From 9bba4c98bda474dd5bfa35d65be77b51a3e41e4b Mon Sep 17 00:00:00 2001 
From: CrowleyRajapakse Date: Mon, 26 Aug 2024 15:41:54 +0530 Subject: [PATCH] adding Backend API Key security --- .../envoyconf/routes_with_clusters_test.go | 50 +- .../oasparser/model/adapter_internal_api.go | 28 +- .../internal/oasparser/model/http_route.go | 8 +- .../operator/controllers/dp/api_controller.go | 29 +- .../controllers/dp/gateway_controller.go | 4 +- .../operator/synchronizer/api_state.go | 4 +- .../operator/synchronizer/gateway_state.go | 2 +- .../synchronizer/gateway_synchronizer.go | 8 +- .../synchronizer/zz_generated.deepcopy.go | 18 +- adapter/internal/operator/utils/utils.go | 58 +- adapter/pkg/eventhub/types/types.go | 4 +- .../apis/dp/v1alpha2/backend_types.go | 301 +++++++ .../apis/dp/v1alpha2/resolvedbackend.go | 58 ++ .../apis/dp/v1alpha2/zz_generated.deepcopy.go | 436 ++++++++++ .../crd/bases/dp.wso2.com_backends.yaml | 284 +++++++ .../wso2/apk/enforcer/util/EndpointUtils.java | 16 + helm-charts/crds/dp.wso2.com_backends.yaml | 745 ++++++++++++------ .../config-generator-domain-api-backend.yaml | 2 +- .../api/notification-api.yaml | 2 +- .../jwks-domain-api-backend.yaml | 2 +- ...enticationEndpoint-domain-api-backend.yaml | 2 +- .../idp/commonoauth-domain-api-backend.yaml | 2 +- .../templates/idp/dcr-domain-api-backend.yaml | 2 +- .../templates/idp/idp-ui/idp-ui-backend.yaml | 2 +- .../idp/oauth-domain-api-backend.yaml | 2 +- .../cucumber-tests/CRs/artifacts.yaml | 2 +- test/cucumber-tests/CRs/agent-artifacts.yaml | 2 +- test/cucumber-tests/CRs/artifacts.yaml | 2 +- .../tests/backend-api-key-security.go | 73 ++ .../tests/all-http-methods-for-wildcard.yaml | 2 +- .../tests/api-different-listener.yaml | 2 +- .../tests/api-policy-with-jwt-generator.yaml | 2 +- .../tests/api-with-backend-base-path.yaml | 2 +- .../resources/tests/api-with-cors-policy.yaml | 2 +- .../tests/api-with-operational-policy.yaml | 2 +- .../resources/tests/api-with-path-params.yaml | 2 +- .../tests/api-with-request-header-modify.yaml | 2 +- 
.../api-with-response-header-modify.yaml | 2 +- .../tests/api-without-backend-base-path.yaml | 2 +- .../tests/backend-api-key-security.yaml | 89 +++ .../resources/tests/custom-auth-header.yaml | 2 +- .../tests/custom-policy-ratelimiting.yaml | 2 +- .../tests/default-api-version-ratelimit.yaml | 2 +- .../resources/tests/default-api-version.yaml | 2 +- .../different-endpoint-with-same-route.yaml | 4 +- .../tests/disable-api-level-jwt.yaml | 2 +- .../tests/disable-api-level-security.yaml | 2 +- .../tests/disable-resource-level-jwt.yaml | 2 +- .../disable-resource-level-security.yaml | 2 +- .../resources/tests/fetch-api-definition.yaml | 2 +- .../fetch-non-existing-api-definition.yaml | 2 +- .../tests/resources/tests/gql-api.yaml | 2 +- .../tests/jwt-api-level-security.yaml | 2 +- .../tests/multiple_port_listener.yaml | 2 +- .../resources/tests/prod-and-sand-apis.yaml | 4 +- .../resources/tests/ratelimit-priority.yaml | 2 +- .../resources/tests/resource-scopes.yaml | 2 +- .../tests/resources/tests/trailing-slash.yaml | 2 +- .../resources/tests/verify-old-apis.yaml | 2 +- test/integration/scripts/run-tests.sh | 1 + test/integration/scripts/setup-hosts.sh | 1 + test/k8s-resources/gw-interceptor.yaml | 2 +- 62 files changed, 1948 insertions(+), 355 deletions(-) create mode 100644 common-go-libs/apis/dp/v1alpha2/backend_types.go create mode 100644 common-go-libs/apis/dp/v1alpha2/resolvedbackend.go create mode 100644 test/integration/integration/tests/backend-api-key-security.go create mode 100644 test/integration/integration/tests/resources/tests/backend-api-key-security.yaml diff --git a/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go b/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go index eee142e34..f914c68b8 100644 --- a/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go +++ b/adapter/internal/oasparser/envoyconf/routes_with_clusters_test.go 
@@ -123,11 +123,11 @@ func TestCreateRoutesWithClustersWithExactAndRegularExpressionRules(t *testing.T xds.SanitizeGateway("default-gateway", true) httpRouteState.HTTPRouteCombined = &httpRoute - backendMapping := make(map[string]*v1alpha1.ResolvedBackend) + backendMapping := make(map[string]*v1alpha2.ResolvedBackend) backendMapping[k8types.NamespacedName{Namespace: "default", Name: "backend-1"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "test-service-1.default", Port: 7001}}, Protocol: v1alpha1.HTTPProtocol} + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "test-service-1.default", Port: 7001}}, Protocol: v1alpha2.HTTPProtocol} backendMapping[k8types.NamespacedName{Namespace: "default", Name: "backend-2"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "test-service-2.default", Port: 7002}}, Protocol: v1alpha1.HTTPProtocol} + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "test-service-2.default", Port: 7002}}, Protocol: v1alpha2.HTTPProtocol} httpRouteState.BackendMapping = backendMapping apiState.ProdHTTPRoute = &httpRouteState @@ -261,9 +261,9 @@ func generateSampleAPI(apiName string, apiVersion string, basePath string) synch httpRouteState.HTTPRouteCombined = &httpRoute - backendMapping := make(map[string]*v1alpha1.ResolvedBackend) + backendMapping := make(map[string]*v1alpha2.ResolvedBackend) backendMapping[k8types.NamespacedName{Namespace: "default", Name: apiName + "backend-1"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "test-service-1.default", Port: 7001}}, Protocol: v1alpha1.HTTPProtocol} + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "test-service-1.default", Port: 7001}}, Protocol: v1alpha2.HTTPProtocol} httpRouteState.BackendMapping = backendMapping apiState.ProdHTTPRoute = &httpRouteState 
@@ -335,17 +335,17 @@ func TestCreateRoutesWithClustersWithMultiplePathPrefixRules(t *testing.T) { httpRouteState.HTTPRouteCombined = &httpRoute - backendMapping := make(map[string]*v1alpha1.ResolvedBackend) + backendMapping := make(map[string]*v1alpha2.ResolvedBackend) backendMapping[k8types.NamespacedName{Namespace: "default", Name: "order-backend"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{ + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{ {Host: "order-service.default", Port: 80}, {Host: "order-service-2.default", Port: 8080}}, - Protocol: v1alpha1.HTTPProtocol} + Protocol: v1alpha2.HTTPProtocol} backendMapping[k8types.NamespacedName{Namespace: "default", Name: "user-backend"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{ + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{ {Host: "user-service.default", Port: 8081}, {Host: "user-service-2.default", Port: 8081}}, - Protocol: v1alpha1.HTTPProtocol} + Protocol: v1alpha2.HTTPProtocol} httpRouteState.BackendMapping = backendMapping apiState.ProdHTTPRoute = &httpRouteState @@ -473,11 +473,11 @@ func TestCreateRoutesWithClustersWithBackendTLSConfigs(t *testing.T) { httpRouteState.HTTPRouteCombined = &httpRoute - backendMapping := make(map[string]*v1alpha1.ResolvedBackend) + backendMapping := make(map[string]*v1alpha2.ResolvedBackend) backendMapping[k8types.NamespacedName{Namespace: "default", Name: "test-backend-3"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "webhook.site", Port: 443}}, - Protocol: v1alpha1.HTTPSProtocol, - TLS: v1alpha1.ResolvedTLSConfig{ + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "webhook.site", Port: 443}}, + Protocol: v1alpha2.HTTPSProtocol, + TLS: v1alpha2.ResolvedTLSConfig{ ResolvedCertificate: `-----BEGIN CERTIFICATE-----test-cert-data-----END CERTIFICATE-----`, }} httpRouteState.BackendMapping = backendMapping 
@@ -610,17 +610,17 @@ func TestCreateRoutesWithClustersDifferentBackendRefs(t *testing.T) { httpRouteState.HTTPRouteCombined = &httpRoute - backendMapping := make(map[string]*v1alpha1.ResolvedBackend) + backendMapping := make(map[string]*v1alpha2.ResolvedBackend) backendMapping[k8types.NamespacedName{Namespace: "default", Name: "test-backend-1"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "webhook.site.1", Port: 443}}, - Protocol: v1alpha1.HTTPSProtocol, - TLS: v1alpha1.ResolvedTLSConfig{ + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "webhook.site.1", Port: 443}}, + Protocol: v1alpha2.HTTPSProtocol, + TLS: v1alpha2.ResolvedTLSConfig{ ResolvedCertificate: `-----BEGIN CERTIFICATE-----test-cert-data-----END CERTIFICATE-----`, }} backendMapping[k8types.NamespacedName{Namespace: "default", Name: "test-backend-2"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "webhook.site.2", Port: 443}}, - Protocol: v1alpha1.HTTPSProtocol, - TLS: v1alpha1.ResolvedTLSConfig{ + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "webhook.site.2", Port: 443}}, + Protocol: v1alpha2.HTTPSProtocol, + TLS: v1alpha2.ResolvedTLSConfig{ ResolvedCertificate: `-----BEGIN CERTIFICATE-----test-cert-data-----END CERTIFICATE-----`, }} httpRouteState.BackendMapping = backendMapping 
@@ -702,11 +702,11 @@ func TestCreateRoutesWithClustersSameBackendRefs(t *testing.T) { httpRouteState.HTTPRouteCombined = &httpRoute - backendMapping := make(map[string]*v1alpha1.ResolvedBackend) + backendMapping := make(map[string]*v1alpha2.ResolvedBackend) backendMapping[k8types.NamespacedName{Namespace: "default", Name: "test-backend-1"}.String()] = - &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: "webhook.site", Port: 443}}, - Protocol: v1alpha1.HTTPSProtocol, - TLS: v1alpha1.ResolvedTLSConfig{ + &v1alpha2.ResolvedBackend{Services: []v1alpha2.Service{{Host: "webhook.site", Port: 443}}, + Protocol: v1alpha2.HTTPSProtocol, + TLS: v1alpha2.ResolvedTLSConfig{ ResolvedCertificate: `-----BEGIN CERTIFICATE-----test-cert-data-----END CERTIFICATE-----`, }} httpRouteState.BackendMapping = backendMapping diff --git a/adapter/internal/oasparser/model/adapter_internal_api.go b/adapter/internal/oasparser/model/adapter_internal_api.go index 0487432fd..3d7e4b838 100644 --- a/adapter/internal/oasparser/model/adapter_internal_api.go +++ b/adapter/internal/oasparser/model/adapter_internal_api.go @@ -471,8 +471,8 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap for _, rule := range httpRoute.Spec.Rules { var endPoints []Endpoint var policies = OperationPolicies{} - var circuitBreaker *dpv1alpha1.CircuitBreaker - var healthCheck *dpv1alpha1.HealthCheck + var circuitBreaker *dpv1alpha2.CircuitBreaker + var healthCheck *dpv1alpha2.HealthCheck resourceAuthScheme := authScheme resourceAPIPolicy := apiPolicy resourceRatelimitPolicy := ratelimitPolicy 
@@ -499,7 +499,7 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap resolvedBackend, ok := resourceParams.BackendMapping[backendName.String()] if ok { if resolvedBackend.CircuitBreaker != nil { - circuitBreaker = &dpv1alpha1.CircuitBreaker{ + circuitBreaker = &dpv1alpha2.CircuitBreaker{ MaxConnections: resolvedBackend.CircuitBreaker.MaxConnections, MaxPendingRequests: resolvedBackend.CircuitBreaker.MaxPendingRequests, MaxRequests: resolvedBackend.CircuitBreaker.MaxRequests, @@ -522,7 +522,7 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap } } if resolvedBackend.HealthCheck != nil { - healthCheck = &dpv1alpha1.HealthCheck{ + healthCheck = &dpv1alpha2.HealthCheck{ Interval: resolvedBackend.HealthCheck.Interval, Timeout: resolvedBackend.HealthCheck.Timeout, UnhealthyThreshold: resolvedBackend.HealthCheck.UnhealthyThreshold, @@ -539,6 +539,16 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap Type: string(resolvedBackend.Security.Type), Enabled: true, }) + case "APIKey": + securityConfig = append(securityConfig, EndpointSecurity{ + Type: string(resolvedBackend.Security.Type), + Enabled: true, + CustomParameters: map[string]string{ + "in": string(resolvedBackend.Security.APIKey.In), + "key": string(resolvedBackend.Security.APIKey.Name), + "value": string(resolvedBackend.Security.APIKey.Value), + }, + }) } } else { return fmt.Errorf("backend: %s has not been resolved", backendName) 
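Review bot: The new `case "APIKey"` in SetInfoHTTPRouteCR (hunk `@@ -539,6 +539,16 @@`) appends an `EndpointSecurity` with `Enabled: true` even when `resolvedBackend.Security.APIKey.Value` is empty, which is what the resolver in utils.go returns when the secret lookup fails, since it only logs and carries on. The route would then presumably be programmed with a blank credential instead of being rejected; a guard before the append, `if resolvedBackend.Security.APIKey.Value == "" { return fmt.Errorf("backend: %s has no API key value", backendName) }`, would fail closed. The same block is added to SetInfoGQLRouteCR in hunk `@@ -996,6 +1006,16 @@` and needs the same check. The resolved key is also copied as plaintext into `CustomParameters`, so anything that logs or dumps `EndpointSecurity` should redact the `value` entry. Both function bodies continue outside their hunks.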
@@ -996,6 +1006,16 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoGQLRouteCR(gqlRoute *dpv1al Type: string(resolvedBackend.Security.Type), Enabled: true, }) + case "APIKey": + securityConfig = append(securityConfig, EndpointSecurity{ + Type: string(resolvedBackend.Security.Type), + Enabled: true, + CustomParameters: map[string]string{ + "in": string(resolvedBackend.Security.APIKey.In), + "key": string(resolvedBackend.Security.APIKey.Name), + "value": string(resolvedBackend.Security.APIKey.Value), + }, + }) } adapterInternalAPI.EndpointSecurity = utils.GetPtrSlice(securityConfig) } else { diff --git a/adapter/internal/oasparser/model/http_route.go b/adapter/internal/oasparser/model/http_route.go index ec77c2155..96c6293d8 100644 --- a/adapter/internal/oasparser/model/http_route.go +++ b/adapter/internal/oasparser/model/http_route.go @@ -36,7 +36,7 @@ type ResourceParams struct { ResourceAPIPolicies map[string]dpv1alpha2.APIPolicy InterceptorServiceMapping map[string]dpv1alpha1.InterceptorService BackendJWTMapping map[string]dpv1alpha1.BackendJWT - BackendMapping map[string]*dpv1alpha1.ResolvedBackend + BackendMapping map[string]*dpv1alpha2.ResolvedBackend ResourceScopes map[string]dpv1alpha1.Scope RateLimitPolicies map[string]dpv1alpha1.RateLimitPolicy ResourceRateLimitPolicies map[string]dpv1alpha1.RateLimitPolicy 
@@ -112,7 +112,7 @@ func parseRateLimitPolicyToInternal(ratelimitPolicy *dpv1alpha1.RateLimitPolicy) // addOperationLevelInterceptors add the operation level interceptor policy to the policies func addOperationLevelInterceptors(policies *OperationPolicies, apiPolicy *dpv1alpha2.APIPolicy, interceptorServicesMapping map[string]dpv1alpha1.InterceptorService, - backendMapping map[string]*dpv1alpha1.ResolvedBackend, namespace string) { + backendMapping map[string]*dpv1alpha2.ResolvedBackend, namespace string) { if apiPolicy != nil && apiPolicy.Spec.Override != nil { if len(apiPolicy.Spec.Override.RequestInterceptors) > 0 { requestInterceptor := interceptorServicesMapping[types.NamespacedName{ @@ -160,7 +160,7 @@ func addOperationLevelInterceptors(policies *OperationPolicies, apiPolicy *dpv1a } // GetEndpoints creates endpoints using resolved backends in backendMapping -func GetEndpoints(backendName types.NamespacedName, backendMapping map[string]*dpv1alpha1.ResolvedBackend) []Endpoint { +func GetEndpoints(backendName types.NamespacedName, backendMapping map[string]*dpv1alpha2.ResolvedBackend) []Endpoint { endpoints := []Endpoint{} backend, ok := backendMapping[backendName.String()] if ok && backend != nil { @@ -181,7 +181,7 @@ func GetEndpoints(backendName types.NamespacedName, backendMapping map[string]*d } // GetBackendBasePath gets basePath of the the Backend -func GetBackendBasePath(backendName types.NamespacedName, backendMapping map[string]*dpv1alpha1.ResolvedBackend) string { +func GetBackendBasePath(backendName types.NamespacedName, backendMapping map[string]*dpv1alpha2.ResolvedBackend) string { backend, ok := backendMapping[backendName.String()] if ok && backend != nil { if len(backend.Services) > 0 { diff --git a/adapter/internal/operator/controllers/dp/api_controller.go b/adapter/internal/operator/controllers/dp/api_controller.go index 22d110784..9873e5754 100644 --- a/adapter/internal/operator/controllers/dp/api_controller.go 
+++ b/adapter/internal/operator/controllers/dp/api_controller.go @@ -162,7 +162,7 @@ func NewAPIController(mgr manager.Manager, operatorDataStore *synchronizer.Opera return err } - if err := c.Watch(source.Kind(mgr.GetCache(), &dpv1alpha1.Backend{}), handler.EnqueueRequestsFromMapFunc(apiReconciler.populateAPIReconcileRequestsForBackend), + if err := c.Watch(source.Kind(mgr.GetCache(), &dpv1alpha2.Backend{}), handler.EnqueueRequestsFromMapFunc(apiReconciler.populateAPIReconcileRequestsForBackend), predicates...); err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2615, logging.BLOCKER, "Error watching Backend resources: %v", err)) return err @@ -560,7 +560,7 @@ func (apiReconciler *APIReconciler) concatGQLRoutes(ctx context.Context, gqlRout } resolvedBackend := utils.GetResolvedBackend(ctx, apiReconciler.client, backendNamespacedName, &api) if resolvedBackend != nil { - gqlRouteState.BackendMapping = map[string]*dpv1alpha1.ResolvedBackend{ + gqlRouteState.BackendMapping = map[string]*dpv1alpha2.ResolvedBackend{ backendNamespacedName.String(): resolvedBackend, } return gqlRouteState, nil @@ -827,8 +827,8 @@ func (apiReconciler *APIReconciler) resolveAuthentications(ctx context.Context, func (apiReconciler *APIReconciler) getResolvedBackendsMapping(ctx context.Context, httpRouteState *synchronizer.HTTPRouteState, interceptorServiceMapping map[string]dpv1alpha1.InterceptorService, - api dpv1alpha2.API) (map[string]*dpv1alpha1.ResolvedBackend, error) { - backendMapping := make(map[string]*dpv1alpha1.ResolvedBackend) + api dpv1alpha2.API) (map[string]*dpv1alpha2.ResolvedBackend, error) { + backendMapping := make(map[string]*dpv1alpha2.ResolvedBackend) // Resolve backends in HTTPRoute httpRoute := httpRouteState.HTTPRouteCombined 
@@ -1061,8 +1061,8 @@ func (apiReconciler *APIReconciler) traverseAPIStateAndUpdateOwnerReferences(ctx func (apiReconciler *APIReconciler) retriveParentAPIsAndUpdateOwnerReferene(ctx context.Context, obj k8client.Object) { var requests []reconcile.Request switch obj.(type) { - case *dpv1alpha1.Backend: - var backend dpv1alpha1.Backend + case *dpv1alpha2.Backend: + var backend dpv1alpha2.Backend namesapcedName := types.NamespacedName{ Name: string(obj.GetName()), Namespace: string(obj.GetNamespace()), @@ -1544,7 +1544,7 @@ func (apiReconciler *APIReconciler) getAPIsForScope(ctx context.Context, obj k8c // getAPIsForBackend triggers the API controller reconcile method based on the changes detected // in backend resources. func (apiReconciler *APIReconciler) getAPIsForBackend(ctx context.Context, obj k8client.Object) []reconcile.Request { - backend, ok := obj.(*dpv1alpha1.Backend) + backend, ok := obj.(*dpv1alpha2.Backend) if !ok { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2622, logging.TRIVIAL, "Unexpected object type, bypassing reconciliation: %v", backend)) return []reconcile.Request{} @@ -1823,9 +1823,9 @@ func addIndexes(ctx context.Context, mgr manager.Manager) error { } // ConfigMap to Backend indexer - if err := mgr.GetFieldIndexer().IndexField(ctx, &dpv1alpha1.Backend{}, configMapBackend, + if err := mgr.GetFieldIndexer().IndexField(ctx, &dpv1alpha2.Backend{}, configMapBackend, func(rawObj k8client.Object) []string { - backend := rawObj.(*dpv1alpha1.Backend) + backend := rawObj.(*dpv1alpha2.Backend) var configMaps []string if backend.Spec.TLS != nil && backend.Spec.TLS.ConfigMapRef != nil && len(backend.Spec.TLS.ConfigMapRef.Name) > 0 { configMaps = append(configMaps, 
@@ -1840,9 +1840,9 @@ func addIndexes(ctx context.Context, mgr manager.Manager) error { } // Secret to Backend indexer - if err := mgr.GetFieldIndexer().IndexField(ctx, &dpv1alpha1.Backend{}, secretBackend, + if err := mgr.GetFieldIndexer().IndexField(ctx, &dpv1alpha2.Backend{}, secretBackend, func(rawObj k8client.Object) []string { - backend := rawObj.(*dpv1alpha1.Backend) + backend := rawObj.(*dpv1alpha2.Backend) var secrets []string if backend.Spec.TLS != nil && backend.Spec.TLS.SecretRef != nil && len(backend.Spec.TLS.SecretRef.Name) > 0 { secrets = append(secrets, @@ -1859,6 +1859,13 @@ func addIndexes(ctx context.Context, mgr manager.Manager) error { Namespace: backend.Namespace, }.String()) } + if backend.Spec.Security.APIKey != nil { + secrets = append(secrets, + types.NamespacedName{ + Name: string(backend.Spec.Security.APIKey.ValueFrom.Name), + Namespace: backend.Namespace, + }.String()) + } } return secrets }); err != nil { diff --git a/adapter/internal/operator/controllers/dp/gateway_controller.go b/adapter/internal/operator/controllers/dp/gateway_controller.go index 476cbfdff..51c32b661 100644 --- a/adapter/internal/operator/controllers/dp/gateway_controller.go +++ b/adapter/internal/operator/controllers/dp/gateway_controller.go @@ -305,8 +305,8 @@ func (gatewayReconciler *GatewayReconciler) getInterceptorServicesForGateway(ctx } func (gatewayReconciler *GatewayReconciler) getResolvedBackendsMapping(ctx context.Context, - gatewayStateData *synchronizer.GatewayStateData) map[string]*dpv1alpha1.ResolvedBackend { - backendMapping := make(map[string]*dpv1alpha1.ResolvedBackend) + gatewayStateData *synchronizer.GatewayStateData) map[string]*dpv1alpha2.ResolvedBackend { + backendMapping := make(map[string]*dpv1alpha2.ResolvedBackend) if gatewayStateData.GatewayInterceptorServiceMapping != nil { interceptorServices := maps.Values(gatewayStateData.GatewayInterceptorServiceMapping) for _, interceptorService := range interceptorServices { 
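Review bot: In the secret-to-Backend indexer (hunk `@@ -1859,6 +1859,13 @@` of api_controller.go) the added branch indexes `APIKey.ValueFrom.Name` without checking that it is set. The resolver in utils.go treats an empty `ValueFrom.Name` as "no secret, use the inline value", so such a Backend would be indexed under an empty secret name (`<namespace>/`). The TLS branch in the same function already checks the name length; the new condition should match it: `if backend.Spec.Security.APIKey != nil && len(backend.Spec.Security.APIKey.ValueFrom.Name) > 0 {`. The enclosing function starts and ends outside the hunk.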
diff --git a/adapter/internal/operator/synchronizer/api_state.go b/adapter/internal/operator/synchronizer/api_state.go index bff7dc462..0b6654433 100644 --- a/adapter/internal/operator/synchronizer/api_state.go +++ b/adapter/internal/operator/synchronizer/api_state.go @@ -51,7 +51,7 @@ type APIState struct { type HTTPRouteState struct { HTTPRouteCombined *gwapiv1.HTTPRoute HTTPRoutePartitions map[string]*gwapiv1.HTTPRoute - BackendMapping map[string]*v1alpha1.ResolvedBackend + BackendMapping map[string]*v1alpha2.ResolvedBackend Scopes map[string]v1alpha1.Scope } @@ -61,6 +61,6 @@ type HTTPRouteState struct { type GQLRouteState struct { GQLRouteCombined *v1alpha2.GQLRoute GQLRoutePartitions map[string]*v1alpha2.GQLRoute - BackendMapping map[string]*v1alpha1.ResolvedBackend + BackendMapping map[string]*v1alpha2.ResolvedBackend Scopes map[string]v1alpha1.Scope } diff --git a/adapter/internal/operator/synchronizer/gateway_state.go b/adapter/internal/operator/synchronizer/gateway_state.go index 947685d3d..070466db8 100644 --- a/adapter/internal/operator/synchronizer/gateway_state.go +++ b/adapter/internal/operator/synchronizer/gateway_state.go @@ -36,7 +36,7 @@ type GatewayState struct { type GatewayStateData struct { GatewayResolvedListenerCerts map[string]map[string][]byte GatewayAPIPolicies map[string]v1alpha2.APIPolicy - GatewayBackendMapping map[string]*v1alpha1.ResolvedBackend + GatewayBackendMapping map[string]*v1alpha2.ResolvedBackend GatewayInterceptorServiceMapping map[string]v1alpha1.InterceptorService GatewayCustomRateLimitPolicies map[string]*v1alpha1.RateLimitPolicy } diff --git a/adapter/internal/operator/synchronizer/gateway_synchronizer.go b/adapter/internal/operator/synchronizer/gateway_synchronizer.go index b991cc5bb..a43ceaac1 100644 --- a/adapter/internal/operator/synchronizer/gateway_synchronizer.go +++ b/adapter/internal/operator/synchronizer/gateway_synchronizer.go 
@@ -137,7 +137,7 @@ func getCustomRateLimitPolicies(customRateLimitPoliciesDef map[string]*dpv1alpha func generateGlobalInterceptorResource(gatewayAPIPolicies map[string]dpv1alpha2.APIPolicy, gatewayInterceptorServiceMapping map[string]dpv1alpha1.InterceptorService, - gatewayBackendMapping map[string]*dpv1alpha1.ResolvedBackend) (string, *clusterv3.Cluster, []*corev3.Address, + gatewayBackendMapping map[string]*dpv1alpha2.ResolvedBackend) (string, *clusterv3.Cluster, []*corev3.Address, *clusterv3.Cluster, []*corev3.Address) { var gwLuaScript string var gwReqICluster, gwResICluster *clusterv3.Cluster @@ -158,7 +158,7 @@ func generateGlobalInterceptorResource(gatewayAPIPolicies map[string]dpv1alpha2. func getGlobalInterceptorScript(gatewayAPIPolicies map[string]dpv1alpha2.APIPolicy, gatewayInterceptorServiceMapping map[string]dpv1alpha1.InterceptorService, - gatewayBackendMapping map[string]*dpv1alpha1.ResolvedBackend) string { + gatewayBackendMapping map[string]*dpv1alpha2.ResolvedBackend) string { iInvCtx := &interceptor.InvocationContext{ OrganizationID: "", BasePath: "", @@ -185,7 +185,7 @@ end func createInterceptors(gatewayAPIPolicies map[string]dpv1alpha2.APIPolicy, gatewayInterceptorServiceMapping map[string]dpv1alpha1.InterceptorService, - gatewayBackendMapping map[string]*dpv1alpha1.ResolvedBackend) (requestInterceptor map[string]model.InterceptEndpoint, responseInterceptor map[string]model.InterceptEndpoint) { + gatewayBackendMapping map[string]*dpv1alpha2.ResolvedBackend) (requestInterceptor map[string]model.InterceptEndpoint, responseInterceptor map[string]model.InterceptEndpoint) { requestInterceptorMap := make(map[string]model.InterceptEndpoint) responseInterceptorMap := make(map[string]model.InterceptEndpoint) 
@@ -227,7 +227,7 @@ func createInterceptors(gatewayAPIPolicies map[string]dpv1alpha2.APIPolicy, } func getInterceptorEndpoint(namespace string, interceptorRef *dpv1alpha2.InterceptorReference, - gatewayInterceptorServiceMapping map[string]dpv1alpha1.InterceptorService, gatewayBackendMapping map[string]*dpv1alpha1.ResolvedBackend, isReq bool) *model.InterceptEndpoint { + gatewayInterceptorServiceMapping map[string]dpv1alpha1.InterceptorService, gatewayBackendMapping map[string]*dpv1alpha2.ResolvedBackend, isReq bool) *model.InterceptEndpoint { interceptor := gatewayInterceptorServiceMapping[types.NamespacedName{ Namespace: namespace, Name: interceptorRef.Name}.String()].Spec diff --git a/adapter/internal/operator/synchronizer/zz_generated.deepcopy.go b/adapter/internal/operator/synchronizer/zz_generated.deepcopy.go index 201685195..ffe28ace5 100644 --- a/adapter/internal/operator/synchronizer/zz_generated.deepcopy.go +++ b/adapter/internal/operator/synchronizer/zz_generated.deepcopy.go @@ -159,14 +159,14 @@ func (in *GQLRouteState) DeepCopyInto(out *GQLRouteState) { } if in.BackendMapping != nil { in, out := &in.BackendMapping, &out.BackendMapping - *out = make(map[string]*v1alpha1.ResolvedBackend, len(*in)) + *out = make(map[string]*v1alpha2.ResolvedBackend, len(*in)) for key, val := range *in { - var outVal *v1alpha1.ResolvedBackend + var outVal *v1alpha2.ResolvedBackend if val == nil { (*out)[key] = nil } else { in, out := &val, &outVal - *out = new(v1alpha1.ResolvedBackend) + *out = new(v1alpha2.ResolvedBackend) (*in).DeepCopyInto(*out) } (*out)[key] = outVal 
@@ -253,14 +253,14 @@ func (in *GatewayStateData) DeepCopyInto(out *GatewayStateData) { } if in.GatewayBackendMapping != nil { in, out := &in.GatewayBackendMapping, &out.GatewayBackendMapping - *out = make(map[string]*v1alpha1.ResolvedBackend, len(*in)) + *out = make(map[string]*v1alpha2.ResolvedBackend, len(*in)) for key, val := range *in { - var outVal *v1alpha1.ResolvedBackend + var outVal *v1alpha2.ResolvedBackend if val == nil { (*out)[key] = nil } else { in, out := &val, &outVal - *out = new(v1alpha1.ResolvedBackend) + *out = new(v1alpha2.ResolvedBackend) (*in).DeepCopyInto(*out) } (*out)[key] = outVal @@ -325,14 +325,14 @@ func (in *HTTPRouteState) DeepCopyInto(out *HTTPRouteState) { } if in.BackendMapping != nil { in, out := &in.BackendMapping, &out.BackendMapping - *out = make(map[string]*v1alpha1.ResolvedBackend, len(*in)) + *out = make(map[string]*v1alpha2.ResolvedBackend, len(*in)) for key, val := range *in { - var outVal *v1alpha1.ResolvedBackend + var outVal *v1alpha2.ResolvedBackend if val == nil { (*out)[key] = nil } else { in, out := &val, &outVal - *out = new(v1alpha1.ResolvedBackend) + *out = new(v1alpha2.ResolvedBackend) (*in).DeepCopyInto(*out) } (*out)[key] = outVal diff --git a/adapter/internal/operator/utils/utils.go b/adapter/internal/operator/utils/utils.go index d07defc9c..064c647f0 100644 --- a/adapter/internal/operator/utils/utils.go +++ b/adapter/internal/operator/utils/utils.go @@ -33,7 +33,6 @@ import ( "github.com/wso2/apk/adapter/pkg/logging" "github.com/wso2/apk/adapter/pkg/utils/envutils" "github.com/wso2/apk/adapter/pkg/utils/stringutils" - "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1" dpv1alpha1 "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha1" dpv1alpha2 "github.com/wso2/apk/common-go-libs/apis/dp/v1alpha2" corev1 "k8s.io/api/core/v1" 
@@ -308,7 +307,7 @@ func GetService(ctx context.Context, client k8client.Client, namespace, serviceN } // GetResolvedBackendFromService converts a Kubernetes Service to a Resolved Backend. -func GetResolvedBackendFromService(k8sService *corev1.Service, svcPort int) (*v1alpha1.ResolvedBackend, error) { +func GetResolvedBackendFromService(k8sService *corev1.Service, svcPort int) (*dpv1alpha2.ResolvedBackend, error) { var host string var port uint32 @@ -342,13 +341,13 @@ func GetResolvedBackendFromService(k8sService *corev1.Service, svcPort int) (*v1 return nil, fmt.Errorf("unsupported service type %s", k8sService.Spec.Type) } - backend := &v1alpha1.ResolvedBackend{Services: []v1alpha1.Service{{Host: host, Port: port}}, Protocol: v1alpha1.HTTPProtocol} + backend := &dpv1alpha2.ResolvedBackend{Services: []dpv1alpha2.Service{{Host: host, Port: port}}, Protocol: dpv1alpha2.HTTPProtocol} return backend, nil } // ResolveAndAddBackendToMapping resolves backend from reference and adds it to the backendMapping. func ResolveAndAddBackendToMapping(ctx context.Context, client k8client.Client, - backendMapping map[string]*dpv1alpha1.ResolvedBackend, + backendMapping map[string]*dpv1alpha2.ResolvedBackend, backendRef dpv1alpha1.BackendReference, interceptorServiceNamespace string, api *dpv1alpha2.API) { backendName := types.NamespacedName{ Name: backendRef.Name, 
@@ -369,10 +368,10 @@ func ResolveRef(ctx context.Context, client k8client.Client, api *dpv1alpha2.API // GetResolvedBackend resolves backend TLS configurations. func GetResolvedBackend(ctx context.Context, client k8client.Client, - backendNamespacedName types.NamespacedName, api *dpv1alpha2.API) *dpv1alpha1.ResolvedBackend { - resolvedBackend := dpv1alpha1.ResolvedBackend{} - resolvedTLSConfig := dpv1alpha1.ResolvedTLSConfig{} - var backend dpv1alpha1.Backend + backendNamespacedName types.NamespacedName, api *dpv1alpha2.API) *dpv1alpha2.ResolvedBackend { + resolvedBackend := dpv1alpha2.ResolvedBackend{} + resolvedTLSConfig := dpv1alpha2.ResolvedTLSConfig{} + var backend dpv1alpha2.Backend if err := ResolveRef(ctx, client, api, backendNamespacedName, false, &backend); err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2646, logging.CRITICAL, "Error while getting backend: %v, error: %v", backendNamespacedName, err.Error())) return nil @@ -382,7 +381,7 @@ func GetResolvedBackend(ctx context.Context, client k8client.Client, resolvedBackend.Protocol = backend.Spec.Protocol resolvedBackend.BasePath = backend.Spec.BasePath if backend.Spec.CircuitBreaker != nil { - resolvedBackend.CircuitBreaker = &dpv1alpha1.CircuitBreaker{ + resolvedBackend.CircuitBreaker = &dpv1alpha2.CircuitBreaker{ MaxConnections: backend.Spec.CircuitBreaker.MaxConnections, MaxRequests: backend.Spec.CircuitBreaker.MaxRequests, MaxRetries: backend.Spec.CircuitBreaker.MaxRetries, 
@@ -391,20 +390,20 @@ func GetResolvedBackend(ctx context.Context, client k8client.Client, } } if backend.Spec.Timeout != nil { - resolvedBackend.Timeout = &dpv1alpha1.Timeout{ + resolvedBackend.Timeout = &dpv1alpha2.Timeout{ UpstreamResponseTimeout: backend.Spec.Timeout.UpstreamResponseTimeout, DownstreamRequestIdleTimeout: backend.Spec.Timeout.DownstreamRequestIdleTimeout, } } if backend.Spec.Retry != nil { - resolvedBackend.Retry = &dpv1alpha1.RetryConfig{ + resolvedBackend.Retry = &dpv1alpha2.RetryConfig{ Count: backend.Spec.Retry.Count, BaseIntervalMillis: backend.Spec.Retry.BaseIntervalMillis, StatusCodes: backend.Spec.Retry.StatusCodes, } } if backend.Spec.HealthCheck != nil { - resolvedBackend.HealthCheck = &dpv1alpha1.HealthCheck{ + resolvedBackend.HealthCheck = &dpv1alpha2.HealthCheck{ Timeout: backend.Spec.HealthCheck.Timeout, Interval: backend.Spec.HealthCheck.Interval, UnhealthyThreshold: backend.Spec.HealthCheck.UnhealthyThreshold, @@ -449,8 +448,8 @@ func UpdateCR(ctx context.Context, client k8client.Client, child metav1.Object) // getResolvedBackendSecurity resolves backend security configurations. func getResolvedBackendSecurity(ctx context.Context, client k8client.Client, - namespace string, security dpv1alpha1.SecurityConfig) dpv1alpha1.ResolvedSecurityConfig { - resolvedSecurity := dpv1alpha1.ResolvedSecurityConfig{} + namespace string, security dpv1alpha2.SecurityConfig) dpv1alpha2.ResolvedSecurityConfig { + resolvedSecurity := dpv1alpha2.ResolvedSecurityConfig{} if security.Basic != nil { var err error var username string 
@@ -462,14 +461,39 @@ func getResolvedBackendSecurity(ctx context.Context, client k8client.Client, if err != nil || username == "" || password == "" { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2648, logging.CRITICAL, "Error while reading key from secretRef: %s", security.Basic.SecretRef)) } - resolvedSecurity = dpv1alpha1.ResolvedSecurityConfig{ + resolvedSecurity = dpv1alpha2.ResolvedSecurityConfig{ Type: "Basic", - Basic: dpv1alpha1.ResolvedBasicSecurityConfig{ + Basic: dpv1alpha2.ResolvedBasicSecurityConfig{ Username: username, Password: password, }, } + } else if security.APIKey != nil { + var err error + var in string + var keyName string + var keyValue string + in = security.APIKey.In + keyName = security.APIKey.Name + if security.APIKey.ValueFrom.Name != "" { + keyValue, err = getSecretValue(ctx, client, + namespace, security.APIKey.ValueFrom.Name, security.APIKey.ValueFrom.ValueKey) + if err != nil || keyValue == "" { + loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2649, logging.CRITICAL, "Error while reading key from secretRef: %s", security.APIKey.ValueFrom)) + } + } else { + keyValue = security.APIKey.ValueFrom.ValueKey + } + resolvedSecurity = dpv1alpha2.ResolvedSecurityConfig{ + Type: "APIKey", + APIKey: dpv1alpha2.ResolvedAPIKeySecurityConfig{ + In: in, + Name: keyName, + Value: keyValue, + }, + } } + loggers.LoggerAPKOperator.Debugf("Resolved Security %v", resolvedSecurity) return resolvedSecurity } @@ -626,7 +650,7 @@ func RetrieveAPIList(k8sclient k8client.Client) ([]dpv1alpha2.API, error) { } // ConvertRefConfigsV1ToV2 converts RefConfig v2 to v1 -func ConvertRefConfigsV1ToV2(refConfig *dpv1alpha1.RefConfig) *dpv1alpha2.RefConfig { +func ConvertRefConfigsV1ToV2(refConfig *dpv1alpha2.RefConfig) *dpv1alpha2.RefConfig { if refConfig != nil { return &dpv1alpha2.RefConfig{ Name: refConfig.Name, 
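Review bot: The added `loggers.LoggerAPKOperator.Debugf("Resolved Security %v", resolvedSecurity)` at the end of getResolvedBackendSecurity prints the whole resolved struct, which by then holds the Basic password and the API key value read from the Secret. Enabling debug logging would therefore write backend credentials to the operator log; log only the type instead, e.g. `loggers.LoggerAPKOperator.Debugf("Resolved Security type: %s", resolvedSecurity.Type)`. In the new `APIKey` branch a failed or empty secret read is logged, but the function still returns `Type: "APIKey"` with an empty `Value`. The `else` path also uses `ValueFrom.ValueKey` itself as the key value when `ValueFrom.Name` is empty, although the v1alpha2 type documents `valueKey` as a field key and appears to require a non-empty `name`; returning an empty config on error and dropping that inline fallback would keep the key in a Secret only. The function begins outside this hunk.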
diff --git a/adapter/pkg/eventhub/types/types.go b/adapter/pkg/eventhub/types/types.go index dc7c03b62..23e2c1a37 100644 --- a/adapter/pkg/eventhub/types/types.go +++ b/adapter/pkg/eventhub/types/types.go @@ -78,8 +78,8 @@ type APIPolicy struct { PolicyName string `json:"policyName"` QuotaType string `json:"quotaType"` PolicyType string `json:"policyType"` - AddedConditionGroupIds string `json:"addedConditionGroupIds"` - DeletedConditionGroupIds string `json:"deletedConditionGroupIds"` + AddedConditionGroupIDs string `json:"addedConditionGroupIDs"` + DeletedConditionGroupIDs string `json:"deletedConditionGroupIDs"` TimeStamp int64 `json:"timeStamp,omitempty"` } diff --git a/common-go-libs/apis/dp/v1alpha2/backend_types.go b/common-go-libs/apis/dp/v1alpha2/backend_types.go new file mode 100644 index 000000000..bc246867d --- /dev/null +++ b/common-go-libs/apis/dp/v1alpha2/backend_types.go 
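Review bot: In adapter/pkg/eventhub/types/types.go the rename also changes the JSON tags to `json:"addedConditionGroupIDs"` and `json:"deletedConditionGroupIDs"`, so the serialized key of `APIPolicy` changes and not only the Go identifier. encoding/json still accepts the old spelling case-insensitively when decoding, but anything marshalled from this struct, and any case-sensitive consumer, now sees a different key. If only the lint-style field rename was intended, keep the previous tag values `json:"addedConditionGroupIds"` and `json:"deletedConditionGroupIds"` on the renamed fields. Whether a producer or consumer depends on the old key is not visible from this hunk.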
@@ -0,0 +1,301 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package v1alpha2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// BackendProtocolType defines the backend protocol type. +type BackendProtocolType string + +const ( + // HTTPProtocol is the http protocol + HTTPProtocol BackendProtocolType = "http" + // HTTPSProtocol is the https protocol + HTTPSProtocol BackendProtocolType = "https" + // WSProtocol is the ws protocol + WSProtocol BackendProtocolType = "ws" + // WSSProtocol is the wss protocol + WSSProtocol BackendProtocolType = "wss" +) + +// BackendSpec defines the desired state of Backend +type BackendSpec struct { + // Services holds hosts and ports + // + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=1 + Services []Service `json:"services,omitempty"` + + // Protocol defines the backend protocol + // + // +optional + // +kubebuilder:validation:Enum=http;https;ws;wss + // +kubebuilder:default=http + Protocol BackendProtocolType `json:"protocol"` + + // BasePath defines the base path of the backend + // +optional + BasePath string `json:"basePath"` + + // TLS defines the TLS configurations of the backend + TLS *TLSConfig 
`json:"tls,omitempty"` + + // Security defines the security configurations of the backend + Security *SecurityConfig `json:"security,omitempty"` + + // CircuitBreaker defines the circuit breaker configurations + CircuitBreaker *CircuitBreaker `json:"circuitBreaker,omitempty"` + + // Timeout configuration for the backend + Timeout *Timeout `json:"timeout,omitempty"` + + // Retry configuration for the backend + Retry *RetryConfig `json:"retry,omitempty"` + + // HealthCheck configuration for the backend tcp health check + HealthCheck *HealthCheck `json:"healthCheck,omitempty"` +} + +// HealthCheck defines the health check configurations +type HealthCheck struct { + + // Timeout is the time to wait for a health check response. + // If the timeout is reached the health check attempt will be considered a failure. + // + // +kubebuilder:default=1 + // +optional + Timeout uint32 `json:"timeout,omitempty"` + + // Interval is the time between health check attempts in seconds. + // + // +kubebuilder:default=30 + // +optional + Interval uint32 `json:"interval,omitempty"` + + // UnhealthyThreshold is the number of consecutive health check failures required + // before a backend is marked unhealthy. + // + // +kubebuilder:default=2 + // +optional + UnhealthyThreshold uint32 `json:"unhealthyThreshold,omitempty"` + + // HealthyThreshold is the number of healthy health checks required before a host is marked healthy. + // Note that during startup, only a single successful health check is required to mark a host healthy. + // + // +kubebuilder:default=2 + // +optional + HealthyThreshold uint32 `json:"healthyThreshold,omitempty"` +} + +// Timeout defines the timeout configurations +type Timeout struct { + // UpstreamResponseTimeout spans between the point at which the entire downstream request (i.e. end-of-stream) has been processed and + // when the upstream response has been completely processed. + // A value of 0 will disable the route’s timeout. 
+ // + // +kubebuilder:default=15 + UpstreamResponseTimeout uint32 `json:"upstreamResponseTimeout"` + + // DownstreamRequestIdleTimeout bounds the amount of time the request's stream may be idle. + // A value of 0 will completely disable the route's idle timeout. + // + // +kubebuilder:default=300 + // +optional + DownstreamRequestIdleTimeout uint32 `json:"downstreamRequestIdleTimeout"` +} + +// CircuitBreaker defines the circuit breaker configurations +type CircuitBreaker struct { + + // MaxConnections is the maximum number of connections that will make to the upstream cluster. + // + // +kubebuilder:default=1024 + // +optional + MaxConnections uint32 `json:"maxConnections"` + + // MaxPendingRequests is the maximum number of pending requests that will allow to the upstream cluster. + // + // +kubebuilder:default=1024 + // +optional + MaxPendingRequests uint32 `json:"maxPendingRequests"` + + // MaxRequests is the maximum number of parallel requests that will make to the upstream cluster. + // + // +kubebuilder:default=1024 + // +optional + MaxRequests uint32 `json:"maxRequests"` + + // MaxRetries is the maximum number of parallel retries that will allow to the upstream cluster. + // + // +kubebuilder:default=3 + // +optional + MaxRetries uint32 `json:"maxRetries"` + + // MaxConnectionPools is the maximum number of parallel connection pools that will allow to the upstream cluster. + // If not specified, the default is unlimited. + // + // +optional + // +kubebuilder:validation:Minimum=1 + MaxConnectionPools uint32 `json:"maxConnectionPools"` +} + +// RetryConfig defines retry configurations +type RetryConfig struct { + + // Count defines the number of retries. + // If exceeded, TooEarly(425 response code) response will be sent to the client. + // + // +kubebuilder:default=1 + Count uint32 `json:"count"` + + // BaseIntervalMillis is exponential retry back off and it defines the base interval between retries in milliseconds. 
+ // maximum interval is 10 times of the BaseIntervalMillis + // + // +kubebuilder:default=25 + // +kubebuilder:validation:Minimum=1 + // +optional + BaseIntervalMillis uint32 `json:"baseIntervalMillis"` + + // StatusCodes defines the list of status codes to retry + // + // +optional + StatusCodes []uint32 `json:"statusCodes,omitempty"` +} + +// Service holds host and port information for the service +type Service struct { + // Host is the hostname of the service + // + // +kubebuilder:validation:MinLength=1 + Host string `json:"host"` + + // Port of the service + Port uint32 `json:"port"` +} + +// TLSConfig defines enpoint TLS configurations +type TLSConfig struct { + // CertificateInline is the Inline Certificate entry + CertificateInline *string `json:"certificateInline,omitempty"` + + // SecretRef denotes the reference to the Secret that contains the Certificate + SecretRef *RefConfig `json:"secretRef,omitempty"` + + // ConfigMapRef denotes the reference to the ConfigMap that contains the Certificate + ConfigMapRef *RefConfig `json:"configMapRef,omitempty"` + + // AllowedCNs is the list of allowed Subject Alternative Names (SANs) + // + // +optional + AllowedSANs []string `json:"allowedSANs,omitempty"` +} + +// SecurityConfig defines enpoint security configurations +type SecurityConfig struct { + // Basic security configuration + Basic *BasicSecurityConfig `json:"basic,omitempty"` + // APIKey security configuration + APIKey *APIKeySecurityConfig `json:"apiKey,omitempty"` +} + +// APIKeySecurityConfig defines APIKey security configurations +type APIKeySecurityConfig struct { + // In is to specify how the APIKey is passed to the request + // + // +kubebuilder:validation:Enum=Header;Query + // +kubebuilder:validation:MinLength=1 + In string `json:"in,omitempty"` + + // Name is the name of the header or query parameter to be used + // +kubebuilder:validation:MinLength=1 + Name string `json:"name,omitempty"` + + // ValueRef to value + ValueFrom ValueRef 
`json:"valueFrom"` +} + +// ValueRef to value +type ValueRef struct { + // Name of the secret + // + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // Field Key of the APIKey + // + // +kubebuilder:validation:MinLength=1 + ValueKey string `json:"valueKey"` +} + +// BasicSecurityConfig defines basic security configurations +type BasicSecurityConfig struct { + // SecretRef to credentials + SecretRef SecretRef `json:"secretRef"` +} + +// SecretRef to credentials +type SecretRef struct { + // Name of the secret + // + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // Username Key value + // + // +kubebuilder:validation:MinLength=1 + UsernameKey string `json:"usernameKey"` + + // Password Key of the secret + // + // +kubebuilder:validation:MinLength=1 + PasswordKey string `json:"passwordKey"` +} + +// BackendStatus defines the observed state of Backend +type BackendStatus struct{} + +//+kubebuilder:object:root=true +//+kubebuilder:subresource:status +//+kubebuilder:storageversion + +// Backend is the Schema for the backends API +type Backend struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec BackendSpec `json:"spec,omitempty"` + Status BackendStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// BackendList contains a list of Backend +type BackendList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Backend `json:"items"` +} + +func init() { + SchemeBuilder.Register(&Backend{}, &BackendList{}) +} diff --git a/common-go-libs/apis/dp/v1alpha2/resolvedbackend.go b/common-go-libs/apis/dp/v1alpha2/resolvedbackend.go new file mode 100644 index 000000000..670fd0dd9 --- /dev/null +++ b/common-go-libs/apis/dp/v1alpha2/resolvedbackend.go 
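Review bot: `APIKeySecurityConfig.In` and `.Name` carry `MinLength=1` but are tagged `omitempty`, which controller-gen normally treats as optional, so a Backend that omits them would presumably pass admission and resolve to an API key with no placement or parameter name. Dropping `omitempty` (`json:"in"`, `json:"name"`) or adding `// +kubebuilder:validation:Required` would close that. `SecurityConfig` also accepts `basic` and `apiKey` together with no stated precedence; a comment such as `// Exactly one of Basic or APIKey should be set; Basic takes precedence when both are present.` would document what the resolver in utils.go does. The `Query` option deserves a comment that the key then travels in the request URL, where proxy and access logs commonly record it.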
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package v1alpha2
+
+// ResolvedBackend holds backend properties
+type ResolvedBackend struct {
+ Backend Backend
+ Services []Service
+ Protocol BackendProtocolType
+ TLS ResolvedTLSConfig
+ Security ResolvedSecurityConfig
+ CircuitBreaker *CircuitBreaker
+ Timeout *Timeout
+ Retry *RetryConfig
+ BasePath string `json:"basePath"`
+ HealthCheck *HealthCheck
+}
+
+// ResolvedTLSConfig defines enpoint TLS configurations
+type ResolvedTLSConfig struct {
+ ResolvedCertificate string
+ AllowedSANs []string
+}
+
+// ResolvedSecurityConfig defines enpoint resolved security configurations
+type ResolvedSecurityConfig struct {
+ Type string
+ Basic ResolvedBasicSecurityConfig
+ APIKey ResolvedAPIKeySecurityConfig
+}
+
+// ResolvedBasicSecurityConfig defines resolved basic security configuration
+type ResolvedBasicSecurityConfig struct {
+ Username string
+ Password string
+}
+
+// ResolvedAPIKeySecurityConfig defines resolved API key security configuration
+type ResolvedAPIKeySecurityConfig struct {
+ In string
+ Name string
+ Value string
+}
diff --git a/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go b/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go
index 3707b5f9c..f3ef8ae5f 100644
--- a/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go
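Review bot: `ResolvedBasicSecurityConfig.Password` and `ResolvedAPIKeySecurityConfig.Value` in resolvedbackend.go hold resolved plaintext credentials, yet nothing on these types says so, and default `%v` formatting of `ResolvedSecurityConfig`, or of a `ResolvedBackend` that contains it, prints them. A field comment such as `// Value is the resolved API key in plaintext; never log or serialize it.` would state the contract, and a redacting `String()` method on `ResolvedSecurityConfig` that returns only `Type` would make accidental logging harmless. `BasePath` is also the only field in the file with a JSON tag, which looks like a leftover.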
+++ b/common-go-libs/apis/dp/v1alpha2/zz_generated.deepcopy.go @@ -97,6 +97,22 @@ func (in *APIKeyAuth) DeepCopy() *APIKeyAuth { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *APIKeySecurityConfig) DeepCopyInto(out *APIKeySecurityConfig) { + *out = *in + out.ValueFrom = in.ValueFrom +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIKeySecurityConfig. +func (in *APIKeySecurityConfig) DeepCopy() *APIKeySecurityConfig { + if in == nil { + return nil + } + out := new(APIKeySecurityConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIList) DeepCopyInto(out *APIList) { *out = *in @@ -404,6 +420,33 @@ func (in *AuthenticationStatus) DeepCopy() *AuthenticationStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Backend) DeepCopyInto(out *Backend) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + out.Status = in.Status +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Backend. +func (in *Backend) DeepCopy() *Backend { + if in == nil { + return nil + } + out := new(Backend) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Backend) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackendJWTToken) DeepCopyInto(out *BackendJWTToken) { *out = *in 
@@ -419,6 +462,119 @@ func (in *BackendJWTToken) DeepCopy() *BackendJWTToken { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendList) DeepCopyInto(out *BackendList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Backend, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendList. +func (in *BackendList) DeepCopy() *BackendList { + if in == nil { + return nil + } + out := new(BackendList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *BackendList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *BackendSpec) DeepCopyInto(out *BackendSpec) { + *out = *in + if in.Services != nil { + in, out := &in.Services, &out.Services + *out = make([]Service, len(*in)) + copy(*out, *in) + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSConfig) + (*in).DeepCopyInto(*out) + } + if in.Security != nil { + in, out := &in.Security, &out.Security + *out = new(SecurityConfig) + (*in).DeepCopyInto(*out) + } + if in.CircuitBreaker != nil { + in, out := &in.CircuitBreaker, &out.CircuitBreaker + *out = new(CircuitBreaker) + **out = **in + } + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(Timeout) + **out = **in + } + if in.Retry != nil { + in, out := &in.Retry, &out.Retry + *out = new(RetryConfig) + (*in).DeepCopyInto(*out) + } + if in.HealthCheck != nil { + in, out := &in.HealthCheck, &out.HealthCheck + *out = new(HealthCheck) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendSpec. +func (in *BackendSpec) DeepCopy() *BackendSpec { + if in == nil { + return nil + } + out := new(BackendSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendStatus) DeepCopyInto(out *BackendStatus) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendStatus. +func (in *BackendStatus) DeepCopy() *BackendStatus { + if in == nil { + return nil + } + out := new(BackendStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BasicSecurityConfig) DeepCopyInto(out *BasicSecurityConfig) { + *out = *in + out.SecretRef = in.SecretRef +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicSecurityConfig. 
+func (in *BasicSecurityConfig) DeepCopy() *BasicSecurityConfig { + if in == nil { + return nil + } + out := new(BasicSecurityConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CERTConfig) DeepCopyInto(out *CERTConfig) { *out = *in @@ -489,6 +645,21 @@ func (in *CORSPolicy) DeepCopy() *CORSPolicy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CircuitBreaker) DeepCopyInto(out *CircuitBreaker) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CircuitBreaker. +func (in *CircuitBreaker) DeepCopy() *CircuitBreaker { + if in == nil { + return nil + } + out := new(CircuitBreaker) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClaimMapping) DeepCopyInto(out *ClaimMapping) { *out = *in @@ -731,6 +902,21 @@ func (in *GQLRouteStatus) DeepCopy() *GQLRouteStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HealthCheck) DeepCopyInto(out *HealthCheck) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheck. +func (in *HealthCheck) DeepCopy() *HealthCheck { + if in == nil { + return nil + } + out := new(HealthCheck) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InterceptorReference) DeepCopyInto(out *InterceptorReference) { *out = *in 
@@ -939,6 +1125,191 @@ func (in *RefConfig) DeepCopy() *RefConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResolvedAPIKeySecurityConfig) DeepCopyInto(out *ResolvedAPIKeySecurityConfig) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolvedAPIKeySecurityConfig. +func (in *ResolvedAPIKeySecurityConfig) DeepCopy() *ResolvedAPIKeySecurityConfig { + if in == nil { + return nil + } + out := new(ResolvedAPIKeySecurityConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResolvedBackend) DeepCopyInto(out *ResolvedBackend) { + *out = *in + in.Backend.DeepCopyInto(&out.Backend) + if in.Services != nil { + in, out := &in.Services, &out.Services + *out = make([]Service, len(*in)) + copy(*out, *in) + } + in.TLS.DeepCopyInto(&out.TLS) + out.Security = in.Security + if in.CircuitBreaker != nil { + in, out := &in.CircuitBreaker, &out.CircuitBreaker + *out = new(CircuitBreaker) + **out = **in + } + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(Timeout) + **out = **in + } + if in.Retry != nil { + in, out := &in.Retry, &out.Retry + *out = new(RetryConfig) + (*in).DeepCopyInto(*out) + } + if in.HealthCheck != nil { + in, out := &in.HealthCheck, &out.HealthCheck + *out = new(HealthCheck) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolvedBackend. +func (in *ResolvedBackend) DeepCopy() *ResolvedBackend { + if in == nil { + return nil + } + out := new(ResolvedBackend) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ResolvedBasicSecurityConfig) DeepCopyInto(out *ResolvedBasicSecurityConfig) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolvedBasicSecurityConfig. +func (in *ResolvedBasicSecurityConfig) DeepCopy() *ResolvedBasicSecurityConfig { + if in == nil { + return nil + } + out := new(ResolvedBasicSecurityConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResolvedSecurityConfig) DeepCopyInto(out *ResolvedSecurityConfig) { + *out = *in + out.Basic = in.Basic + out.APIKey = in.APIKey +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolvedSecurityConfig. +func (in *ResolvedSecurityConfig) DeepCopy() *ResolvedSecurityConfig { + if in == nil { + return nil + } + out := new(ResolvedSecurityConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResolvedTLSConfig) DeepCopyInto(out *ResolvedTLSConfig) { + *out = *in + if in.AllowedSANs != nil { + in, out := &in.AllowedSANs, &out.AllowedSANs + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolvedTLSConfig. +func (in *ResolvedTLSConfig) DeepCopy() *ResolvedTLSConfig { + if in == nil { + return nil + } + out := new(ResolvedTLSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RetryConfig) DeepCopyInto(out *RetryConfig) { + *out = *in + if in.StatusCodes != nil { + in, out := &in.StatusCodes, &out.StatusCodes + *out = make([]uint32, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetryConfig. +func (in *RetryConfig) DeepCopy() *RetryConfig { + if in == nil { + return nil + } + out := new(RetryConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretRef) DeepCopyInto(out *SecretRef) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRef. +func (in *SecretRef) DeepCopy() *SecretRef { + if in == nil { + return nil + } + out := new(SecretRef) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecurityConfig) DeepCopyInto(out *SecurityConfig) { + *out = *in + if in.Basic != nil { + in, out := &in.Basic, &out.Basic + *out = new(BasicSecurityConfig) + **out = **in + } + if in.APIKey != nil { + in, out := &in.APIKey, &out.APIKey + *out = new(APIKeySecurityConfig) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityConfig. +func (in *SecurityConfig) DeepCopy() *SecurityConfig { + if in == nil { + return nil + } + out := new(SecurityConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Service) DeepCopyInto(out *Service) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Service. 
+func (in *Service) DeepCopy() *Service { + if in == nil { + return nil + } + out := new(Service) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SignatureValidation) DeepCopyInto(out *SignatureValidation) { *out = *in @@ -964,6 +1335,56 @@ func (in *SignatureValidation) DeepCopy() *SignatureValidation { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSConfig) DeepCopyInto(out *TLSConfig) { + *out = *in + if in.CertificateInline != nil { + in, out := &in.CertificateInline, &out.CertificateInline + *out = new(string) + **out = **in + } + if in.SecretRef != nil { + in, out := &in.SecretRef, &out.SecretRef + *out = new(RefConfig) + **out = **in + } + if in.ConfigMapRef != nil { + in, out := &in.ConfigMapRef, &out.ConfigMapRef + *out = new(RefConfig) + **out = **in + } + if in.AllowedSANs != nil { + in, out := &in.AllowedSANs, &out.AllowedSANs + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig. +func (in *TLSConfig) DeepCopy() *TLSConfig { + if in == nil { + return nil + } + out := new(TLSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Timeout) DeepCopyInto(out *Timeout) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timeout. +func (in *Timeout) DeepCopy() *Timeout { + if in == nil { + return nil + } + out := new(Timeout) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer) { *out = *in 
@@ -1076,3 +1497,18 @@ func (in *TokenIssuerStatus) DeepCopy() *TokenIssuerStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ValueRef) DeepCopyInto(out *ValueRef) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValueRef. +func (in *ValueRef) DeepCopy() *ValueRef { + if in == nil { + return nil + } + out := new(ValueRef) + in.DeepCopyInto(out) + return out +} diff --git a/common-go-libs/config/crd/bases/dp.wso2.com_backends.yaml b/common-go-libs/config/crd/bases/dp.wso2.com_backends.yaml index 930a16d9d..a3318b653 100644 --- a/common-go-libs/config/crd/bases/dp.wso2.com_backends.yaml +++ b/common-go-libs/config/crd/bases/dp.wso2.com_backends.yaml 
@@ -261,6 +261,290 @@ spec: type: object type: object served: true + storage: false + subresources: + status: {} + - name: v1alpha2 + schema: + openAPIV3Schema: + description: Backend is the Schema for the backends API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackendSpec defines the desired state of Backend + properties: + basePath: + description: BasePath defines the base path of the backend + type: string + circuitBreaker: + description: CircuitBreaker defines the circuit breaker configurations + properties: + maxConnectionPools: + description: MaxConnectionPools is the maximum number of parallel + connection pools that will allow to the upstream cluster. If + not specified, the default is unlimited. + format: int32 + minimum: 1 + type: integer + maxConnections: + default: 1024 + description: MaxConnections is the maximum number of connections + that will make to the upstream cluster. + format: int32 + type: integer + maxPendingRequests: + default: 1024 + description: MaxPendingRequests is the maximum number of pending + requests that will allow to the upstream cluster. + format: int32 + type: integer + maxRequests: + default: 1024 + description: MaxRequests is the maximum number of parallel requests + that will make to the upstream cluster. 
+ format: int32 + type: integer + maxRetries: + default: 3 + description: MaxRetries is the maximum number of parallel retries + that will allow to the upstream cluster. + format: int32 + type: integer + type: object + healthCheck: + description: HealthCheck configuration for the backend tcp health + check + properties: + healthyThreshold: + default: 2 + description: HealthyThreshold is the number of healthy health + checks required before a host is marked healthy. Note that during + startup, only a single successful health check is required to + mark a host healthy. + format: int32 + type: integer + interval: + default: 30 + description: Interval is the time between health check attempts + in seconds. + format: int32 + type: integer + timeout: + default: 1 + description: Timeout is the time to wait for a health check response. + If the timeout is reached the health check attempt will be considered + a failure. + format: int32 + type: integer + unhealthyThreshold: + default: 2 + description: UnhealthyThreshold is the number of consecutive health + check failures required before a backend is marked unhealthy. + format: int32 + type: integer + type: object + protocol: + default: http + description: Protocol defines the backend protocol + enum: + - http + - https + - ws + - wss + type: string + retry: + description: Retry configuration for the backend + properties: + baseIntervalMillis: + default: 25 + description: BaseIntervalMillis is exponential retry back off + and it defines the base interval between retries in milliseconds. + maximum interval is 10 times of the BaseIntervalMillis + format: int32 + minimum: 1 + type: integer + count: + default: 1 + description: Count defines the number of retries. If exceeded, + TooEarly(425 response code) response will be sent to the client. 
+ format: int32 + type: integer + statusCodes: + description: StatusCodes defines the list of status codes to retry + items: + format: int32 + type: integer + type: array + required: + - count + type: object + security: + description: Security defines the security configurations of the backend + properties: + apiKey: + description: APIKey security configuration + properties: + in: + description: In is to specify how the APIKey is passed to + the request + enum: + - Header + - Query + minLength: 1 + type: string + name: + description: Name is the name of the header or query parameter + to be used + minLength: 1 + type: string + valueFrom: + description: ValueRef to value + properties: + name: + description: Name of the secret + minLength: 1 + type: string + valueKey: + description: Field Key of the APIKey + minLength: 1 + type: string + required: + - name + - valueKey + type: object + required: + - valueFrom + type: object + basic: + description: Basic security configuration + properties: + secretRef: + description: SecretRef to credentials + properties: + name: + description: Name of the secret + minLength: 1 + type: string + passwordKey: + description: Password Key of the secret + minLength: 1 + type: string + usernameKey: + description: Username Key value + minLength: 1 + type: string + required: + - name + - passwordKey + - usernameKey + type: object + required: + - secretRef + type: object + type: object + services: + description: Services holds hosts and ports + items: + description: Service holds host and port information for the service + properties: + host: + description: Host is the hostname of the service + minLength: 1 + type: string + port: + description: Port of the service + format: int32 + type: integer + required: + - host + - port + type: object + maxItems: 1 + minItems: 1 + type: array + timeout: + description: Timeout configuration for the backend + properties: + downstreamRequestIdleTimeout: + default: 300 + description: 
DownstreamRequestIdleTimeout bounds the amount of + time the request's stream may be idle. A value of 0 will completely + disable the route's idle timeout. + format: int32 + type: integer + upstreamResponseTimeout: + default: 15 + description: UpstreamResponseTimeout spans between the point at + which the entire downstream request (i.e. end-of-stream) has + been processed and when the upstream response has been completely + processed. A value of 0 will disable the route’s timeout. + format: int32 + type: integer + required: + - upstreamResponseTimeout + type: object + tls: + description: TLS defines the TLS configurations of the backend + properties: + allowedSANs: + description: AllowedCNs is the list of allowed Subject Alternative + Names (SANs) + items: + type: string + type: array + certificateInline: + description: CertificateInline is the Inline Certificate entry + type: string + configMapRef: + description: ConfigMapRef denotes the reference to the ConfigMap + that contains the Certificate + properties: + key: + description: Key of the secret or configmap + minLength: 1 + type: string + name: + description: Name of the secret or configmap + minLength: 1 + type: string + required: + - key + - name + type: object + secretRef: + description: SecretRef denotes the reference to the Secret that + contains the Certificate + properties: + key: + description: Key of the secret or configmap + minLength: 1 + type: string + name: + description: Name of the secret or configmap + minLength: 1 + type: string + required: + - key + - name + type: object + type: object + type: object + status: + description: BackendStatus defines the observed state of Backend + type: object + type: object + served: true storage: true subresources: status: {} 
diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/EndpointUtils.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/EndpointUtils.java index 449b0a661..6c3812abe 100644 --- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/EndpointUtils.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/util/EndpointUtils.java @@ -27,6 +27,8 @@ import org.wso2.apk.enforcer.constants.APIConstants; import java.util.Base64; +import java.util.Map; + import org.wso2.apk.enforcer.constants.AdapterConstants; /** @@ -56,6 +58,20 @@ public static void addEndpointSecurity(RequestContext requestContext) { Base64.getEncoder().encodeToString((securityInfo.getUsername() + ':' + String.valueOf(securityInfo.getPassword())).getBytes())); } + // Add APIKey header if the security type is APIKey + if (securityInfo != null && securityInfo.isEnabled() && + "APIKey".equalsIgnoreCase(securityInfo.getSecurityType())) { + if ("Header".equalsIgnoreCase(securityInfo.getCustomParameters().get("in"))) { + requestContext.getRemoveHeaders().remove(APIConstants.AUTHORIZATION_HEADER_DEFAULT + .toLowerCase()); + requestContext.addOrModifyHeaders(securityInfo.getCustomParameters().get("key"), + securityInfo.getCustomParameters().get("value")); + } else if ("Query".equalsIgnoreCase(securityInfo.getCustomParameters().get("in"))) { + Map queryParamsToAdd = requestContext.getQueryParamsToAdd(); + queryParamsToAdd.put(securityInfo.getCustomParameters().get("key"), + securityInfo.getCustomParameters().get("value")); + } + } } } } diff --git a/helm-charts/crds/dp.wso2.com_backends.yaml b/helm-charts/crds/dp.wso2.com_backends.yaml index 40f5798b1..4824ab2fc 100644 --- a/helm-charts/crds/dp.wso2.com_backends.yaml +++ b/helm-charts/crds/dp.wso2.com_backends.yaml 
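Review bot: In the `Header` branch of the new APIKey block, `requestContext.getRemoveHeaders().remove(APIConstants.AUTHORIZATION_HEADER_DEFAULT.toLowerCase())` runs whatever header name is configured, so when the key is sent under a name other than `Authorization`, the client's own Authorization header is presumably taken off the removal list and may be forwarded to the backend together with the key. The call looks carried over from the Basic branch just above, which appears to set Authorization itself; here it should be guarded, e.g. `if (APIConstants.AUTHORIZATION_HEADER_DEFAULT.equalsIgnoreCase(name)) { ... }`, with `name` read once from `getCustomParameters().get("key")`. The v1alpha2 CRD added in this patch lists only `valueFrom` as required under `apiKey`, so unless the adapter supplies defaults for `in` and `name`, those lookups can return null, and both branches should skip injection when the name or value is null or empty. In the `Query` branch the key becomes part of the upstream URL, where it tends to end up in access logs, so a comment saying so would help operators prefer `Header`. `addEndpointSecurity` starts outside this hunk, so how `getRemoveHeaders()` is populated is not visible here.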
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: backends.dp.wso2.com spec: group: dp.wso2.com 
@@ -15,253 +14,537 @@ spec: singular: backend scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Backend is the Schema for the backends API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Backend is the Schema for the backends API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BackendSpec defines the desired state of Backend - properties: - basePath: - description: BasePath defines the base path of the backend - type: string - circuitBreaker: - description: CircuitBreaker defines the circuit breaker configurations - properties: - maxConnectionPools: - description: MaxConnectionPools is the maximum number of parallel - connection pools that will allow to the upstream cluster. If - not specified, the default is unlimited. - format: int32 - minimum: 1 - type: integer - maxConnections: - default: 1024 - description: MaxConnections is the maximum number of connections - that will make to the upstream cluster. 
- format: int32 - type: integer - maxPendingRequests: - default: 1024 - description: MaxPendingRequests is the maximum number of pending - requests that will allow to the upstream cluster. - format: int32 - type: integer - maxRequests: - default: 1024 - description: MaxRequests is the maximum number of parallel requests - that will make to the upstream cluster. - format: int32 - type: integer - maxRetries: - default: 3 - description: MaxRetries is the maximum number of parallel retries - that will allow to the upstream cluster. - format: int32 - type: integer - type: object - healthCheck: - description: HealthCheck configuration for the backend tcp health - check - properties: - healthyThreshold: - default: 2 - description: HealthyThreshold is the number of healthy health - checks required before a host is marked healthy. Note that during - startup, only a single successful health check is required to - mark a host healthy. - format: int32 - type: integer - interval: - default: 30 - description: Interval is the time between health check attempts - in seconds. - format: int32 - type: integer - timeout: - default: 1 - description: Timeout is the time to wait for a health check response. - If the timeout is reached the health check attempt will be considered - a failure. - format: int32 - type: integer - unhealthyThreshold: - default: 2 - description: UnhealthyThreshold is the number of consecutive health - check failures required before a backend is marked unhealthy. - format: int32 - type: integer - type: object - protocol: - default: http - description: Protocol defines the backend protocol - enum: - - http - - https - - ws - - wss - type: string - retry: - description: Retry configuration for the backend - properties: - baseIntervalMillis: - default: 25 - description: BaseIntervalMillis is exponential retry back off - and it defines the base interval between retries in milliseconds. 
- maximum interval is 10 times of the BaseIntervalMillis - format: int32 - minimum: 1 - type: integer - count: - default: 1 - description: Count defines the number of retries. If exceeded, - TooEarly(425 response code) response will be sent to the client. - format: int32 - type: integer - statusCodes: - description: StatusCodes defines the list of status codes to retry - items: + type: string + metadata: + type: object + spec: + description: BackendSpec defines the desired state of Backend + properties: + basePath: + description: BasePath defines the base path of the backend + type: string + circuitBreaker: + description: CircuitBreaker defines the circuit breaker configurations + properties: + maxConnectionPools: + description: MaxConnectionPools is the maximum number of parallel + connection pools that will allow to the upstream cluster. If + not specified, the default is unlimited. format: int32 + minimum: 1 type: integer - type: array - required: - - count - type: object - security: - description: Security defines the security configurations of the backend - properties: - basic: - description: Basic security configuration - properties: - secretRef: - description: SecretRef to credentials - properties: - name: - description: Name of the secret - minLength: 1 - type: string - passwordKey: - description: Key of the secret - minLength: 1 - type: string - usernameKey: - description: Namespace of the secret - minLength: 1 - type: string - required: - - name - - passwordKey - - usernameKey - type: object - required: - - secretRef - type: object - type: object - services: - description: Services holds hosts and ports - items: - description: Service holds host and port information for the service + maxConnections: + default: 1024 + description: MaxConnections is the maximum number of connections + that will make to the upstream cluster. 
+ format: int32 + type: integer + maxPendingRequests: + default: 1024 + description: MaxPendingRequests is the maximum number of pending + requests that will allow to the upstream cluster. + format: int32 + type: integer + maxRequests: + default: 1024 + description: MaxRequests is the maximum number of parallel requests + that will make to the upstream cluster. + format: int32 + type: integer + maxRetries: + default: 3 + description: MaxRetries is the maximum number of parallel retries + that will allow to the upstream cluster. + format: int32 + type: integer + type: object + healthCheck: + description: HealthCheck configuration for the backend tcp health + check properties: - host: - description: Host is the hostname of the service - minLength: 1 - type: string - port: - description: Port of the service + healthyThreshold: + default: 2 + description: HealthyThreshold is the number of healthy health + checks required before a host is marked healthy. Note that during + startup, only a single successful health check is required to + mark a host healthy. + format: int32 + type: integer + interval: + default: 30 + description: Interval is the time between health check attempts + in seconds. + format: int32 + type: integer + timeout: + default: 1 + description: Timeout is the time to wait for a health check response. + If the timeout is reached the health check attempt will be considered + a failure. + format: int32 + type: integer + unhealthyThreshold: + default: 2 + description: UnhealthyThreshold is the number of consecutive health + check failures required before a backend is marked unhealthy. 
+ format: int32 + type: integer + type: object + protocol: + default: http + description: Protocol defines the backend protocol + enum: + - http + - https + - ws + - wss + type: string + retry: + description: Retry configuration for the backend + properties: + baseIntervalMillis: + default: 25 + description: BaseIntervalMillis is exponential retry back off + and it defines the base interval between retries in milliseconds. + maximum interval is 10 times of the BaseIntervalMillis + format: int32 + minimum: 1 + type: integer + count: + default: 1 + description: Count defines the number of retries. If exceeded, + TooEarly(425 response code) response will be sent to the client. format: int32 type: integer + statusCodes: + description: StatusCodes defines the list of status codes to retry + items: + format: int32 + type: integer + type: array required: - - host - - port + - count type: object - maxItems: 1 - minItems: 1 - type: array - timeout: - description: Timeout configuration for the backend - properties: - downstreamRequestIdleTimeout: - default: 300 - description: DownstreamRequestIdleTimeout bounds the amount of - time the request's stream may be idle. A value of 0 will completely - disable the route's idle timeout. - format: int32 - type: integer - upstreamResponseTimeout: - default: 15 - description: UpstreamResponseTimeout spans between the point at - which the entire downstream request (i.e. end-of-stream) has - been processed and when the upstream response has been completely - processed. A value of 0 will disable the route’s timeout. 
- format: int32 - type: integer - required: - - upstreamResponseTimeout - type: object - tls: - description: TLS defines the TLS configurations of the backend - properties: - allowedSANs: - description: AllowedCNs is the list of allowed Subject Alternative - Names (SANs) - items: - type: string - type: array - certificateInline: - description: CertificateInline is the Inline Certificate entry - type: string - configMapRef: - description: ConfigMapRef denotes the reference to the ConfigMap - that contains the Certificate + security: + description: Security defines the security configurations of the backend + properties: + basic: + description: Basic security configuration + properties: + secretRef: + description: SecretRef to credentials + properties: + name: + description: Name of the secret + minLength: 1 + type: string + passwordKey: + description: Key of the secret + minLength: 1 + type: string + usernameKey: + description: Namespace of the secret + minLength: 1 + type: string + required: + - name + - passwordKey + - usernameKey + type: object + required: + - secretRef + type: object + type: object + services: + description: Services holds hosts and ports + items: + description: Service holds host and port information for the service properties: - key: - description: Key of the secret or configmap - minLength: 1 - type: string - name: - description: Name of the secret or configmap + host: + description: Host is the hostname of the service minLength: 1 type: string + port: + description: Port of the service + format: int32 + type: integer required: - - key - - name + - host + - port type: object - secretRef: - description: SecretRef denotes the reference to the Secret that - contains the Certificate - properties: - key: - description: Key of the secret or configmap - minLength: 1 + maxItems: 1 + minItems: 1 + type: array + timeout: + description: Timeout configuration for the backend + properties: + downstreamRequestIdleTimeout: + default: 300 + description: 
DownstreamRequestIdleTimeout bounds the amount of + time the request's stream may be idle. A value of 0 will completely + disable the route's idle timeout. + format: int32 + type: integer + upstreamResponseTimeout: + default: 15 + description: UpstreamResponseTimeout spans between the point at + which the entire downstream request (i.e. end-of-stream) has + been processed and when the upstream response has been completely + processed. A value of 0 will disable the route’s timeout. + format: int32 + type: integer + required: + - upstreamResponseTimeout + type: object + tls: + description: TLS defines the TLS configurations of the backend + properties: + allowedSANs: + description: AllowedCNs is the list of allowed Subject Alternative + Names (SANs) + items: type: string - name: - description: Name of the secret or configmap + type: array + certificateInline: + description: CertificateInline is the Inline Certificate entry + type: string + configMapRef: + description: ConfigMapRef denotes the reference to the ConfigMap + that contains the Certificate + properties: + key: + description: Key of the secret or configmap + minLength: 1 + type: string + name: + description: Name of the secret or configmap + minLength: 1 + type: string + required: + - key + - name + type: object + secretRef: + description: SecretRef denotes the reference to the Secret that + contains the Certificate + properties: + key: + description: Key of the secret or configmap + minLength: 1 + type: string + name: + description: Name of the secret or configmap + minLength: 1 + type: string + required: + - key + - name + type: object + type: object + type: object + status: + description: BackendStatus defines the observed state of Backend + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha2 + schema: + openAPIV3Schema: + description: Backend is the Schema for the backends API + properties: + apiVersion: + description: 'APIVersion defines the 
versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackendSpec defines the desired state of Backend + properties: + basePath: + description: BasePath defines the base path of the backend + type: string + circuitBreaker: + description: CircuitBreaker defines the circuit breaker configurations + properties: + maxConnectionPools: + description: MaxConnectionPools is the maximum number of parallel + connection pools that will allow to the upstream cluster. If + not specified, the default is unlimited. + format: int32 + minimum: 1 + type: integer + maxConnections: + default: 1024 + description: MaxConnections is the maximum number of connections + that will make to the upstream cluster. + format: int32 + type: integer + maxPendingRequests: + default: 1024 + description: MaxPendingRequests is the maximum number of pending + requests that will allow to the upstream cluster. + format: int32 + type: integer + maxRequests: + default: 1024 + description: MaxRequests is the maximum number of parallel requests + that will make to the upstream cluster. + format: int32 + type: integer + maxRetries: + default: 3 + description: MaxRetries is the maximum number of parallel retries + that will allow to the upstream cluster. 
+ format: int32 + type: integer + type: object + healthCheck: + description: HealthCheck configuration for the backend tcp health + check + properties: + healthyThreshold: + default: 2 + description: HealthyThreshold is the number of healthy health + checks required before a host is marked healthy. Note that during + startup, only a single successful health check is required to + mark a host healthy. + format: int32 + type: integer + interval: + default: 30 + description: Interval is the time between health check attempts + in seconds. + format: int32 + type: integer + timeout: + default: 1 + description: Timeout is the time to wait for a health check response. + If the timeout is reached the health check attempt will be considered + a failure. + format: int32 + type: integer + unhealthyThreshold: + default: 2 + description: UnhealthyThreshold is the number of consecutive health + check failures required before a backend is marked unhealthy. + format: int32 + type: integer + type: object + protocol: + default: http + description: Protocol defines the backend protocol + enum: + - http + - https + - ws + - wss + type: string + retry: + description: Retry configuration for the backend + properties: + baseIntervalMillis: + default: 25 + description: BaseIntervalMillis is exponential retry back off + and it defines the base interval between retries in milliseconds. + maximum interval is 10 times of the BaseIntervalMillis + format: int32 + minimum: 1 + type: integer + count: + default: 1 + description: Count defines the number of retries. If exceeded, + TooEarly(425 response code) response will be sent to the client. 
+ format: int32 + type: integer + statusCodes: + description: StatusCodes defines the list of status codes to retry + items: + format: int32 + type: integer + type: array + required: + - count + type: object + security: + description: Security defines the security configurations of the backend + properties: + apiKey: + description: APIKey security configuration + properties: + in: + description: In is to specify how the APIKey is passed to + the request + enum: + - Header + - Query + minLength: 1 + type: string + name: + description: Name is the name of the header or query parameter + to be used + minLength: 1 + type: string + valueFrom: + description: ValueRef to value + properties: + name: + description: Name of the secret + minLength: 1 + type: string + valueKey: + description: Field Key of the APIKey + minLength: 1 + type: string + required: + - name + - valueKey + type: object + required: + - valueFrom + type: object + basic: + description: Basic security configuration + properties: + secretRef: + description: SecretRef to credentials + properties: + name: + description: Name of the secret + minLength: 1 + type: string + passwordKey: + description: Password Key of the secret + minLength: 1 + type: string + usernameKey: + description: Username Key value + minLength: 1 + type: string + required: + - name + - passwordKey + - usernameKey + type: object + required: + - secretRef + type: object + type: object + services: + description: Services holds hosts and ports + items: + description: Service holds host and port information for the service + properties: + host: + description: Host is the hostname of the service minLength: 1 type: string + port: + description: Port of the service + format: int32 + type: integer required: - - key - - name + - host + - port type: object - type: object - type: object - status: - description: BackendStatus defines the observed state of Backend - type: object - type: object - served: true - storage: true - subresources: - status: {} 
+ maxItems: 1 + minItems: 1 + type: array + timeout: + description: Timeout configuration for the backend + properties: + downstreamRequestIdleTimeout: + default: 300 + description: DownstreamRequestIdleTimeout bounds the amount of + time the request's stream may be idle. A value of 0 will completely + disable the route's idle timeout. + format: int32 + type: integer + upstreamResponseTimeout: + default: 15 + description: UpstreamResponseTimeout spans between the point at + which the entire downstream request (i.e. end-of-stream) has + been processed and when the upstream response has been completely + processed. A value of 0 will disable the route’s timeout. + format: int32 + type: integer + required: + - upstreamResponseTimeout + type: object + tls: + description: TLS defines the TLS configurations of the backend + properties: + allowedSANs: + description: AllowedCNs is the list of allowed Subject Alternative + Names (SANs) + items: + type: string + type: array + certificateInline: + description: CertificateInline is the Inline Certificate entry + type: string + configMapRef: + description: ConfigMapRef denotes the reference to the ConfigMap + that contains the Certificate + properties: + key: + description: Key of the secret or configmap + minLength: 1 + type: string + name: + description: Name of the secret or configmap + minLength: 1 + type: string + required: + - key + - name + type: object + secretRef: + description: SecretRef denotes the reference to the Secret that + contains the Certificate + properties: + key: + description: Key of the secret or configmap + minLength: 1 + type: string + name: + description: Name of the secret or configmap + minLength: 1 + type: string + required: + - key + - name + type: object + type: object + type: object + status: + description: BackendStatus defines the observed state of Backend + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml b/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml index c78bba486..d2e7f033b 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-generator-domain-api-backend.yaml @@ -15,7 +15,7 @@ # under the License. {{- if and .Values.wso2.apk.dp.enabled .Values.wso2.apk.dp.configdeployer.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-config-generator-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/data-plane/gateway-components/common-controller/api/notification-api.yaml b/helm-charts/templates/data-plane/gateway-components/common-controller/api/notification-api.yaml index c9cc6f773..04fd5e4a1 100644 --- a/helm-charts/templates/data-plane/gateway-components/common-controller/api/notification-api.yaml +++ b/helm-charts/templates/data-plane/gateway-components/common-controller/api/notification-api.yaml @@ -38,7 +38,7 @@ spec: systemAPI: true --- kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-notification-api-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml index 0fa07ae31..d25802599 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/jwks-domain-api-backend.yaml 
@@ -15,7 +15,7 @@ # under the License. {{- if .Values.idp.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-jwks-endpoint-ds-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml b/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml index 4ace790f6..6ac4f6c65 100644 --- a/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml +++ b/helm-charts/templates/idp/authenticationEndpoint-domain-api-backend.yaml @@ -15,7 +15,7 @@ # under the License. {{- if .Values.idp.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-authentication-endpoint-ds-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml b/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml index 0e3576f86..78d578e8f 100644 --- a/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml +++ b/helm-charts/templates/idp/commonoauth-domain-api-backend.yaml @@ -15,7 +15,7 @@ # under the License. {{- if .Values.idp.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-commonoauth-ds-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/idp/dcr-domain-api-backend.yaml b/helm-charts/templates/idp/dcr-domain-api-backend.yaml index cb21604ff..66c53b762 100644 --- a/helm-charts/templates/idp/dcr-domain-api-backend.yaml +++ b/helm-charts/templates/idp/dcr-domain-api-backend.yaml 
@@ -15,7 +15,7 @@ # under the License. {{- if .Values.idp.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-dcr-ds-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml b/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml index 6667596eb..c4e9852a0 100644 --- a/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml +++ b/helm-charts/templates/idp/idp-ui/idp-ui-backend.yaml @@ -15,7 +15,7 @@ # under the License. {{- if .Values.idp.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-idp-ui-backend namespace: {{ .Release.Namespace }} diff --git a/helm-charts/templates/idp/oauth-domain-api-backend.yaml b/helm-charts/templates/idp/oauth-domain-api-backend.yaml index 06078af08..f18b2b1a5 100644 --- a/helm-charts/templates/idp/oauth-domain-api-backend.yaml +++ b/helm-charts/templates/idp/oauth-domain-api-backend.yaml @@ -15,7 +15,7 @@ # under the License. {{- if .Values.idp.enabled }} kind: "Backend" -apiVersion: "dp.wso2.com/v1alpha1" +apiVersion: "dp.wso2.com/v1alpha2" metadata: name: {{ template "apk-helm.resource.prefix" . }}-oauth-ds-backend namespace: {{ .Release.Namespace }} diff --git a/test/apim-apk-agent-test/cucumber-tests/CRs/artifacts.yaml b/test/apim-apk-agent-test/cucumber-tests/CRs/artifacts.yaml index c6edf4187..aa3cac1cd 100644 --- a/test/apim-apk-agent-test/cucumber-tests/CRs/artifacts.yaml +++ b/test/apim-apk-agent-test/cucumber-tests/CRs/artifacts.yaml @@ -241,7 +241,7 @@ spec: kind: Gateway name: wso2-apk-default --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: interceptor-backend-v1 diff --git a/test/cucumber-tests/CRs/agent-artifacts.yaml b/test/cucumber-tests/CRs/agent-artifacts.yaml index 488360fb4..d758aa9f8 100644 
--- a/test/cucumber-tests/CRs/agent-artifacts.yaml +++ b/test/cucumber-tests/CRs/agent-artifacts.yaml @@ -238,7 +238,7 @@ spec: kind: Gateway name: wso2-apk-default --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: interceptor-backend-v1 diff --git a/test/cucumber-tests/CRs/artifacts.yaml b/test/cucumber-tests/CRs/artifacts.yaml index cf592dad8..a1731fb90 100644 --- a/test/cucumber-tests/CRs/artifacts.yaml +++ b/test/cucumber-tests/CRs/artifacts.yaml @@ -238,7 +238,7 @@ spec: kind: Gateway name: wso2-apk-default --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: interceptor-backend-v1 diff --git a/test/integration/integration/tests/backend-api-key-security.go b/test/integration/integration/tests/backend-api-key-security.go new file mode 100644 index 000000000..7fde8681e --- /dev/null +++ b/test/integration/integration/tests/backend-api-key-security.go 
@@ -0,0 +1,73 @@ +/* + * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package tests + +import ( + "testing" + + "github.com/wso2/apk/test/integration/integration/utils/http" + "github.com/wso2/apk/test/integration/integration/utils/suite" +) + +func init() { + IntegrationTests = append(IntegrationTests, BackendAPIKeySecurity) +} + +// BackendAPIKeySecurity test +var BackendAPIKeySecurity = suite.IntegrationTest{ + ShortName: "BackendAPIKeySecurity", + Description: "An API with backend API Key Security", + Manifests: []string{"tests/backend-api-key-security.yaml"}, + Test: func(t *testing.T, suite *suite.IntegrationTestSuite) { + ns := "gateway-integration-test-infra" + gwAddr := "backend-api-key-security.test.gw.wso2.com:9095" + token := http.GetTestToken(t) + + testCases := []http.ExpectedResponse{ + { + Request: http.Request{ + Host: "backend-api-key-security.test.gw.wso2.com", + Path: "/apikey-security-backend/1.0.0/chat/completions", + }, + BackendSetResponseHeaders: map[string]string{ + "Some-Other-Header": "val", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/chat/completions", + Headers: map[string]string{ + "api-key": "sampath", + }, + }, + }, + Response: http.Response{StatusCode: 200}, + Backend: "infra-backend-v1", + Namespace: ns, + }, + } + + for i := range testCases { + tc := testCases[i] + tc.Request.Headers = 
http.AddBearerTokenToHeader(token, tc.Request.Headers) + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + }, +} diff --git a/test/integration/integration/tests/resources/tests/all-http-methods-for-wildcard.yaml b/test/integration/integration/tests/resources/tests/all-http-methods-for-wildcard.yaml index fdbe8313d..2e34fab92 100644 --- a/test/integration/integration/tests/resources/tests/all-http-methods-for-wildcard.yaml +++ b/test/integration/integration/tests/resources/tests/all-http-methods-for-wildcard.yaml @@ -55,7 +55,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-different-listener.yaml b/test/integration/integration/tests/resources/tests/api-different-listener.yaml index b8c03f24f..829c5c55e 100644 --- a/test/integration/integration/tests/resources/tests/api-different-listener.yaml +++ b/test/integration/integration/tests/resources/tests/api-different-listener.yaml @@ -61,7 +61,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-policy-with-jwt-generator.yaml b/test/integration/integration/tests/resources/tests/api-policy-with-jwt-generator.yaml index bbc22ce45..4ae6e827e 100644 --- a/test/integration/integration/tests/resources/tests/api-policy-with-jwt-generator.yaml +++ b/test/integration/integration/tests/resources/tests/api-policy-with-jwt-generator.yaml 
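Review bot: The only entry in `testCases` sends no `api-key` header of its own, so the test never exercises a client that supplies that header, which is the case where the gateway-injected credential could be overridden or duplicated on its way to the backend. If the intended behaviour is that the Secret's value always wins, add a second case like the one below (the client value is a constructed sample), assuming `http.AddBearerTokenToHeader` keeps headers already present on the request. The expected value `sampath` is coupled to the base64 `apiKey` in the `mysecret` Secret of `tests/backend-api-key-security.yaml`, and a comment saying so would help whoever changes either side. `BackendSetResponseHeaders` sets `Some-Other-Header`, but nothing in `Response` checks it, so it looks like a leftover.

```go
		testCases := []http.ExpectedResponse{
			// … unchanged: existing case without a client-supplied api-key header …
			{
				Request: http.Request{
					Host: "backend-api-key-security.test.gw.wso2.com",
					Path: "/apikey-security-backend/1.0.0/chat/completions",
					// Constructed sample: the caller tries to supply its own key.
					Headers: map[string]string{
						"api-key": "client-supplied",
					},
				},
				ExpectedRequest: &http.ExpectedRequest{
					Request: http.Request{
						Path: "/chat/completions",
						Headers: map[string]string{
							// Must match the decoded apiKey of Secret "mysecret".
							"api-key": "sampath",
						},
					},
				},
				Response:  http.Response{StatusCode: 200},
				Backend:   "infra-backend-v1",
				Namespace: ns,
			},
		}
```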
@@ -79,7 +79,7 @@ spec: signingAlgorithm: "SHA256withRSA" header: "X-JWT-Assertion" --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-with-backend-base-path.yaml b/test/integration/integration/tests/resources/tests/api-with-backend-base-path.yaml index 9fb505524..7f8905d4a 100644 --- a/test/integration/integration/tests/resources/tests/api-with-backend-base-path.yaml +++ b/test/integration/integration/tests/resources/tests/api-with-backend-base-path.yaml @@ -14,7 +14,7 @@ # specific language governing permissions and limitations # under the License. -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-basepath diff --git a/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml b/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml index 9832ffc2a..09f80a2ce 100644 --- a/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml +++ b/test/integration/integration/tests/resources/tests/api-with-cors-policy.yaml @@ -130,7 +130,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-with-operational-policy.yaml b/test/integration/integration/tests/resources/tests/api-with-operational-policy.yaml index 6d350c3b8..e444e8271 100644 --- a/test/integration/integration/tests/resources/tests/api-with-operational-policy.yaml +++ b/test/integration/integration/tests/resources/tests/api-with-operational-policy.yaml @@ -81,7 +81,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 
diff --git a/test/integration/integration/tests/resources/tests/api-with-path-params.yaml b/test/integration/integration/tests/resources/tests/api-with-path-params.yaml index e4e1e053a..962c1c9ec 100644 --- a/test/integration/integration/tests/resources/tests/api-with-path-params.yaml +++ b/test/integration/integration/tests/resources/tests/api-with-path-params.yaml @@ -62,7 +62,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-with-request-header-modify.yaml b/test/integration/integration/tests/resources/tests/api-with-request-header-modify.yaml index d045c275e..1239dae38 100644 --- a/test/integration/integration/tests/resources/tests/api-with-request-header-modify.yaml +++ b/test/integration/integration/tests/resources/tests/api-with-request-header-modify.yaml @@ -76,7 +76,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-with-response-header-modify.yaml b/test/integration/integration/tests/resources/tests/api-with-response-header-modify.yaml index 6596cd0cd..398e6f502 100644 --- a/test/integration/integration/tests/resources/tests/api-with-response-header-modify.yaml +++ b/test/integration/integration/tests/resources/tests/api-with-response-header-modify.yaml @@ -89,7 +89,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/api-without-backend-base-path.yaml b/test/integration/integration/tests/resources/tests/api-without-backend-base-path.yaml index 2353d1ee4..9926a42d5 100644 
--- a/test/integration/integration/tests/resources/tests/api-without-backend-base-path.yaml +++ b/test/integration/integration/tests/resources/tests/api-without-backend-base-path.yaml @@ -55,7 +55,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/backend-api-key-security.yaml b/test/integration/integration/tests/resources/tests/backend-api-key-security.yaml new file mode 100644 index 000000000..b28877edd --- /dev/null +++ b/test/integration/integration/tests/resources/tests/backend-api-key-security.yaml 
@@ -0,0 +1,89 @@ +# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +apiVersion: dp.wso2.com/v1alpha2 +kind: API +metadata: + name: test-api-with-api-key-backend-security + namespace: gateway-integration-test-infra +spec: + apiName: API with API Key Backend Security + apiType: REST + apiVersion: 1.0.0 + basePath: /apikey-security-backend/1.0.0 + isDefaultVersion: true + #definitionFileRef: swagger-definition-webhook + production: + - routeRefs: + - test-api-with-api-key-backend-security-httproute + organization: wso2-org +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: test-api-with-api-key-backend-security-httproute + namespace: gateway-integration-test-infra +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: wso2-apk-default + namespace: apk-integration-test + sectionName: httpslistener + hostnames: + - backend-api-key-security.test.gw.wso2.com + rules: + - matches: + - path: + type: RegularExpression + value: /chat/completions + method: GET + filters: + - type: URLRewrite + urlRewrite: + path: + type: ReplaceFullPath + replaceFullPath: /chat/completions + backendRefs: + - group: dp.wso2.com + kind: Backend + name: infra-backend-v1 +--- +apiVersion: v1 +kind: Secret +metadata: + name: mysecret + namespace: gateway-integration-test-infra +type: Opaque +data: + apiKey: c2FtcGF0aA== +--- 
+apiVersion: dp.wso2.com/v1alpha2 +kind: Backend +metadata: + name: infra-backend-v1 + namespace: gateway-integration-test-infra +spec: + services: + - host: infra-backend-v1.gateway-integration-test-infra + port: 8080 + security: + apiKey: + in: Header + name: api-key + valueFrom: + name: mysecret + valueKey: apiKey diff --git a/test/integration/integration/tests/resources/tests/custom-auth-header.yaml b/test/integration/integration/tests/resources/tests/custom-auth-header.yaml index 3f602c0b0..f5a27cdcb 100644 --- a/test/integration/integration/tests/resources/tests/custom-auth-header.yaml +++ b/test/integration/integration/tests/resources/tests/custom-auth-header.yaml @@ -76,7 +76,7 @@ spec: namespace: gateway-integration-test-infra name: custom-auth-header --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/custom-policy-ratelimiting.yaml b/test/integration/integration/tests/resources/tests/custom-policy-ratelimiting.yaml index 751228c0e..8a18d9d32 100644 --- a/test/integration/integration/tests/resources/tests/custom-policy-ratelimiting.yaml +++ b/test/integration/integration/tests/resources/tests/custom-policy-ratelimiting.yaml @@ -118,7 +118,7 @@ spec: type: ReplacePrefixMatch replacePrefixMatch: /post --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/default-api-version-ratelimit.yaml b/test/integration/integration/tests/resources/tests/default-api-version-ratelimit.yaml index 3a9b9a5db..341ea6665 100644 --- a/test/integration/integration/tests/resources/tests/default-api-version-ratelimit.yaml +++ b/test/integration/integration/tests/resources/tests/default-api-version-ratelimit.yaml 
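Review bot: The `Backend` at the end of this manifest is named `infra-backend-v1`, the same name many other test manifests in this patch use, but it is the only one carrying `security.apiKey`. If those manifests land in the same namespace during one run (their namespaces are not visible in these hunks), whichever is applied last decides whether the key is injected, so this test can become flaky or unrelated APIs can start sending `api-key` upstream. A test-specific resource name, for example `name: backend-api-key-security-backend` with the `backendRefs` entry updated to match and `host` left as is, avoids the collision; the generic Secret name `mysecret` deserves the same treatment. The commented-out `#definitionFileRef: swagger-definition-webhook` looks like a leftover from a copied manifest.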
@@ -70,7 +70,7 @@ spec: name: default-api-version-ratelimit group: gateway.networking.k8s.io --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/default-api-version.yaml b/test/integration/integration/tests/resources/tests/default-api-version.yaml index b63875b0f..c1b44e698 100644 --- a/test/integration/integration/tests/resources/tests/default-api-version.yaml +++ b/test/integration/integration/tests/resources/tests/default-api-version.yaml @@ -55,7 +55,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/different-endpoint-with-same-route.yaml b/test/integration/integration/tests/resources/tests/different-endpoint-with-same-route.yaml index a7bda1ef9..b99241f99 100644 --- a/test/integration/integration/tests/resources/tests/different-endpoint-with-same-route.yaml +++ b/test/integration/integration/tests/resources/tests/different-endpoint-with-same-route.yaml @@ -65,7 +65,7 @@ spec: kind: Backend name: infra-backend-v2 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 @@ -75,7 +75,7 @@ spec: - host: infra-backend-v1.gateway-integration-test-infra port: 8080 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v2 diff --git a/test/integration/integration/tests/resources/tests/disable-api-level-jwt.yaml b/test/integration/integration/tests/resources/tests/disable-api-level-jwt.yaml index 646c908f8..6d37cb7b8 100644 --- a/test/integration/integration/tests/resources/tests/disable-api-level-jwt.yaml +++ b/test/integration/integration/tests/resources/tests/disable-api-level-jwt.yaml 
@@ -136,7 +136,7 @@ spec: namespace: gateway-integration-test-infra name: disable-api-level-jwt1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/disable-api-level-security.yaml b/test/integration/integration/tests/resources/tests/disable-api-level-security.yaml index fd4558e0b..0ad9894d1 100644 --- a/test/integration/integration/tests/resources/tests/disable-api-level-security.yaml +++ b/test/integration/integration/tests/resources/tests/disable-api-level-security.yaml @@ -79,7 +79,7 @@ spec: namespace: gateway-integration-test-infra name: disable-api-security --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/disable-resource-level-jwt.yaml b/test/integration/integration/tests/resources/tests/disable-resource-level-jwt.yaml index f7459d308..b29a6207f 100644 --- a/test/integration/integration/tests/resources/tests/disable-resource-level-jwt.yaml +++ b/test/integration/integration/tests/resources/tests/disable-resource-level-jwt.yaml @@ -148,7 +148,7 @@ spec: group: gateway.networking.k8s.io namespace: gateway-integration-test-infra --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/disable-resource-level-security.yaml b/test/integration/integration/tests/resources/tests/disable-resource-level-security.yaml index bd66d7241..71c706d10 100644 --- a/test/integration/integration/tests/resources/tests/disable-resource-level-security.yaml +++ b/test/integration/integration/tests/resources/tests/disable-resource-level-security.yaml 
@@ -85,7 +85,7 @@ spec: namespace: gateway-integration-test-infra name: disable-resoruce-security --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/fetch-api-definition.yaml b/test/integration/integration/tests/resources/tests/fetch-api-definition.yaml index 97e5a1d79..04d3d8ef6 100644 --- a/test/integration/integration/tests/resources/tests/fetch-api-definition.yaml +++ b/test/integration/integration/tests/resources/tests/fetch-api-definition.yaml @@ -69,7 +69,7 @@ metadata: binaryData: definition: H4sIAAAAAAAAAMVRPU/EMAz9K8gjun7csXVjRAyHhI4F3RCl7tVSmkSJe3BU/e/YqWBlJENs+dnvPektECJ6Ewk6eKjbeg+7OyA/BOgWYGKHAjBmfnx5eivgFVOm4GW8l/0WVplltHMivkH3vkCPg5kdS39ezwJGw2NWuuZe/wuyloQ5Bp+xIIe21dJjtokib/THZ1j/JP+szMxjxbcoRjnNWGY8psDsyF8qJkxCdvKOJmLsi98Y8j+bKKQ2TCKPnov+j8SrHXHaLP0KSRaFHIIqHTSHwYWPskRTdGSpbCkaEn0ZtX9KTi5G5pi7ptEQa1HU22wldT1et/cNLrti+gYCAAA= --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/fetch-non-existing-api-definition.yaml b/test/integration/integration/tests/resources/tests/fetch-non-existing-api-definition.yaml index eb25ac95a..a1ce6f781 100644 --- a/test/integration/integration/tests/resources/tests/fetch-non-existing-api-definition.yaml +++ b/test/integration/integration/tests/resources/tests/fetch-non-existing-api-definition.yaml @@ -59,7 +59,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/gql-api.yaml b/test/integration/integration/tests/resources/tests/gql-api.yaml index 224dfba25..c5ac136d1 100644 --- a/test/integration/integration/tests/resources/tests/gql-api.yaml 
+++ b/test/integration/integration/tests/resources/tests/gql-api.yaml @@ -94,7 +94,7 @@ spec: namespace: gateway-integration-test-infra name: gql-api --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: gql-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml index d290af4fe..d62ed1641 100644 --- a/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml +++ b/test/integration/integration/tests/resources/tests/jwt-api-level-security.yaml @@ -72,7 +72,7 @@ spec: namespace: gateway-integration-test-infra name: api-level-jwt --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/multiple_port_listener.yaml b/test/integration/integration/tests/resources/tests/multiple_port_listener.yaml index 8dd1e4b96..a9d49886d 100644 --- a/test/integration/integration/tests/resources/tests/multiple_port_listener.yaml +++ b/test/integration/integration/tests/resources/tests/multiple_port_listener.yaml @@ -77,7 +77,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/prod-and-sand-apis.yaml b/test/integration/integration/tests/resources/tests/prod-and-sand-apis.yaml index ea64ac22d..3391abd98 100644 --- a/test/integration/integration/tests/resources/tests/prod-and-sand-apis.yaml +++ b/test/integration/integration/tests/resources/tests/prod-and-sand-apis.yaml @@ -95,7 +95,7 @@ spec: namespace: gateway-integration-test-infra name: prod-and-sand-apis --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 
@@ -105,7 +105,7 @@ spec: - host: infra-backend-v1.gateway-integration-test-infra port: 8080 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v2 diff --git a/test/integration/integration/tests/resources/tests/ratelimit-priority.yaml b/test/integration/integration/tests/resources/tests/ratelimit-priority.yaml index 819f5eac1..5c7617608 100644 --- a/test/integration/integration/tests/resources/tests/ratelimit-priority.yaml +++ b/test/integration/integration/tests/resources/tests/ratelimit-priority.yaml @@ -69,7 +69,7 @@ spec: kind: RateLimitPolicy name: ratelimitter-r1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/resource-scopes.yaml b/test/integration/integration/tests/resources/tests/resource-scopes.yaml index d0b5908ab..b2a4444a4 100644 --- a/test/integration/integration/tests/resources/tests/resource-scopes.yaml +++ b/test/integration/integration/tests/resources/tests/resource-scopes.yaml @@ -86,7 +86,7 @@ spec: - read:pets - write:pets --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/trailing-slash.yaml b/test/integration/integration/tests/resources/tests/trailing-slash.yaml index 1b9bcd09d..eea7d2c91 100644 --- a/test/integration/integration/tests/resources/tests/trailing-slash.yaml +++ b/test/integration/integration/tests/resources/tests/trailing-slash.yaml @@ -166,7 +166,7 @@ spec: kind: Backend name: infra-backend-v1 --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/integration/tests/resources/tests/verify-old-apis.yaml b/test/integration/integration/tests/resources/tests/verify-old-apis.yaml index 0fa9a363d..2b5e1af60 100644 
--- a/test/integration/integration/tests/resources/tests/verify-old-apis.yaml +++ b/test/integration/integration/tests/resources/tests/verify-old-apis.yaml @@ -69,7 +69,7 @@ spec: namespace: gateway-integration-test-infra name: prod-and-sand-apis --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: infra-backend-v1 diff --git a/test/integration/scripts/run-tests.sh b/test/integration/scripts/run-tests.sh index 7a50bd056..4bda1c590 100644 --- a/test/integration/scripts/run-tests.sh +++ b/test/integration/scripts/run-tests.sh @@ -77,6 +77,7 @@ sudo echo "$IP disable-resource-level-jwt2.test.gw.wso2.com" | sudo tee -a /etc/ sudo echo "$IP default-api-version-ratelimit-resource-level.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP ratelimit-priority.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP different-endpoint-with-same-route.test.gw.wso2.com" | sudo tee -a /etc/hosts +sudo echo "$IP backend-api-key-security.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP custom-auth-header.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP gql.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP api-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts diff --git a/test/integration/scripts/setup-hosts.sh b/test/integration/scripts/setup-hosts.sh index 7ff4ff8af..8e68ef076 100644 --- a/test/integration/scripts/setup-hosts.sh +++ b/test/integration/scripts/setup-hosts.sh 
@@ -36,6 +36,7 @@ sudo echo "$IP disable-resource-level-jwt2.test.gw.wso2.com" | sudo tee -a /etc/ sudo echo "$IP default-api-version-ratelimit-resource-level.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP ratelimit-priority.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP different-endpoint-with-same-route.test.gw.wso2.com" | sudo tee -a /etc/hosts +sudo echo "$IP backend-api-key-security.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP custom-auth-header.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP gql.test.gw.wso2.com" | sudo tee -a /etc/hosts sudo echo "$IP api-level-jwt.test.gw.wso2.com" | sudo tee -a /etc/hosts diff --git a/test/k8s-resources/gw-interceptor.yaml b/test/k8s-resources/gw-interceptor.yaml index 27cd13b7b..42d47c02e 100644 --- a/test/k8s-resources/gw-interceptor.yaml +++ b/test/k8s-resources/gw-interceptor.yaml @@ -14,7 +14,7 @@ spec: kind: Gateway name: wso2-apk-default --- -apiVersion: dp.wso2.com/v1alpha1 +apiVersion: dp.wso2.com/v1alpha2 kind: Backend metadata: name: interceptor-backend-v1