add kpt setters and proxy support

README.md

@@ -1,3 +1,28 @@
 # ASM User Auth
 
 This repository contains the ASM User Auth deployment for Anthos service mesh.
+
+## Release Notes
+
+*   release-1.1
+
+    +   v1.1.0
+        -   Upgraded kpt to v1.0.
+        -   Added the `proxy` field in the UserAuthConfig for http proxy
+            support.
+        -   Fixed a bug of the `certificateAuthorityData` field in the
+            UserAuthConfig not working correctly.
+
+*   release-1.0
+
+    -   GA Launch.
+    -   Store client credentials in K8s secret.
+
+*   release-0.1
+
+    -   Preview Launch.
+
+## User Guide
+
+* [kpt pkg guide](./pkg/README.md)
+* [User Auth User Guide](https://cloud.google.com/service-mesh/docs/security/end-user-auth)

pkg/Kptfile

@@ -10,14 +10,13 @@ openAPI:
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.user-auth.image
-          value: gcr.io/gke-release/ais:hybrid_identity_charon_20210629_RC00
+          value: gcr.io/gke-release/ais:1.0.1
     io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID:
       description: The OAuth2 client ID for OIDC authentication.
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.user-auth.oidc.clientID
           value: your-oidc-client-id
-          isSet: true
     io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret:
       description: The OAuth2 client secret for OIDC authentication.
       x-k8s-cli:
@@ -30,21 +29,18 @@ openAPI:
         setter:
           name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name
           value: oauth-secret
-          isSet: true
     io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace:
       description: Namespace of the Kubernetes secret contains OAuth2 client credential for OIDC authentication.
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace
           value: asm-user-auth
-          isSet: true
     io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI:
       description: The OIDC identity provider issuer URI.
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.user-auth.oidc.issuerURI
           value: your-oidc-issuer-uri
-          isSet: true
     io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost:
       description: The redirect URI host name for OIDC.
       x-k8s-cli:
@@ -57,5 +53,16 @@ openAPI:
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.user-auth.oidc.redirectURIPath
-          value: "/_gcp_asm/authenticate"
-          isSet: true
+          value: "/_gcp_asm_authenticate"
+    io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.certificateAuthorityData:
+      description: Base64 encoded pem format CA root cert for IDP.
+      x-k8s-cli:
+        setter:
+          name: anthos.servicemesh.user-auth.oidc.certificateAuthorityData
+          value: ""
+    io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.proxy:
+      description: Optional proxy for the IDP.
+      x-k8s-cli:
+        setter:
+          name: anthos.servicemesh.user-auth.oidc.proxy
+          value: ""

pkg/asm_user_auth_config_v1beta1.yaml

@@ -69,6 +69,10 @@ spec:
                         description: The issuer in the idtoken issued by OIDC provider.
                           This will be used to validate the idtoken.
                         type: string
+                      proxy:
+                        description: 'Proxy server to use for the auth method, if applicable.
+                          For example: http://user:password@10.10.10.10:8888.'
+                        type: string
                       redirectURIHost:
                         description: The host to be used for OAuth termination URI. If not present
                           the host from the target URL will be used. This value can be utilized
@@ -85,7 +89,7 @@ spec:
                           be served from the same ingress as the application for a successful user auth
                           session. Note, this path will always terminate at user auth binary.
                         type: string
-                        default: "/_gcp_asm/authenticate"
+                        default: "/_gcp_asm_authenticate"
                     required:
                     - oauthCredentialsSecret
                     - issuerURI

pkg/configmap.yaml

@@ -17,6 +17,8 @@ data:
             port: 10003
           failure_mode_allow: false
           enable_plaintext_mode: true
+      authentication_plugin:
+        enabled: all
       input_plugin:
         session_cookie:
           aes_symmetric_key:

pkg/deployment.yaml

@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
       - name: authservice
-        image: gcr.io/gke-release/ais:hybrid_identity_charon_20210629_RC00  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"}
+        image: gcr.io/gke-release/ais:1.0.1  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"}
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/ais
@@ -66,6 +66,8 @@ spec:
         - mountPath: /etc/config
           name: config-volume
           readOnly: true
+        - name: tmp
+          mountPath: /tmp
       volumes:
       - name: key-volume
         secret:
@@ -75,6 +77,8 @@ spec:
           defaultMode: 420
           name: user-auth-config
         name: config-volume
+      - name: tmp
+        emptyDir: {}
 ---
 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication

pkg/gateway.yaml

@@ -35,7 +35,7 @@ spec:
     - uri:
         prefix: /status
     - uri:
-        prefix: "/_gcp_asm/authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
+        prefix: "/_gcp_asm_authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
     name: user-auth-route
     route:
     - destination:

pkg/user_auth_config.yaml

@@ -6,11 +6,12 @@ metadata:
 spec:
   authentication:
     oidc:
-      certificateAuthorityData: ""
+      certificateAuthorityData: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.certificateAuthorityData"}
       oauthCredentialsSecret:
         name: "oauth-secret"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"}
         namespace: "asm-user-auth"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"}
       issuerURI: "<your issuer uri>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"}
+      proxy: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.proxy"}
       redirectURIHost: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"}
-      redirectURIPath: "/_gcp_asm/authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
+      redirectURIPath: "/_gcp_asm_authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
   outputJWTAudience: "test_audience"

samples/httpbin-authz.yaml

@@ -4,7 +4,6 @@ apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: require-rc-token
-  namespace: istio-system
 spec:
   selector:
     matchLabels:

samples/rctoken-authz.yaml

@@ -2,7 +2,6 @@ apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: require-rc-token
-  namespace: istio-system
 spec:
   selector:
     matchLabels:
@@ -20,7 +19,6 @@ apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: require-rc-token
-  namespace: istio-system
 spec:
   selector:
     matchLabels: