Implement Istio http policy binding controller (#656)

* Implement Istio http policy binding controller * run update-codegen * address comments * fix error message
google · Mar 18, 2020 · 4383f6c · 4383f6c
1 parent fde4e2f
commit 4383f6c
Show file tree

Hide file tree

Showing 335 changed files with 54,772 additions and 98 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -95,6 +95,14 @@ required = [
   branch = "master"
   name = "golang.org/x/net"
 
+[[override]]
+  name = "istio.io/api"
+  version = "1.5.0"
+
+[[override]]
+  name = "istio.io/client-go"
+  version = "1.5.0"
+
 # Required for opencensus.
 [[override]]
   name = "github.com/census-instrumentation/opencensus-proto"

diff --git a/docs/examples/security/README.md b/docs/examples/security/README.md
@@ -0,0 +1 @@
+TODO
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
@@ -46,5 +46,17 @@ ${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
   "pubsub:v1alpha1 messaging:v1alpha1 events:v1alpha1 duck:v1alpha1 security:v1alpha1" \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
 
+# Generate our own client for istio (otherwise injection won't work)
+${CODEGEN_PKG}/generate-groups.sh "client,informer,lister" \
+  github.com/google/knative-gcp/pkg/client/istio istio.io/client-go/pkg/apis \
+  "security:v1beta1" \
+  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
+
+# Knative Injection (for istio)
+${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
+  github.com/google/knative-gcp/pkg/client/istio istio.io/client-go/pkg/apis \
+  "security:v1beta1" \
+  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
+
 # Make sure our dependencies are up-to-date
 ${REPO_ROOT_DIR}/hack/update-deps.sh
diff --git a/pkg/apis/security/register.go b/pkg/apis/security/register.go
@@ -18,5 +18,18 @@ limitations under the License.
 package security
 
 const (
+	// GroupName is the API group name.
 	GroupName = "security.knative.dev"
+
+	// PolicyBindingClassAnnotationKey is the annotation key for policy binding class.
+	PolicyBindingClassAnnotationKey = GroupName + "/policybinding-class"
+
+	// AuthorizableAnnotationKey is the annotaion key for Authorizables.
+	AuthorizableAnnotationKey = GroupName + "/authorizableOn"
+
+	// SelfAuthorizableAnnotationValue is the annotation value if an object itself is an Authorizable.
+	SelfAuthorizableAnnotationValue = "self"
+
+	// IstioPolicyBindingClassValue is the binding class name for Istio implementation.
+	IstioPolicyBindingClassValue = "istio"
 )
diff --git a/pkg/apis/security/v1alpha1/common_lifecycle.go b/pkg/apis/security/v1alpha1/common_lifecycle.go
@@ -18,15 +18,11 @@ package v1alpha1
 
 import "knative.dev/pkg/apis"
 
-var policybindingCondSet = apis.NewLivingConditionSet(PolicyBindingClassCompatible)
+var policybindingCondSet = apis.NewLivingConditionSet()
 
 const (
 	// PolicyBindingConditionReady has status True when the binding is active.
 	PolicyBindingConditionReady = apis.ConditionReady
-
-	// PolicyBindingClassCompatible has status True if the binding spec is
-	// compatible with the specified binding class.
-	PolicyBindingClassCompatible apis.ConditionType = "BindingClassCompatible"
 )
 
 // GetCondition returns the condition currently associated with the given type, or nil.
@@ -73,15 +69,3 @@ func (pbs *PolicyBindingStatus) MarkBindingFailure(reason, messageFormat string,
 func (pbs *PolicyBindingStatus) MarkBindingAvailable() {
 	policybindingCondSet.Manage(pbs).MarkTrue(PolicyBindingConditionReady)
 }
-
-// MarkBindingClassCompatible marks the policy binding's class
-// compatible status to True.
-func (pbs *PolicyBindingStatus) MarkBindingClassCompatible() {
-	policybindingCondSet.Manage(pbs).MarkTrue(PolicyBindingClassCompatible)
-}
-
-// MarkBindingClassIncompatible marks the policy binding's class
-// compatible status to False.
-func (pbs *PolicyBindingStatus) MarkBindingClassIncompatible(reason, messageFormat string, messageA ...interface{}) {
-	policybindingCondSet.Manage(pbs).MarkFalse(PolicyBindingClassCompatible, reason, messageFormat, messageA...)
-}
diff --git a/pkg/apis/security/v1alpha1/common_lifecycle_test.go b/pkg/apis/security/v1alpha1/common_lifecycle_test.go
@@ -19,10 +19,7 @@ package v1alpha1
 import (
 	"testing"
 
-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
 	corev1 "k8s.io/api/core/v1"
-	"knative.dev/pkg/apis"
 )
 
 func TestPolicyBindingStatusIsReady(t *testing.T) {
@@ -44,22 +41,11 @@ func TestPolicyBindingStatusIsReady(t *testing.T) {
 		}(),
 		wantConditionStatus: corev1.ConditionUnknown,
 		wantReady:           false,
-	}, {
-		name: "incomptiable binding class",
-		s: func() *PolicyBindingStatus {
-			s := &PolicyBindingStatus{}
-			s.InitializeConditions()
-			s.MarkBindingClassIncompatible("BindingClassIncompatible", "incompatible")
-			return s
-		}(),
-		wantConditionStatus: corev1.ConditionFalse,
-		wantReady:           false,
 	}, {
 		name: "binding failure",
 		s: func() *PolicyBindingStatus {
 			s := &PolicyBindingStatus{}
 			s.InitializeConditions()
-			s.MarkBindingClassCompatible()
 			s.MarkBindingFailure("BindingFailure", "failure")
 			return s
 		}(),
@@ -70,7 +56,6 @@ func TestPolicyBindingStatusIsReady(t *testing.T) {
 		s: func() *PolicyBindingStatus {
 			s := &PolicyBindingStatus{}
 			s.InitializeConditions()
-			s.MarkBindingClassCompatible()
 			s.MarkBindingAvailable()
 			return s
 		}(),
@@ -93,67 +78,3 @@ func TestPolicyBindingStatusIsReady(t *testing.T) {
 		})
 	}
 }
-
-func TestPolicyBindingStatusGetCondition(t *testing.T) {
-	cases := []struct {
-		name      string
-		s         *PolicyBindingStatus
-		condQuery apis.ConditionType
-		want      *apis.Condition
-	}{{
-		name:      "uninitialized",
-		s:         &PolicyBindingStatus{},
-		condQuery: PolicyBindingClassCompatible,
-		want:      nil,
-	}, {
-		name: "initialized",
-		s: func() *PolicyBindingStatus {
-			s := &PolicyBindingStatus{}
-			s.InitializeConditions()
-			return s
-		}(),
-		condQuery: PolicyBindingClassCompatible,
-		want: &apis.Condition{
-			Type:   PolicyBindingClassCompatible,
-			Status: corev1.ConditionUnknown,
-		},
-	}, {
-		name: "not ready",
-		s: func() *PolicyBindingStatus {
-			s := &PolicyBindingStatus{}
-			s.InitializeConditions()
-			s.MarkBindingClassIncompatible("Incompatible", "test message")
-			return s
-		}(),
-		condQuery: PolicyBindingClassCompatible,
-		want: &apis.Condition{
-			Type:    PolicyBindingClassCompatible,
-			Status:  corev1.ConditionFalse,
-			Reason:  "Incompatible",
-			Message: "test message",
-		},
-	}, {
-		name: "ready",
-		s: func() *PolicyBindingStatus {
-			s := &PolicyBindingStatus{}
-			s.InitializeConditions()
-			s.MarkBindingClassCompatible()
-			return s
-		}(),
-		condQuery: PolicyBindingClassCompatible,
-		want: &apis.Condition{
-			Type:   PolicyBindingClassCompatible,
-			Status: corev1.ConditionTrue,
-		},
-	}}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			got := tc.s.GetCondition(tc.condQuery)
-			ignoreTime := cmpopts.IgnoreFields(apis.Condition{},
-				"LastTransitionTime", "Severity")
-			if diff := cmp.Diff(tc.want, got, ignoreTime); diff != "" {
-				t.Errorf("unexpected condition (-want, +got) = %v", diff)
-			}
-		})
-	}
-}
diff --git a/pkg/apis/security/v1alpha1/common_types.go b/pkg/apis/security/v1alpha1/common_types.go
@@ -36,6 +36,23 @@ type StringMatch struct {
 	Presence bool `json:"presence,omitempty"`
 }
 
+// ToExpression returns the string expression of the string match.
+func (m *StringMatch) ToExpression() string {
+	if m.Exact != "" {
+		return m.Exact
+	}
+	if m.Prefix != "" {
+		return m.Prefix + "*"
+	}
+	if m.Suffix != "" {
+		return "*" + m.Suffix
+	}
+	if m.Presence {
+		return "*"
+	}
+	return ""
+}
+
 // KeyValuesMatch defines a key and a list of string matches for the key.
 type KeyValuesMatch struct {
 	// Key is a string which could be used to retrieve a value from somewhere.

diff --git a/pkg/apis/security/v1alpha1/common_types_test.go b/pkg/apis/security/v1alpha1/common_types_test.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2020 Google LLC.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "testing"
+
+func TestStringMatchToExpression(t *testing.T) {
+	cases := []struct {
+		name    string
+		m       StringMatch
+		wantExp string
+	}{{
+		name:    "exact",
+		m:       StringMatch{Exact: "foo"},
+		wantExp: "foo",
+	}, {
+		name:    "prefix",
+		m:       StringMatch{Prefix: "foo"},
+		wantExp: "foo*",
+	}, {
+		name:    "suffix",
+		m:       StringMatch{Suffix: "foo"},
+		wantExp: "*foo",
+	}, {
+		name:    "presence",
+		m:       StringMatch{Presence: true},
+		wantExp: "*",
+	}}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if gotExp := tc.m.ToExpression(); gotExp != tc.wantExp {
+				t.Errorf("StringMatch.ToExpression got=%s want=%s", gotExp, tc.wantExp)
+			}
+		})
+	}
+}