1alpha2.API. +func (src *APIPolicy) ConvertFrom(srcRaw conversion.Hub) error { + + dst := srcRaw.(*v1alpha2.APIPolicy) + src.ObjectMeta = dst.ObjectMeta + // Spec + if dst.Spec.Default != nil { + var convertedSpec = PolicySpec{} + if dst.Spec.Default.BackendJWTPolicy != nil { + convertedSpec.BackendJWTPolicy = &BackendJWTToken{ + Name: dst.Spec.Default.BackendJWTPolicy.Name} + } + if dst.Spec.Default.CORSPolicy != nil { + convertedSpec.CORSPolicy = &CORSPolicy{ + AccessControlAllowCredentials: dst.Spec.Default.CORSPolicy.AccessControlAllowCredentials, + AccessControlAllowHeaders: dst.Spec.Default.CORSPolicy.AccessControlAllowHeaders, + AccessControlAllowMethods: dst.Spec.Default.CORSPolicy.AccessControlAllowMethods, + AccessControlAllowOrigins: dst.Spec.Default.CORSPolicy.AccessControlAllowOrigins, + AccessControlExposeHeaders: dst.Spec.Default.CORSPolicy.AccessControlExposeHeaders, + AccessControlMaxAge: dst.Spec.Default.CORSPolicy.AccessControlMaxAge} + } + if dst.Spec.Default.RequestInterceptors != nil { + convertedSpec.RequestInterceptors = []InterceptorReference{} + for _, interceptor := range dst.Spec.Default.RequestInterceptors { + convertedSpec.RequestInterceptors = append(convertedSpec.RequestInterceptors, 
InterceptorReference{ + Name: interceptor.Name}) + } + } + if dst.Spec.Default.ResponseInterceptors != nil { + convertedSpec.ResponseInterceptors = []InterceptorReference{} + for _, interceptor := range dst.Spec.Default.ResponseInterceptors { + convertedSpec.ResponseInterceptors = append(convertedSpec.ResponseInterceptors, InterceptorReference{ + Name: interceptor.Name}) + } + } + src.Spec.Default = &convertedSpec + } + if dst.Spec.Override != nil { + var convertedSpec = PolicySpec{} + if dst.Spec.Override.BackendJWTPolicy != nil { + convertedSpec.BackendJWTPolicy = &BackendJWTToken{ + Name: dst.Spec.Override.BackendJWTPolicy.Name} + } + if dst.Spec.Override.CORSPolicy != nil { + convertedSpec.CORSPolicy = &CORSPolicy{ + AccessControlAllowCredentials: dst.Spec.Override.CORSPolicy.AccessControlAllowCredentials, + AccessControlAllowHeaders: dst.Spec.Override.CORSPolicy.AccessControlAllowHeaders, + AccessControlAllowMethods: dst.Spec.Override.CORSPolicy.AccessControlAllowMethods, + AccessControlAllowOrigins: dst.Spec.Override.CORSPolicy.AccessControlAllowOrigins, + AccessControlExposeHeaders: dst.Spec.Override.CORSPolicy.AccessControlExposeHeaders, + AccessControlMaxAge: dst.Spec.Override.CORSPolicy.AccessControlMaxAge} + } + if dst.Spec.Override.RequestInterceptors != nil { + convertedSpec.RequestInterceptors = []InterceptorReference{} + for _, interceptor := range dst.Spec.Override.RequestInterceptors { + convertedSpec.RequestInterceptors = append(convertedSpec.RequestInterceptors, InterceptorReference{ + Name: interceptor.Name}) + } + } + if dst.Spec.Override.ResponseInterceptors != nil { + convertedSpec.ResponseInterceptors = []InterceptorReference{} + for _, interceptor := range dst.Spec.Override.ResponseInterceptors { + convertedSpec.ResponseInterceptors = append(convertedSpec.ResponseInterceptors, InterceptorReference{ + Name: interceptor.Name}) + } + } + src.Spec.Override = &convertedSpec + } + if dst.Spec.TargetRef.Name != "" { + src.Spec.TargetRef = 
gwapiv1b1.PolicyTargetReference{ + Name: dst.Spec.TargetRef.Name, + Group: dst.Spec.TargetRef.Group, + Kind: dst.Spec.TargetRef.Kind} + } + return nil +} diff --git a/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go b/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go index e9f28d11d..6843cc7e7 100644 --- a/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go +++ b/common-go-libs/apis/dp/v1alpha1/authentication_conversion.go 
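Review bot: The conversion is lossy for the new CORS `Enabled` flag: ConvertFrom drops it (v1alpha1 CORSPolicy has no such field) and ConvertTo hard-codes `Enabled: true`, so a v1alpha2 policy stored with `enabled: false` that is read and written back through the v1alpha1 API comes back enabled. Conversion webhooks are expected to round-trip; the usual fix is to preserve v1alpha2-only fields in an annotation on the v1alpha1 object in ConvertFrom and restore them in ConvertTo, and the same applies to `SubscriptionValidation`, which is forced to false on every ConvertTo. Both doc comments are copied from the API conversion (`src is v1alpha1.API and dst is v1alpha2.API`) and should name APIPolicy, the local `dst` in ConvertFrom is actually the source, and the import alias `gwapiv1b1` for `sigs.k8s.io/gateway-api/apis/v1alpha2` misstates the package version. TargetRef is copied field by field (Name, Group, Kind); if the gateway-api version in use has the optional Namespace on PolicyTargetReference, it is silently dropped here in both directions.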
@@ -31,65 +31,72 @@ func (src *Authentication) ConvertTo(dstRaw conversion.Hub) error { // Spec dst.Spec.TargetRef = src.Spec.TargetRef - - dst.Spec.Default.Disabled = src.Spec.Default.Disabled - dst.Spec.Override.Disabled = src.Spec.Override.Disabled - - // Convert Oauth2Auth default to v1alpha2.Oauth2Auth : Required field added as mandatory for OAuth2 - dst.Spec.Default.AuthTypes.Oauth2 = v1alpha2.Oauth2Auth{ - Required: "mandatory", - Disabled: src.Spec.Default.AuthTypes.Oauth2.Disabled, - Header: src.Spec.Default.AuthTypes.Oauth2.Header, - SendTokenToUpstream: src.Spec.Default.AuthTypes.Oauth2.SendTokenToUpstream, - } - - // Convert Oauth2Auth override to v1alpha2.Oauth2Auth : Required field added as mandatory for OAuth2 - dst.Spec.Override.AuthTypes.Oauth2 = v1alpha2.Oauth2Auth{ - Required: "mandatory", - Disabled: src.Spec.Default.AuthTypes.Oauth2.Disabled, - Header: src.Spec.Default.AuthTypes.Oauth2.Header, - SendTokenToUpstream: src.Spec.Default.AuthTypes.Oauth2.SendTokenToUpstream, - } - - // Convert Oauth2Auth Default to v1alpha2.APIKey : Required field added as optional for APIKey - for _, apiKeyAuth := range src.Spec.Default.AuthTypes.APIKey { - convertedAPIKeyAuth := v1alpha2.APIKeyAuth{ - In: apiKeyAuth.In, - Name: apiKeyAuth.Name, - SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, - } - dst.Spec.Default.AuthTypes.APIKey = append(dst.Spec.Default.AuthTypes.APIKey, convertedAPIKeyAuth) - } - - // Convert Oauth2Auth Override to v1alpha2.APIKey : Required field added as optional for APIKey - for _, apiKeyAuth := range src.Spec.Override.AuthTypes.APIKey { - convertedAPIKeyAuth := v1alpha2.APIKeyAuth{ - In: apiKeyAuth.In, - Name: apiKeyAuth.Name, - SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, - } - dst.Spec.Override.AuthTypes.APIKey = append(dst.Spec.Override.AuthTypes.APIKey, convertedAPIKeyAuth) - } - - // Convert testConsoleKey Override to v1alpha2.JWT - if src.Spec.Override.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { - 
dst.Spec.Override.AuthTypes.JWT = v1alpha2.JWT{ - Header: src.Spec.Override.AuthTypes.TestConsoleKey.Header, - SendTokenToUpstream: src.Spec.Override.AuthTypes.TestConsoleKey.SendTokenToUpstream, + if src.Spec.Default != nil { + defaultAuthv1Spec := src.Spec.Default + defaultAuthenticationSpec := v1alpha2.AuthSpec{} + defaultAuthenticationSpec.Disabled = defaultAuthv1Spec.Disabled + if defaultAuthv1Spec.AuthTypes != nil { + v1alpha2authTypes := v1alpha2.APIAuth{} + v1alpha2authTypes.Oauth2 = v1alpha2.Oauth2Auth{ + Required: "mandatory", + Disabled: defaultAuthv1Spec.AuthTypes.Oauth2.Disabled, + Header: defaultAuthv1Spec.AuthTypes.Oauth2.Header, + SendTokenToUpstream: defaultAuthv1Spec.AuthTypes.Oauth2.SendTokenToUpstream, + } + // Convert Oauth2Auth Default to v1alpha2.APIKey : Required field added as optional for APIKey + for _, apiKeyAuth := range defaultAuthv1Spec.AuthTypes.APIKey { + convertedAPIKeyAuth := v1alpha2.APIKeyAuth{ + In: apiKeyAuth.In, + Name: apiKeyAuth.Name, + SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, + } + v1alpha2authTypes.APIKey = append(v1alpha2authTypes.APIKey, convertedAPIKeyAuth) + } + if defaultAuthv1Spec.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { + v1alpha2authTypes.JWT = v1alpha2.JWT{ + Header: defaultAuthv1Spec.AuthTypes.TestConsoleKey.Header, + SendTokenToUpstream: defaultAuthv1Spec.AuthTypes.TestConsoleKey.SendTokenToUpstream, + } + } + defaultAuthenticationSpec.AuthTypes = &v1alpha2authTypes } + dst.Spec.Default = &defaultAuthenticationSpec } - // Convert testConsoleKey Default to v1alpha2.JWT - if src.Spec.Default.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { - dst.Spec.Default.AuthTypes.JWT = v1alpha2.JWT{ - Header: src.Spec.Default.AuthTypes.TestConsoleKey.Header, - SendTokenToUpstream: src.Spec.Default.AuthTypes.TestConsoleKey.SendTokenToUpstream, + if src.Spec.Override != nil { + overrideAuthv1Spec := src.Spec.Override + overrideAuthenticationSpec := v1alpha2.AuthSpec{} + 
overrideAuthenticationSpec.Disabled = overrideAuthv1Spec.Disabled + if overrideAuthv1Spec.AuthTypes != nil { + v1alpha2authTypes := v1alpha2.APIAuth{} + v1alpha2authTypes.Oauth2 = v1alpha2.Oauth2Auth{ + Required: "mandatory", + Disabled: overrideAuthv1Spec.AuthTypes.Oauth2.Disabled, + Header: overrideAuthv1Spec.AuthTypes.Oauth2.Header, + SendTokenToUpstream: overrideAuthv1Spec.AuthTypes.Oauth2.SendTokenToUpstream, + } + // Convert Oauth2Auth Default to v1alpha2.APIKey : Required field added as optional for APIKey + for _, apiKeyAuth := range overrideAuthv1Spec.AuthTypes.APIKey { + convertedAPIKeyAuth := v1alpha2.APIKeyAuth{ + In: apiKeyAuth.In, + Name: apiKeyAuth.Name, + SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, + } + v1alpha2authTypes.APIKey = append(v1alpha2authTypes.APIKey, convertedAPIKeyAuth) + } + if overrideAuthv1Spec.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) { + v1alpha2authTypes.JWT = v1alpha2.JWT{ + Header: overrideAuthv1Spec.AuthTypes.TestConsoleKey.Header, + SendTokenToUpstream: overrideAuthv1Spec.AuthTypes.TestConsoleKey.SendTokenToUpstream, + } + } + overrideAuthenticationSpec.AuthTypes = &v1alpha2authTypes } + dst.Spec.Override = &overrideAuthenticationSpec } // Status dst.Status = v1alpha2.AuthenticationStatus(src.Status) - return nil } 
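Review bot: The Default and Override branches of ConvertTo are the same twenty lines twice, differing only in the variable prefix, and the copied comment `// Convert Oauth2Auth Default to v1alpha2.APIKey` now sits in the Override branch (and again in both ConvertFrom branches in the next hunk) where it is wrong on both counts. Pulling the body into a helper that converts one `*AuthSpec` makes the Default/Override symmetry visible and leaves one place to fix; ConvertFrom would take the mirror-image helper. ConvertTo's signature is outside the hunk, and the rewrite below keeps its behaviour, including `Required: "mandatory"` for every converted OAuth2 block.
```go
	// … unchanged: TargetRef copy …
	if src.Spec.Default != nil {
		dst.Spec.Default = toV1alpha2AuthSpec(src.Spec.Default)
	}
	if src.Spec.Override != nil {
		dst.Spec.Override = toV1alpha2AuthSpec(src.Spec.Override)
	}
	// … unchanged: Status copy and return …
}

// toV1alpha2AuthSpec converts one v1alpha1 AuthSpec (Default or Override) to
// its v1alpha2 form. Required is new in v1alpha2 and is set to "mandatory"
// as the previous conversion did; a non-zero TestConsoleKey maps onto JWT.
func toV1alpha2AuthSpec(in *AuthSpec) *v1alpha2.AuthSpec {
	out := &v1alpha2.AuthSpec{Disabled: in.Disabled}
	if in.AuthTypes == nil {
		return out
	}
	authTypes := v1alpha2.APIAuth{
		Oauth2: v1alpha2.Oauth2Auth{
			Required:            "mandatory",
			Disabled:            in.AuthTypes.Oauth2.Disabled,
			Header:              in.AuthTypes.Oauth2.Header,
			SendTokenToUpstream: in.AuthTypes.Oauth2.SendTokenToUpstream,
		},
	}
	for _, apiKeyAuth := range in.AuthTypes.APIKey {
		authTypes.APIKey = append(authTypes.APIKey, v1alpha2.APIKeyAuth{
			In:                  apiKeyAuth.In,
			Name:                apiKeyAuth.Name,
			SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream,
		})
	}
	if in.AuthTypes.TestConsoleKey != (TestConsoleKeyAuth{}) {
		authTypes.JWT = v1alpha2.JWT{
			Header:              in.AuthTypes.TestConsoleKey.Header,
			SendTokenToUpstream: in.AuthTypes.TestConsoleKey.SendTokenToUpstream,
		}
	}
	out.AuthTypes = &authTypes
	return out
}
```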
@@ -102,51 +109,65 @@ func (src *Authentication) ConvertFrom(srcRaw conversion.Hub) error { // Spec src.Spec.TargetRef = dst.Spec.TargetRef - - src.Spec.Default.Disabled = dst.Spec.Default.Disabled - src.Spec.Override.Disabled = dst.Spec.Override.Disabled - src.Spec.Default.AuthTypes.Oauth2 = Oauth2Auth{ - Disabled: src.Spec.Default.AuthTypes.Oauth2.Disabled, - Header: src.Spec.Default.AuthTypes.Oauth2.Header, - SendTokenToUpstream: src.Spec.Default.AuthTypes.Oauth2.SendTokenToUpstream, - } - src.Spec.Override.AuthTypes.Oauth2 = Oauth2Auth{ - Disabled: src.Spec.Override.AuthTypes.Oauth2.Disabled, - Header: src.Spec.Override.AuthTypes.Oauth2.Header, - SendTokenToUpstream: src.Spec.Override.AuthTypes.Oauth2.SendTokenToUpstream, - } - - for _, apiKeyAuth := range dst.Spec.Default.AuthTypes.APIKey { - convertedAPIKeyAuth := APIKeyAuth{ - In: apiKeyAuth.In, - Name: apiKeyAuth.Name, - SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, + if dst.Spec.Default != nil { + defaultAuthv2Spec := dst.Spec.Default + defaultAuthenticationSpec := AuthSpec{} + defaultAuthenticationSpec.Disabled = defaultAuthv2Spec.Disabled + if defaultAuthv2Spec.AuthTypes != nil { + v1alpha1authTypes := APIAuth{} + v1alpha1authTypes.Oauth2 = Oauth2Auth{ + Disabled: defaultAuthv2Spec.AuthTypes.Oauth2.Disabled, + Header: defaultAuthv2Spec.AuthTypes.Oauth2.Header, + SendTokenToUpstream: defaultAuthv2Spec.AuthTypes.Oauth2.SendTokenToUpstream, + } + // Convert Oauth2Auth Default to v1alpha2.APIKey : Required field added as optional for APIKey + for _, apiKeyAuth := range defaultAuthv2Spec.AuthTypes.APIKey { + convertedAPIKeyAuth := APIKeyAuth{ + In: apiKeyAuth.In, + Name: apiKeyAuth.Name, + SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, + } + v1alpha1authTypes.APIKey = append(v1alpha1authTypes.APIKey, convertedAPIKeyAuth) + } + v1alpha1authTypes.TestConsoleKey = TestConsoleKeyAuth{ + Header: defaultAuthv2Spec.AuthTypes.JWT.Header, + SendTokenToUpstream: 
defaultAuthv2Spec.AuthTypes.JWT.SendTokenToUpstream, + } + defaultAuthenticationSpec.AuthTypes = &v1alpha1authTypes } - src.Spec.Default.AuthTypes.APIKey = append(src.Spec.Default.AuthTypes.APIKey, convertedAPIKeyAuth) + src.Spec.Default = &defaultAuthenticationSpec } - for _, apiKeyAuth := range dst.Spec.Override.AuthTypes.APIKey { - convertedAPIKeyAuth := APIKeyAuth{ - In: apiKeyAuth.In, - Name: apiKeyAuth.Name, - SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, + if dst.Spec.Override != nil { + overrideAuthv2Spec := dst.Spec.Override + overrideAuthenticationSpec := AuthSpec{} + overrideAuthenticationSpec.Disabled = overrideAuthv2Spec.Disabled + if overrideAuthv2Spec.AuthTypes != nil { + v1alpha1authTypes := APIAuth{} + v1alpha1authTypes.Oauth2 = Oauth2Auth{ + Disabled: overrideAuthv2Spec.AuthTypes.Oauth2.Disabled, + Header: overrideAuthv2Spec.AuthTypes.Oauth2.Header, + SendTokenToUpstream: overrideAuthv2Spec.AuthTypes.Oauth2.SendTokenToUpstream, + } + // Convert Oauth2Auth Default to v1alpha2.APIKey : Required field added as optional for APIKey + for _, apiKeyAuth := range overrideAuthv2Spec.AuthTypes.APIKey { + convertedAPIKeyAuth := APIKeyAuth{ + In: apiKeyAuth.In, + Name: apiKeyAuth.Name, + SendTokenToUpstream: apiKeyAuth.SendTokenToUpstream, + } + v1alpha1authTypes.APIKey = append(v1alpha1authTypes.APIKey, convertedAPIKeyAuth) + } + v1alpha1authTypes.TestConsoleKey = TestConsoleKeyAuth{ + Header: overrideAuthv2Spec.AuthTypes.JWT.Header, + SendTokenToUpstream: overrideAuthv2Spec.AuthTypes.JWT.SendTokenToUpstream, + } + overrideAuthenticationSpec.AuthTypes = &v1alpha1authTypes } - src.Spec.Override.AuthTypes.APIKey = append(src.Spec.Override.AuthTypes.APIKey, convertedAPIKeyAuth) + src.Spec.Override = &overrideAuthenticationSpec } - - // Convert testConsoleKey Override to v1alpha1.TestConsoleKey - src.Spec.Override.AuthTypes.TestConsoleKey = TestConsoleKeyAuth{ - Header: dst.Spec.Override.AuthTypes.JWT.Header, - SendTokenToUpstream: 
dst.Spec.Override.AuthTypes.JWT.SendTokenToUpstream, - } - - // Convert testConsoleKey Default to v1alpha1.TestConsoleKey - src.Spec.Default.AuthTypes.TestConsoleKey = TestConsoleKeyAuth{ - Header: dst.Spec.Default.AuthTypes.JWT.Header, - SendTokenToUpstream: dst.Spec.Default.AuthTypes.JWT.SendTokenToUpstream, - } - // Status src.Status = AuthenticationStatus(dst.Status) + return nil } diff --git a/common-go-libs/apis/dp/v1alpha1/authentication_webhook.go b/common-go-libs/apis/dp/v1alpha1/authentication_webhook.go index 0eefa868f..06a34e7c5 100644 --- a/common-go-libs/apis/dp/v1alpha1/authentication_webhook.go +++ b/common-go-libs/apis/dp/v1alpha1/authentication_webhook.go @@ -18,14 +18,7 @@ package v1alpha1 import ( - constants "github.com/wso2/apk/common-go-libs/constants" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" ) // SetupWebhookWithManager creates a new webhook builder for Authentication 
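Review bot: ConvertFrom has nowhere to put the v1alpha2 `Required` value of Oauth2 (v1alpha1 Oauth2Auth has no such field), and ConvertTo in the previous hunk always writes `Required: "mandatory"`, so an Authentication stored with a non-mandatory OAuth2 requirement that is read and written back through the v1alpha1 API silently becomes mandatory. That direction is fail-closed, but it is still a conversion that does not round-trip; if v1alpha1 clients must keep working, stash the value in an annotation in ConvertFrom and restore it in ConvertTo, and record the choice in the method's doc comment. Note also that `TestConsoleKey` is populated from `JWT` unconditionally, so an absent JWT becomes an empty TestConsoleKeyAuth, whereas ConvertTo only maps a non-zero TestConsoleKey; harmless as far as this hunk shows, but a one-line comment saying the zero value is intended would help.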
@@ -34,56 +27,3 @@ func (r *Authentication) SetupWebhookWithManager(mgr ctrl.Manager) error { For(r). Complete() } - -// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! - -//+kubebuilder:webhook:path=/mutate-dp-wso2-com-v1alpha1-authentication,mutating=true,failurePolicy=fail,sideEffects=None,groups=dp.wso2.com,resources=authentications,verbs=create;update,versions=v1alpha1,name=mauthentication.kb.io,admissionReviewVersions=v1 - -var _ webhook.Defaulter = &Authentication{} - -// Default implements webhook.Defaulter so a webhook will be registered for the type -func (r *Authentication) Default() { - // TODO(user): fill in your defaulting logic. -} - -// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation. -//+kubebuilder:webhook:path=/validate-dp-wso2-com-v1alpha1-authentication,mutating=false,failurePolicy=fail,sideEffects=None,groups=dp.wso2.com,resources=authentications,verbs=create;update,versions=v1alpha1,name=vauthentication.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &Authentication{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (r *Authentication) ValidateCreate() (admission.Warnings, error) { - // TODO(user): fill in your validation logic upon object creation. 
- return nil, r.ValidateAuthentication() -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (r *Authentication) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - return nil, r.ValidateAuthentication() -} - -// ValidateAuthentication validates the Authentication -func (r *Authentication) ValidateAuthentication() error { - var allErrs field.ErrorList - - if r.Spec.TargetRef.Name == "" { - allErrs = append(allErrs, field.Required(field.NewPath("spec").Child("targetRef").Child("name"), "Name is required")) - } - if !(r.Spec.TargetRef.Kind == constants.KindAPI || r.Spec.TargetRef.Kind == constants.KindResource) { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("targetRef").Child("kind"), r.Spec.TargetRef.Kind, - "Invalid Kind is provided")) - } - - if len(allErrs) > 0 { - return apierrors.NewInvalid( - schema.GroupKind{Group: "dp.wso2.com", Kind: "Authentication"}, - r.Name, allErrs) - } - return nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *Authentication) ValidateDelete() (admission.Warnings, error) { - // TODO(user): fill in your validation logic upon object deletion. - return nil, nil -} diff --git a/common-go-libs/apis/dp/v1alpha1/tokenissuer_conversion.go b/common-go-libs/apis/dp/v1alpha1/tokenissuer_conversion.go index 2a4ee261c..ea8a99055 100644 --- a/common-go-libs/apis/dp/v1alpha1/tokenissuer_conversion.go +++ b/common-go-libs/apis/dp/v1alpha1/tokenissuer_conversion.go 
@@ -36,48 +36,63 @@ func (src *TokenIssuer) ConvertTo(dstRaw conversion.Hub) error { dst.Spec.ConsumerKeyClaim = src.Spec.ConsumerKeyClaim dst.Spec.ScopesClaim = src.Spec.ScopesClaim - sig := *src.Spec.SignatureValidation - jwks := *sig.JWKS - certificate := *sig.Certificate - - jwksv2 := v1alpha2.JWKS{ - URL: jwks.URL, - TLS: &v1alpha2.CERTConfig{ - CertificateInline: jwks.TLS.CertificateInline, - SecretRef: &v1alpha2.RefConfig{ - Name: jwks.TLS.SecretRef.Name, - Key: jwks.TLS.SecretRef.Key, - }, - ConfigMapRef: &v1alpha2.RefConfig{ - Name: jwks.TLS.ConfigMapRef.Name, - Key: jwks.TLS.ConfigMapRef.Key, - }, - }, - } - - certv2 := v1alpha2.CERTConfig{ - CertificateInline: certificate.CertificateInline, - SecretRef: &v1alpha2.RefConfig{ - Name: certificate.SecretRef.Name, - Key: certificate.SecretRef.Key, - }, - ConfigMapRef: &v1alpha2.RefConfig{ - Name: certificate.ConfigMapRef.Name, - Key: certificate.ConfigMapRef.Key, - }, + if src.Spec.SignatureValidation != nil { + dstSignatureValidation := v1alpha2.SignatureValidation{} + sig := *src.Spec.SignatureValidation + if sig.JWKS != nil { + jwks := *sig.JWKS + jwksv2 := v1alpha2.JWKS{ + URL: jwks.URL, + } + if jwks.TLS != nil { + tlsConfig := v1alpha2.CERTConfig{} + if jwks.TLS.CertificateInline != nil { + tlsConfig.CertificateInline = jwks.TLS.CertificateInline + } + if jwks.TLS.SecretRef != nil { + tlsConfig.SecretRef = &v1alpha2.RefConfig{ + Name: jwks.TLS.SecretRef.Name, + Key: jwks.TLS.SecretRef.Key, + } + } + if jwks.TLS.ConfigMapRef != nil { + tlsConfig.ConfigMapRef = &v1alpha2.RefConfig{ + Name: jwks.TLS.ConfigMapRef.Name, + Key: jwks.TLS.ConfigMapRef.Key, + } + } + } + dstSignatureValidation.JWKS = &jwksv2 + } + if sig.Certificate != nil { + certificate := *sig.Certificate + certv2 := v1alpha2.CERTConfig{ + CertificateInline: certificate.CertificateInline, + } + if certificate.SecretRef != nil { + certv2.SecretRef = &v1alpha2.RefConfig{ + Name: certificate.SecretRef.Name, + Key: certificate.SecretRef.Key, + } 
+ } + if certificate.ConfigMapRef != nil { + certv2.ConfigMapRef = &v1alpha2.RefConfig{ + Name: certificate.ConfigMapRef.Name, + Key: certificate.ConfigMapRef.Key, + } + } + dstSignatureValidation.Certificate = &certv2 + } + dst.Spec.SignatureValidation = &dstSignatureValidation } + if src.Spec.ClaimMappings != nil { - dst.Spec.SignatureValidation = &v1alpha2.SignatureValidation{ - JWKS: &jwksv2, - Certificate: &certv2, + var claimMappings []v1alpha2.ClaimMapping + for _, p := range *src.Spec.ClaimMappings { + claimMappings = append(claimMappings, v1alpha2.ClaimMapping(p)) + } + dst.Spec.ClaimMappings = &claimMappings } - - var claimMappings []v1alpha2.ClaimMapping - for _, p := range *src.Spec.ClaimMappings { - claimMappings = append(claimMappings, v1alpha2.ClaimMapping(p)) - } - dst.Spec.ClaimMappings = &claimMappings - dst.Spec.TargetRef = src.Spec.TargetRef return nil } 
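Review bot: In the new `if jwks.TLS != nil` branch of ConvertTo, `tlsConfig` is filled from `jwks.TLS` but never attached to `jwksv2`, so the JWKS TLS settings (inline CA, secretRef, configMapRef) are silently dropped when a v1alpha1 TokenIssuer is converted to v1alpha2 — the removed lines show the old code did carry them across. Those fields tell the gateway which CA to trust when it fetches signing keys, so losing them either breaks the JWKS fetch or leaves it on whatever default trust the consumer applies to a nil TLS, which I cannot tell from here. Add `jwksv2.TLS = &tlsConfig` as the last statement of that branch. The same omission appears in the ConvertFrom hunk of this file further down.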
@@ -96,49 +111,63 @@ func (src *TokenIssuer) ConvertFrom(srcRaw conversion.Hub) error { src.Spec.ConsumerKeyClaim = dst.Spec.ConsumerKeyClaim src.Spec.ScopesClaim = dst.Spec.ScopesClaim - sig := *dst.Spec.SignatureValidation - jwks := *sig.JWKS - certificate := *sig.Certificate - - jwksv1 := JWKS{ - URL: jwks.URL, - TLS: &CERTConfig{ - CertificateInline: jwks.TLS.CertificateInline, - SecretRef: &RefConfig{ - Name: jwks.TLS.SecretRef.Name, - Key: jwks.TLS.SecretRef.Key, - }, - ConfigMapRef: &RefConfig{ - Name: jwks.TLS.ConfigMapRef.Name, - Key: jwks.TLS.ConfigMapRef.Key, - }, - }, + if dst.Spec.SignatureValidation != nil { + dstSignatureValidation := SignatureValidation{} + sig := *dst.Spec.SignatureValidation + if sig.JWKS != nil { + jwks := *sig.JWKS + jwksv1 := JWKS{ + URL: jwks.URL, + } + if jwks.TLS != nil { + tlsConfig := CERTConfig{} + if jwks.TLS.CertificateInline != nil { + tlsConfig.CertificateInline = jwks.TLS.CertificateInline + } + if jwks.TLS.SecretRef != nil { + tlsConfig.SecretRef = &RefConfig{ + Name: jwks.TLS.SecretRef.Name, + Key: jwks.TLS.SecretRef.Key, + } + } + if jwks.TLS.ConfigMapRef != nil { + tlsConfig.ConfigMapRef = &RefConfig{ + Name: jwks.TLS.ConfigMapRef.Name, + Key: jwks.TLS.ConfigMapRef.Key, + } + } + } + dstSignatureValidation.JWKS = &jwksv1 + } + if sig.Certificate != nil { + certificate := *sig.Certificate + certv1 := CERTConfig{ + CertificateInline: certificate.CertificateInline, + } + if certificate.SecretRef != nil { + certv1.SecretRef = &RefConfig{ + Name: certificate.SecretRef.Name, + Key: certificate.SecretRef.Key, + } + } + if certificate.ConfigMapRef != nil { + certv1.ConfigMapRef = &RefConfig{ + Name: certificate.ConfigMapRef.Name, + Key: certificate.ConfigMapRef.Key, + } + } + dstSignatureValidation.Certificate = &certv1 + } + src.Spec.SignatureValidation = &dstSignatureValidation } + if dst.Spec.ClaimMappings != nil { - certv1 := CERTConfig{ - CertificateInline: certificate.CertificateInline, - SecretRef: &RefConfig{ - 
Name: certificate.SecretRef.Name, - Key: certificate.SecretRef.Key, - }, - ConfigMapRef: &RefConfig{ - Name: certificate.ConfigMapRef.Name, - Key: certificate.ConfigMapRef.Key, - }, + var claimMappings []ClaimMapping + for _, p := range *dst.Spec.ClaimMappings { + claimMappings = append(claimMappings, ClaimMapping(p)) + } + src.Spec.ClaimMappings = &claimMappings } - - src.Spec.SignatureValidation = &SignatureValidation{ - JWKS: &jwksv1, - Certificate: &certv1, - } - - var claimMappings []ClaimMapping - for _, p := range *dst.Spec.ClaimMappings { - claimMappings = append(claimMappings, ClaimMapping(p)) - } - src.Spec.ClaimMappings = &claimMappings - src.Spec.TargetRef = dst.Spec.TargetRef - return nil } diff --git a/common-go-libs/apis/dp/v1alpha2/apipolicy_conversion.go b/common-go-libs/apis/dp/v1alpha2/apipolicy_conversion.go new file mode 100644 index 000000000..57c90b375 --- /dev/null +++ b/common-go-libs/apis/dp/v1alpha2/apipolicy_conversion.go @@ -0,0 +1,23 @@ +/* + * Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package v1alpha2 + +// Hub marks this type as a conversion hub. +func (*APIPolicy) Hub() {} + +// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! 
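Review bot: The `if jwks.TLS != nil` branch of the new ConvertFrom builds `tlsConfig` and then discards it; `jwksv1.TLS` is never set, so the v1alpha2 → v1alpha1 path loses the JWKS TLS configuration that the removed lines previously copied. Add `jwksv1.TLS = &tlsConfig` at the end of that branch. As a smaller point, the local named `dstSignatureValidation` is the v1alpha1 value being written into `src` here, so `srcSignatureValidation` (or just `sigv1`) would read less confusingly.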
diff --git a/helm-charts/crds/dp.wso2.com_apipolicies.yaml b/helm-charts/templates/crds/dp.wso2.com_apipolicies.yaml similarity index 97% rename from helm-charts/crds/dp.wso2.com_apipolicies.yaml rename to helm-charts/templates/crds/dp.wso2.com_apipolicies.yaml index 5465823df..df7a7090d 100644 --- a/helm-charts/crds/dp.wso2.com_apipolicies.yaml +++ b/helm-charts/templates/crds/dp.wso2.com_apipolicies.yaml @@ -4,8 +4,21 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "apk-helm.resource.prefix" . }}-common-controller-server-cert name: apipolicies.dp.wso2.com spec: + {{- if .Values.wso2.apk.webhooks.conversionwebhookconfigurations }} + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ template "apk-helm.resource.prefix" . }}-common-controller-service + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1 + {{- end }} group: dp.wso2.com names: kind: APIPolicy diff --git a/helm-charts/crds/dp.wso2.com_authentications.yaml b/helm-charts/templates/crds/dp.wso2.com_authentications.yaml similarity index 98% rename from helm-charts/crds/dp.wso2.com_authentications.yaml rename to helm-charts/templates/crds/dp.wso2.com_authentications.yaml index 784a583d6..3fe87f259 100644 --- a/helm-charts/crds/dp.wso2.com_authentications.yaml +++ b/helm-charts/templates/crds/dp.wso2.com_authentications.yaml 
@@ -4,8 +4,21 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "apk-helm.resource.prefix" . }}-common-controller-server-cert name: authentications.dp.wso2.com spec: + {{- if .Values.wso2.apk.webhooks.conversionwebhookconfigurations }} + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ template "apk-helm.resource.prefix" . }}-common-controller-service + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1 + {{- end }} group: dp.wso2.com names: kind: Authentication diff --git a/helm-charts/crds/dp.wso2.com_tokenissuers.yaml b/helm-charts/templates/crds/dp.wso2.com_tokenissuers.yaml similarity index 97% rename from helm-charts/crds/dp.wso2.com_tokenissuers.yaml rename to helm-charts/templates/crds/dp.wso2.com_tokenissuers.yaml index df170450a..cc235dc29 100644 --- a/helm-charts/crds/dp.wso2.com_tokenissuers.yaml +++ b/helm-charts/templates/crds/dp.wso2.com_tokenissuers.yaml @@ -4,9 +4,22 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.2 + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "apk-helm.resource.prefix" . }}-common-controller-server-cert creationTimestamp: null name: tokenissuers.dp.wso2.com spec: + {{- if .Values.wso2.apk.webhooks.conversionwebhookconfigurations }} + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ template "apk-helm.resource.prefix" . }}-common-controller-service + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1 + {{- end }} group: dp.wso2.com names: kind: TokenIssuer diff --git a/helm-charts/templates/data-plane/config-deployer/config-api-apipolicy.yaml b/helm-charts/templates/data-plane/config-deployer/config-api-apipolicy.yaml index e6c820084..16cef2323 100644 
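Review bot: The conversion webhook on this CRD is gated on `.Values.wso2.apk.webhooks.conversionwebhookconfigurations`, yet the chart's own Authentication resources are switched to `dp.wso2.com/v1alpha2` elsewhere in this patch, and the `cert-manager.io/inject-ca-from` annotation is emitted regardless of the flag. With the flag off the API server falls back to `strategy: None`, which, as far as I understand it, only rewrites `apiVersion` and prunes fields unknown to the requested version, so a v1alpha1 consumer would read a partially empty spec rather than a converted one. I would either default the value to true or document on the values key that v1alpha2 resources require the conversion webhook, e.g. `# conversionwebhookconfigurations: true  # required once any dp.wso2.com/v1alpha2 resource is used`. Moving the annotation inside the same `{{- if }}` would also avoid pointing the CRD at a Certificate that may not exist.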
--- a/helm-charts/templates/data-plane/config-deployer/config-api-apipolicy.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-api-apipolicy.yaml @@ -4,6 +4,8 @@ kind: APIPolicy metadata: name: "{{ template "apk-helm.resource.prefix" . }}-config-api-api-policy" namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: override: backendJwtPolicy: diff --git a/helm-charts/templates/data-plane/config-deployer/config-api-route.yaml b/helm-charts/templates/data-plane/config-deployer/config-api-route.yaml index edbec0149..46bf97433 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-api-route.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-api-route.yaml @@ -21,6 +21,8 @@ metadata: namespace: {{ .Release.Namespace }} labels: managed-by: "apk" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: hostnames: - "{{ .Values.wso2.apk.listener.hostname | default "api.am.wso2.com"}}" diff --git a/helm-charts/templates/data-plane/config-deployer/config-deploy-api-create-scope.yaml b/helm-charts/templates/data-plane/config-deployer/config-deploy-api-create-scope.yaml index 670af7a7d..1dd8b4f8f 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-deploy-api-create-scope.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-deploy-api-create-scope.yaml @@ -22,6 +22,8 @@ metadata: managed-by: "apk" name: {{ template "apk-helm.resource.prefix" . }}-api-create-scope namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: names: - apk:api_create diff --git a/helm-charts/templates/data-plane/config-deployer/config-deployer-api-backendjwt.yaml b/helm-charts/templates/data-plane/config-deployer/config-deployer-api-backendjwt.yaml index 26bc6b5a0..c5d02b812 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-deployer-api-backendjwt.yaml 
+++ b/helm-charts/templates/data-plane/config-deployer/config-deployer-api-backendjwt.yaml @@ -6,6 +6,8 @@ metadata: namespace: {{ .Release.Namespace }} labels: managed-by: "apk" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: header: "X-JWT-Assertion" encoding: "Base64" diff --git a/helm-charts/templates/data-plane/config-deployer/config-deployer-domain-api-backend.yaml b/helm-charts/templates/data-plane/config-deployer/config-deployer-domain-api-backend.yaml index ed346c728..1cd24a450 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-deployer-domain-api-backend.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-deployer-domain-api-backend.yaml @@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-config-deployer-ds-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: basePath: "/api/deployer" services: diff --git a/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml b/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml index 30d074d21..0be2ba732 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml @@ -22,10 +22,12 @@ metadata: namespace: {{ .Release.Namespace }} data: Config.toml: | + {{- if .Values.wso2.apk.dp.configdeployer.debug}} [ballerina.log] - level = "INFO" + level = "DEBUG" [ballerina.http] - traceLogConsole = false + traceLogConsole = true + {{end}} {{if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled}} [ballerina.observe] metricsEnabled = true diff --git a/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml b/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml index cfa9781f7..c78bba486 100644 
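Review bot: Setting `.Values.wso2.apk.dp.configdeployer.debug` now also enables `traceLogConsole = true`, which for the Ballerina HTTP listener, as far as I know, writes request and response headers and bodies to the container log; for the config deployer that would include `Authorization` bearer tokens and the deployed API configurations. The matching values.yaml entry added in this patch is a bare `# debug: true` with no warning. I would annotate it, e.g. `# debug: true  # DEBUG log level plus HTTP trace logging of headers/bodies (includes credentials); never enable in production`, and consider putting trace logging behind a separate key from the log level so verbose logs do not automatically mean credential logs.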
--- a/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml @@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-config-generator-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: basePath: "/api/configurator" services: diff --git a/helm-charts/templates/data-plane/config-deployer/configurator-api-no-authentication-policy.yaml b/helm-charts/templates/data-plane/config-deployer/configurator-api-no-authentication-policy.yaml index b57095414..e124d817a 100644 --- a/helm-charts/templates/data-plane/config-deployer/configurator-api-no-authentication-policy.yaml +++ b/helm-charts/templates/data-plane/config-deployer/configurator-api-no-authentication-policy.yaml @@ -14,13 +14,15 @@ # specific language governing permissions and limitations # under the License. {{- if and .Values.wso2.apk.dp.enabled .Values.wso2.apk.dp.configdeployer.enabled }} -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" kind: "Authentication" metadata: name: "{{ template "apk-helm.resource.prefix" . }}-configurator-api-no-authentication-policy" namespace: {{ .Release.Namespace }} labels: managed-by: "apk" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: override: disabled: true diff --git a/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-deployer-api.yaml b/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-deployer-api.yaml index 3b6f7ca19..63185b014 100644 --- a/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-deployer-api.yaml +++ b/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-deployer-api.yaml 
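Review bot: This Authentication override (`disabled: true`) becomes a Helm hook without a `helm.sh/hook-delete-policy` or `helm.sh/hook-weight`, so Helm no longer tracks it as part of the release: with Helm 3's default `before-hook-creation` policy it is deleted and recreated on every upgrade, and on `helm uninstall` it is left behind, if I read the hook semantics correctly. An auth-disabling policy that outlives the release it was written for is worth avoiding, and its ordering relative to the API and Backend hooks it targets is currently unspecified. I would add an explicit `"helm.sh/hook-weight"` that orders it after those hooks and a comment above the annotation explaining why the resource must be a hook rather than a plain templated object.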
@@ -22,7 +22,7 @@ metadata: labels: managed-by: "apk" annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade spec: apiName: "WSO2 APK Config Deployer API" apiType: "REST" diff --git a/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-generator-api.yaml b/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-generator-api.yaml index 1fa57f7b8..708e3f87f 100644 --- a/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-generator-api.yaml +++ b/helm-charts/templates/data-plane/config-deployer/wso2-apk-config-generator-api.yaml @@ -22,7 +22,7 @@ metadata: labels: managed-by: "apk" annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade spec: apiName: "WSO2 APK Config Generator API" apiType: "REST" diff --git a/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-mutating-webhook-config.yaml b/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-mutating-webhook-config.yaml index 2effd8c34..6cdd00e77 100644 --- a/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-mutating-webhook-config.yaml +++ b/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-mutating-webhook-config.yaml @@ -22,7 +22,7 @@ metadata: namespace : {{ .Release.Namespace }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "apk-helm.resource.prefix" . }}-webhook-server-cert - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "1" webhooks: - admissionReviewVersions: diff --git a/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-validation-webhook-config.yaml b/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-validation-webhook-config.yaml index 249b99d40..e29b5a8a4 100644 
--- a/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-validation-webhook-config.yaml +++ b/helm-charts/templates/data-plane/gateway-components/common-controller/webhook/adapter-validation-webhook-config.yaml @@ -22,7 +22,7 @@ metadata: namespace : {{ .Release.Namespace }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "apk-helm.resource.prefix" . }}-webhook-server-cert - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "1" webhooks: - admissionReviewVersions: diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/default-jwt-issuer.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/default-jwt-issuer.yaml index ac84089f5..04c7d1f4d 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/default-jwt-issuer.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/default-jwt-issuer.yaml @@ -1,9 +1,11 @@ {{- if .Values.wso2.apk.dp.enabled }} kind: TokenIssuer -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 metadata: name: {{ template "apk-helm.resource.prefix" . }}-default-jwt-issuer namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: name: "default-jwt-issuer" consumerKeyClaim: {{ .Values.wso2.apk.idp.consumerKeyClaim | default "azp" }} diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/idp-jwt-issuer.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/idp-jwt-issuer.yaml index 6cf9cbce1..0bbf70fa6 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/idp-jwt-issuer.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/idp-jwt-issuer.yaml 
@@ -1,9 +1,11 @@ {{- if .Values.wso2.apk.dp.enabled }} kind: TokenIssuer -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 metadata: name: {{ template "apk-helm.resource.prefix" . }}-idp-jwt-issuer namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: name: "Domain-service-idp" consumerKeyClaim: {{ .Values.wso2.apk.idp.consumerKeyClaim | default "azp" }} diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api--authentication.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api--authentication.yaml index bf952473c..a060f492c 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api--authentication.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api--authentication.yaml @@ -14,7 +14,7 @@ # specific language governing permissions and limitations # under the License. {{- if .Values.idp.enabled }} -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" kind: "Authentication" metadata: name: {{ template "apk-helm.resource.prefix" . }}-jwks-endpoint-ds-authentication @@ -22,6 +22,8 @@ metadata: labels: api-name: "jwks-endpoint" api-version: "1.0.0" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: override: disabled: true diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml index 2263fa91b..0fa07ae31 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml 
@@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-jwks-endpoint-ds-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: basePath: /jwks services: diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api.yaml index d5d5478d4..5da3d8295 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api.yaml @@ -23,7 +23,7 @@ metadata: api-name: "jwks-endpoint" api-version: "1.0.0" annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade spec: apiName: "jwks-domain-service" apiType: "REST" diff --git a/helm-charts/templates/idp/authenticationEndpoint-domain-api--authentication.yaml b/helm-charts/templates/idp/authenticationEndpoint-domain-api--authentication.yaml index 7fb577675..1ac478862 100644 --- a/helm-charts/templates/idp/authenticationEndpoint-domain-api--authentication.yaml +++ b/helm-charts/templates/idp/authenticationEndpoint-domain-api--authentication.yaml @@ -14,7 +14,7 @@ # specific language governing permissions and limitations # under the License. {{- if .Values.idp.enabled }} -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" kind: "Authentication" metadata: name: {{ template "apk-helm.resource.prefix" . }}-authentication-endpoint-ds-authentication @@ -22,6 +22,8 @@ metadata: labels: api-name: "idp-domain-service" api-version: "1.0.0" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: override: disabled: true diff --git a/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml b/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml index 38869d5cc..4ace790f6 100644 
--- a/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml +++ b/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml @@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-authentication-endpoint-ds-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: basePath: /commonoauth services: diff --git a/helm-charts/templates/idp/authenticationEndpoint-domain-api.yaml b/helm-charts/templates/idp/authenticationEndpoint-domain-api.yaml index 07cc69e49..0929f1658 100644 --- a/helm-charts/templates/idp/authenticationEndpoint-domain-api.yaml +++ b/helm-charts/templates/idp/authenticationEndpoint-domain-api.yaml @@ -23,7 +23,7 @@ metadata: api-name: "idp-domain-service" api-version: "1.0.0" annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade spec: apiName: "authenticationEndpoint-domain-service" apiType: "REST" diff --git a/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml b/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml index 66dd6e704..0e3576f86 100644 --- a/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml +++ b/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml @@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-commonoauth-ds-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: basePath: /commonoauth services: diff --git a/helm-charts/templates/idp/commonoauth-domain-api-no-authentication.yaml b/helm-charts/templates/idp/commonoauth-domain-api-no-authentication.yaml index a02a87e20..7acfb6e3a 100644 --- a/helm-charts/templates/idp/commonoauth-domain-api-no-authentication.yaml +++ b/helm-charts/templates/idp/commonoauth-domain-api-no-authentication.yaml 
@@ -14,7 +14,7 @@ # specific language governing permissions and limitations # under the License. {{- if .Values.idp.enabled }} -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" kind: "Authentication" metadata: name: {{ template "apk-helm.resource.prefix" . }}-commonoauth-ds-authentication @@ -22,6 +22,8 @@ metadata: labels: api-name: "idp-domain-service" api-version: "1.0.0" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: override: disabled: true diff --git a/helm-charts/templates/idp/commonoauth-domain-api.yaml b/helm-charts/templates/idp/commonoauth-domain-api.yaml index 3b6c02eb5..a538daa85 100644 --- a/helm-charts/templates/idp/commonoauth-domain-api.yaml +++ b/helm-charts/templates/idp/commonoauth-domain-api.yaml @@ -23,7 +23,7 @@ metadata: api-name: "idp-domain-service" api-version: "1.0.0" annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade spec: apiName: "commonoauth-api" apiType: "REST" diff --git a/helm-charts/templates/idp/dcr-domain-api-backend.yaml b/helm-charts/templates/idp/dcr-domain-api-backend.yaml index a8af5d930..cb21604ff 100644 --- a/helm-charts/templates/idp/dcr-domain-api-backend.yaml +++ b/helm-charts/templates/idp/dcr-domain-api-backend.yaml @@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-dcr-ds-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: basePath: /dcr services: diff --git a/helm-charts/templates/idp/dcr-domain-api-no-authentication.yaml b/helm-charts/templates/idp/dcr-domain-api-no-authentication.yaml index 77b98dc3b..d09bd62b9 100644 --- a/helm-charts/templates/idp/dcr-domain-api-no-authentication.yaml +++ b/helm-charts/templates/idp/dcr-domain-api-no-authentication.yaml 
@@ -14,7 +14,7 @@ # specific language governing permissions and limitations # under the License. {{- if .Values.idp.enabled }} -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" kind: "Authentication" metadata: name: {{ template "apk-helm.resource.prefix" . }}-dcr-ds-authentication @@ -22,6 +22,8 @@ metadata: labels: api-name: "idp-domain-service" api-version: "1.0.0" + annotations: + "helm.sh/hook": post-install,post-upgrade spec: override: disabled: true diff --git a/helm-charts/templates/idp/dcr-domain-api.yaml b/helm-charts/templates/idp/dcr-domain-api.yaml index 115cf8fc2..fba48631a 100644 --- a/helm-charts/templates/idp/dcr-domain-api.yaml +++ b/helm-charts/templates/idp/dcr-domain-api.yaml @@ -23,7 +23,7 @@ metadata: api-name: "idp-domain-service" api-version: "1.0.0" annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade spec: apiName: "dcr-api" apiType: "REST" diff --git a/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml b/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml index 3b4b88029..6667596eb 100644 --- a/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml +++ b/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml @@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1" metadata: name: {{ template "apk-helm.resource.prefix" . }}-idp-ui-backend namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade spec: services: - host: {{ template "apk-helm.resource.prefix" . }}-idp-ui-service.{{ .Release.Namespace }} diff --git a/helm-charts/templates/idp/oauth-domain-api-backend.yaml b/helm-charts/templates/idp/oauth-domain-api-backend.yaml index 315ea4cac..06078af08 100644 --- a/helm-charts/templates/idp/oauth-domain-api-backend.yaml +++ b/helm-charts/templates/idp/oauth-domain-api-backend.yaml 
@@ -19,6 +19,8 @@ apiVersion: "dp.wso2.com/v1alpha1"
 metadata:
 name: {{ template "apk-helm.resource.prefix" . }}-oauth-ds-backend
 namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
 spec:
 basePath: /oauth2
 services:
diff --git a/helm-charts/templates/idp/oauth-domain-api-no-authentication.yaml b/helm-charts/templates/idp/oauth-domain-api-no-authentication.yaml
index b59d65119..c5d990048 100644
--- a/helm-charts/templates/idp/oauth-domain-api-no-authentication.yaml
+++ b/helm-charts/templates/idp/oauth-domain-api-no-authentication.yaml
@@ -14,7 +14,7 @@
 # specific language governing permissions and limitations
 # under the License.
 {{- if .Values.idp.enabled }}
-apiVersion: "dp.wso2.com/v1alpha1"
+apiVersion: "dp.wso2.com/v1alpha2"
 kind: "Authentication"
 metadata:
 name: {{ template "apk-helm.resource.prefix" . }}-oauth-ds-authentication
@@ -22,6 +22,8 @@ metadata:
 labels:
 api-name: "idp-domain-service"
 api-version: "1.0.0"
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
 spec:
 override:
 disabled: true
diff --git a/helm-charts/templates/idp/oauth-domain-api.yaml b/helm-charts/templates/idp/oauth-domain-api.yaml
index 7b4ec70b0..a4c4214e1 100644
--- a/helm-charts/templates/idp/oauth-domain-api.yaml
+++ b/helm-charts/templates/idp/oauth-domain-api.yaml
@@ -23,7 +23,7 @@ metadata:
 api-name: "idp-domain-service"
 api-version: "1.0.0"
 annotations:
- "helm.sh/hook": post-install
+ "helm.sh/hook": post-install,post-upgrade
 spec:
 apiName: "oauth-api"
 apiType: "REST"
diff --git a/helm-charts/values.yaml b/helm-charts/values.yaml
index 0d60d7ff6..dba5ceb00 100644
--- a/helm-charts/values.yaml
+++ b/helm-charts/values.yaml
@@ -95,6 +95,7 @@ wso2:
 replicas: 1
 imagePullPolicy: Always
 image: wso2/apk-config-deployer-service:1.1.0-rc
+ # debug: true
 # configs:
 # tls:
 # secretName: "my-secret"
diff --git a/runtime/config-deployer-service/ballerina/APIClient.bal b/runtime/config-deployer-service/ballerina/APIClient.bal
index 72096f208..5fcdd78ee 100644
--- a/runtime/config-deployer-service/ballerina/APIClient.bal
+++ b/runtime/config-deployer-service/ballerina/APIClient.bal
@@ -1,3 +1,11 @@
+import config_deployer_service.java.io as javaio;
+import config_deployer_service.model;
+import config_deployer_service.org.wso2.apk.config as runtimeUtil;
+import config_deployer_service.org.wso2.apk.config.api as runtimeapi;
+import config_deployer_service.org.wso2.apk.config.model as runtimeModels;
+
+import ballerina/crypto;
+import ballerina/lang.value;
 //
 // Copyright (c) 2022, WSO2 LLC. (http://www.wso2.com).
 //
@@ -15,21 +23,15 @@
 // specific language governing permissions and limitations
 // under the License.
 //
-
 import ballerina/log;
-import config_deployer_service.model;
-import config_deployer_service.org.wso2.apk.config.model as runtimeModels;
 import ballerina/regex;
-import config_deployer_service.org.wso2.apk.config as runtimeUtil;
-import ballerina/lang.value;
-import config_deployer_service.org.wso2.apk.config.api as runtimeapi;
 import ballerina/uuid;
-import ballerina/crypto;
-import config_deployer_service.java.io as javaio;
-import wso2/apk_common_lib as commons;
 import ballerinax/prometheus as _;
+
+import wso2/apk_common_lib as commons;
+
 public class APIClient {
-
+
 # This function used to convert APKInternalAPI model to APKConf.
 #
 # + api - APKInternalAPI model
@@ -1233,7 +1235,7 @@ public class APIClient {
 BackendJWTPolicy_parameters parameters = backendJWTPolicy.parameters ?: {};
 model:BackendJWT backendJwt = {
 metadata: {
- name: self.getBackendJWTPolicyUid(apkConf, operation, organization),
+ name: self.getBackendJWTPolicyUid(apkConf, operation, organization),
 labels: self.getLabels(apkConf, organization)
 },
 spec: {}
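Review bot: The first hunk places the seven relocated `import` lines above the license header, so `// Copyright (c) 2022, WSO2 LLC.` no longer opens `APIClient.bal`; if this is formatter output, the header comment should be moved back to line 1 with the import groups after it, since license scanners key on the file's leading comment. The `@@ -1233` hunk and the two later whitespace-only hunks in this file are fine as is.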
@@ -1266,6 +1268,9 @@ public class APIClient {
 private isolated function retrieveCORSPolicyDetails(model:APIArtifact apiArtifact, APKConf apkConf, CORSConfiguration corsConfiguration, commons:Organization organization) returns model:CORSPolicy? {
 model:CORSPolicy corsPolicy = {};
+ if corsConfiguration.corsConfigurationEnabled is boolean {
+ corsPolicy.enabled = corsConfiguration.corsConfigurationEnabled;
+ }
 if corsConfiguration.accessControlAllowCredentials is boolean {
 corsPolicy.accessControlAllowCredentials = corsConfiguration.accessControlAllowCredentials;
 }
@@ -1494,7 +1499,7 @@ public class APIClient {
 }
 return string:'join("-", concatanatedString, "-resource-backend-jwt-policy");
 } else {
- return string:'join("-", concatanatedString, "-api-backend-jwt-policy");
+ return string:'join("-", concatanatedString, "-api-backend-jwt-policy");
 }
 }
@@ -1562,7 +1567,7 @@ public class APIClient {
 string operationTargetHash = crypto:hashSha1(hexBytes).toBase16();
 concatanatedString = concatanatedString + "-" + operationTargetHash;
 }
- return "resource-" + concatanatedString + "-" + targetRef;
+ return "resource-" + concatanatedString + "-" + targetRef;
 } else {
 return "api-" + concatanatedString + "-" + targetRef;
 }
diff --git a/runtime/config-deployer-service/ballerina/Dependencies.toml b/runtime/config-deployer-service/ballerina/Dependencies.toml
index cb855bd71..887c6727f 100644
--- a/runtime/config-deployer-service/ballerina/Dependencies.toml
+++ b/runtime/config-deployer-service/ballerina/Dependencies.toml
@@ -5,7 +5,7 @@
 [ballerina]
 dependencies-toml-version = "2"
-distribution-version = "2201.8.5"
+distribution-version = "2201.8.6"
 [[package]]
 org = "ballerina"
diff --git a/runtime/config-deployer-service/ballerina/modules/model/APIPolicy.bal b/runtime/config-deployer-service/ballerina/modules/model/APIPolicy.bal
index 12079222b..8c380d105 100644
--- a/runtime/config-deployer-service/ballerina/modules/model/APIPolicy.bal
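Review bot: The new `if corsConfiguration.corsConfigurationEnabled is boolean` guard in `retrieveCORSPolicyDetails` is always true once `types.bal` (later in this patch) declares the field as a non-optional `boolean corsConfigurationEnabled = false;`, so every CORSPolicy built from an apk-conf `corsConfiguration` block that omits the flag is emitted with `enabled: false`. If a "global cors configuration" is meant to apply when the flag is unset, the field should be optional, `boolean corsConfigurationEnabled?;`, so that the guard actually distinguishes "not given" from "false"; if disabling CORS by default for any API that declares a `corsConfiguration` is intended, a comment on the guard saying so would keep the next reader from "fixing" it. Whether this function is reached at all when no `corsConfiguration` is supplied depends on the caller, which is outside the hunk.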
+++ b/runtime/config-deployer-service/ballerina/modules/model/APIPolicy.bal
@@ -44,8 +44,6 @@ public type BackendJwtReference record {
 string name?;
 };
-
-
 public type APIPolicyList record {
 string apiVersion = "dp.wso2.com/v1alpha2";
 string kind = "APIPolicyList";
@@ -54,6 +52,7 @@ public type APIPolicyList record {
 };
 public type CORSPolicy record {
+ boolean enabled = true;
 boolean accessControlAllowCredentials = false;
 string[] accessControlAllowOrigins = [];
 string[] accessControlAllowHeaders = [];
diff --git a/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml b/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml
index 723a75380..baf1c0ac8 100644
--- a/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml
+++ b/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml
@@ -217,7 +217,6 @@ components:
 properties:
 corsConfigurationEnabled:
 type: boolean
- default: false
 accessControlAllowOrigins:
 type: array
 items:
diff --git a/runtime/config-deployer-service/ballerina/types.bal b/runtime/config-deployer-service/ballerina/types.bal
index 66d04272f..b68f2f2ee 100644
--- a/runtime/config-deployer-service/ballerina/types.bal
+++ b/runtime/config-deployer-service/ballerina/types.bal
@@ -174,13 +174,15 @@ public type DefinitionBody record {
 # CORS Configuration of API
 #
+# + corsConfigurationEnabled - field description
 # + accessControlAllowOrigins - Field Description
 # + accessControlAllowCredentials - Field Description
 # + accessControlAllowHeaders - Field Description
 # + accessControlAllowMethods - Field Description
+# + accessControlAllowMaxAge - Field Description
 # + accessControlExposeHeaders - Field Description
-# + accessControlAllowMaxAge - Field Description
 public type CORSConfiguration record {
+ boolean corsConfigurationEnabled = false;
 string[] accessControlAllowOrigins?;
 boolean accessControlAllowCredentials?;
 string[] accessControlAllowHeaders?;
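Review bot: The new doc line in the `types.bal` hunk, `# + corsConfigurationEnabled - field description`, is a placeholder; a sentence such as `# + corsConfigurationEnabled - Whether CORS handling is enabled for this API; the value is copied into the generated CORSPolicy` would tell an apk-conf author what the flag does. The same hunk gives the record field a default of `false` while the `apk-conf-schema.yaml` hunk removes `default: false`, so the published schema and the Ballerina record now disagree about what an omitted flag means and one of them should be aligned with the other. In the `APIPolicy.bal` hunk the CR-side `CORSPolicy.enabled` defaults to `true`, the opposite of the apk-conf default; a one-line comment on that field noting that it mirrors the CRD default (presumably, not visible here) would make the asymmetry look deliberate rather than accidental.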
diff --git a/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml b/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml
index 6c71a76c2..9832ffc2a 100644
--- a/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml
+++ b/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml
@@ -139,4 +139,17 @@ spec:
 services:
 - host: infra-backend-v1.gateway-integration-test-infra
 port: 8080
-
\ No newline at end of file
+---
+apiVersion: dp.wso2.com/v1alpha2
+kind: APIPolicy
+metadata:
+ name: no-cors-policy
+ namespace: gateway-integration-test-infra
+spec:
+ override:
+ cORSPolicy:
+ enabled: false
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: API
+ name: no-cors-policy-api
\ No newline at end of file
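Review bot: The new `no-cors-policy` APIPolicy still leaves the file without a trailing newline (`\ No newline at end of file` survives on the new side), so the next addition to this resource will repeat the `-`/`+` churn seen at the top of the hunk; end `name: no-cors-policy-api` with a newline. The `targetRef` names an API `no-cors-policy-api` that is not visible in the hunk and is presumably defined earlier in the file; if it is not, the policy is accepted but attaches to nothing and the `enabled: false` path this test is meant to cover stays unexercised.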