From 2f72f00eef132efe589d2f4743cbedba11c12477 Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Sun, 3 Oct 2021 20:17:50 +0000 Subject: [PATCH] add kpt setters and proxy support --- README.md | 25 +++++++++++++++++++++++++ pkg/Kptfile | 21 ++++++++++++++------- pkg/README.md | 9 --------- pkg/asm_user_auth_config_v1beta1.yaml | 6 +++++- pkg/configmap.yaml | 2 ++ pkg/deployment.yaml | 6 +++++- pkg/gateway.yaml | 2 +- pkg/user_auth_config.yaml | 5 +++-- samples/httpbin-authz.yaml | 1 - samples/rctoken-authz.yaml | 2 -- 10 files changed, 55 insertions(+), 24 deletions(-) delete mode 100644 pkg/README.md diff --git a/README.md b/README.md index 8811d0e..ab92de4 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,28 @@ # ASM User Auth This repository contains the ASM User Auth deployment for Anthos service mesh. + +## Release Notes + +* release-1.1 + + + v1.1.0 + - Upgraded kpt to v1.0. + - Added the `proxy` field in the UserAuthConfig for http proxy + support. + - Fixed a bug of the `certificateAuthorityData` field in the + UserAuthConfig not working correctly. + +* release-1.0 + + - GA Launch. + - Store client credentials in K8s secret. + +* release-0.1 + + - Preview Launch. + +## User Guide + +* [kpt pkg guide](./pkg/README.md) +* [User Auth User Guide](https://cloud.google.com/service-mesh/docs/security/end-user-auth) diff --git a/pkg/Kptfile b/pkg/Kptfile index 7f6e27d..0697f63 100644 --- a/pkg/Kptfile +++ b/pkg/Kptfile 
@@ -10,14 +10,13 @@ openAPI: x-k8s-cli: setter: name: anthos.servicemesh.user-auth.image - value: gcr.io/gke-release/ais:hybrid_identity_charon_20210629_RC00 + value: gcr.io/gke-release/ais:1.0.1 io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID: description: The OAuth2 client ID for OIDC authentication. x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.clientID value: your-oidc-client-id - isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret: description: The OAuth2 client secret for OIDC authentication. x-k8s-cli: @@ -30,21 +29,18 @@ openAPI: setter: name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name value: oauth-secret - isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace: description: Namespace of the Kubernetes secret contains OAuth2 client credential for OIDC authentication. x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace value: asm-user-auth - isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI: description: The OIDC identity provider issuer URI. x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.issuerURI value: your-oidc-issuer-uri - isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost: description: The redirect URI host name for OIDC. x-k8s-cli: 
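Review bot: The setters in this hunk and the one at `-30` keep the `openAPI` / `x-k8s-cli: setter:` schema, yet the README release note added in this same commit says "Upgraded kpt to v1.0"; as far as I know kpt 1.0 dropped that schema in favour of the `apply-setters` function with `# kpt-set: ${name}` markers, so either the note or the package is out of step. If the package really targets kpt 1.0, the `# {"$ref": ...}` comments in deployment.yaml, gateway.yaml and user_auth_config.yaml need the same treatment. Please confirm which kpt version the package is meant to be consumed with and make the README note match.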
@@ -57,5 +53,16 @@ openAPI: x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.redirectURIPath - value: "/_gcp_asm/authenticate" - isSet: true + value: "/_gcp_asm_authenticate" + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.certificateAuthorityData: + description: Base64 encoded pem format CA root cert for IDP. + x-k8s-cli: + setter: + name: anthos.servicemesh.user-auth.oidc.certificateAuthorityData + value: "" + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.proxy: + description: Optional proxy for the IDP. + x-k8s-cli: + setter: + name: anthos.servicemesh.user-auth.oidc.proxy + value: "" diff --git a/pkg/README.md b/pkg/README.md deleted file mode 100644 index c801a4c..0000000 --- a/pkg/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# ASM USer Auth Kpt package - -## SYNOPSIS - -kubectl apply --recursive -f pkg/ - -## Description - -Kpt package for ASM User Auth. diff --git a/pkg/asm_user_auth_config_v1beta1.yaml b/pkg/asm_user_auth_config_v1beta1.yaml index 5a34962..3295b72 100644 --- a/pkg/asm_user_auth_config_v1beta1.yaml +++ b/pkg/asm_user_auth_config_v1beta1.yaml @@ -69,6 +69,10 @@ spec: description: The issuer in the idtoken issued by OIDC provider. This will be used to validate the idtoken. type: string + proxy: + description: 'Proxy server to use for the auth method, if applicable. + For example: http://user:password@10.10.10.10:8888.' + type: string redirectURIHost: description: The host to be used for OAuth termination URI. If not present the host from the target URL will be used. This value can be utilized @@ -85,7 +89,7 @@ spec: be served from the same ingress as the application for a successful user auth session. Note, this path will always terminate at user auth binary. type: string - default: "/_gcp_asm/authenticate" + default: "/_gcp_asm_authenticate" required: - oauthCredentialsSecret - issuerURI diff --git a/pkg/configmap.yaml b/pkg/configmap.yaml index 255c793..3b8f70f 100644 --- a/pkg/configmap.yaml +++ b/pkg/configmap.yaml 
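Review bot: The `redirectURIPath` default changes from `/_gcp_asm/authenticate` to `/_gcp_asm_authenticate` here and in asm_user_auth_config_v1beta1.yaml, gateway.yaml and user_auth_config.yaml, but the release notes added to README.md in this commit do not mention it; an OIDC redirect URI is normally registered verbatim at the identity provider, so existing registrations stop matching after an upgrade and the note should say so. The new `certificateAuthorityData` setter defaults to `""` without stating what an empty value means for TLS verification of the IdP (system trust store, or no verification); the description should spell that out, e.g. `description: Base64-encoded PEM CA root certificate for the IDP; when empty, <state the fallback behaviour here>.`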
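Review bot: The `proxy` field description added at `-69` uses `http://user:password@10.10.10.10:8888` as its example, which invites users to put proxy credentials into the UserAuthConfig custom resource, where they sit unencrypted in etcd and are readable by anyone who can get the CR; the release notes in this commit say client credentials were moved into a Kubernetes Secret for exactly that reason. Either document that proxy credentials belong in a Secret (naming the mechanism the binary reads them from, if one exists) or drop them from the example: `For example: http://10.10.10.10:8888.` It would also help to say which outbound IdP traffic the proxy applies to (discovery, token endpoint, JWKS), since "if applicable" leaves that open.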
@@ -17,6 +17,8 @@ data: port: 10003 failure_mode_allow: false enable_plaintext_mode: true + authentication_plugin: + enabled: all input_plugin: session_cookie: aes_symmetric_key: diff --git a/pkg/deployment.yaml b/pkg/deployment.yaml index 8ae77b1..a2898c3 100644 --- a/pkg/deployment.yaml +++ b/pkg/deployment.yaml @@ -38,7 +38,7 @@ spec: spec: containers: - name: authservice - image: gcr.io/gke-release/ais:hybrid_identity_charon_20210629_RC00 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"} + image: gcr.io/gke-release/ais:1.0.1 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"} imagePullPolicy: IfNotPresent command: - /usr/bin/ais @@ -66,6 +66,8 @@ spec: - mountPath: /etc/config name: config-volume readOnly: true + - name: tmp + mountPath: /tmp volumes: - name: key-volume secret: @@ -75,6 +77,8 @@ spec: defaultMode: 420 name: user-auth-config name: config-volume + - name: tmp + emptyDir: {} --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/pkg/gateway.yaml b/pkg/gateway.yaml index 8f7f527..9f190cd 100644 --- a/pkg/gateway.yaml +++ b/pkg/gateway.yaml @@ -35,7 +35,7 @@ spec: - uri: prefix: /status - uri: - prefix: "/_gcp_asm/authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} + prefix: "/_gcp_asm_authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} name: user-auth-route route: - destination: diff --git a/pkg/user_auth_config.yaml b/pkg/user_auth_config.yaml index 5ff2850..9da5c60 100644 --- a/pkg/user_auth_config.yaml +++ b/pkg/user_auth_config.yaml 
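Review bot: `authentication_plugin: enabled: all` is added with no indication of what `all` selects or which other values are accepted, and it sits next to `enable_plaintext_mode: true`, so a reader cannot tell whether it widens the set of requests that get authenticated. The setting appears to live inside the ConfigMap's embedded config under `data:`, so a YAML comment there would presumably be passed through to the binary; the safe place to explain it is a comment in the enclosing manifest above the data key, or a line in the README, e.g. `# authentication_plugin.enabled: <list accepted values and what "all" means>`.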
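Review bot: The image setter value `gcr.io/gke-release/ais:1.0.1` at `-38` is a mutable tag; for a component that terminates end-user OIDC sessions, pinning by digest (`image: gcr.io/gke-release/ais:1.0.1@sha256:<digest from the 1.0.1 release>`) makes the deployed binary reproducible and lets an admission policy verify it. If the setter has to stay a plain tag for kpt, the README release notes could at least record the digest for 1.0.1.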
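Review bot: The new writable `/tmp` emptyDir (the mount at `-66` and the `volumes` entry at `-75`) has no `sizeLimit`, so whatever the binary writes there is bounded only by node disk; `emptyDir:` with `sizeLimit: <size>` lets the kubelet evict the pod instead of the node running out of space. If the mount exists so the container can run with `readOnlyRootFilesystem: true`, that securityContext field is not visible in these hunks — worth confirming it is set, since otherwise the extra mount adds nothing.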
@@ -6,11 +6,12 @@ metadata: spec: authentication: oidc: - certificateAuthorityData: "" + certificateAuthorityData: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.certificateAuthorityData"} oauthCredentialsSecret: name: "oauth-secret" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"} namespace: "asm-user-auth" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"} issuerURI: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"} + proxy: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.proxy"} redirectURIHost: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"} - redirectURIPath: "/_gcp_asm/authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} + redirectURIPath: "/_gcp_asm_authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} outputJWTAudience: "test_audience" diff --git a/samples/httpbin-authz.yaml b/samples/httpbin-authz.yaml index 8218aff..fdd38c0 100644 --- a/samples/httpbin-authz.yaml +++ b/samples/httpbin-authz.yaml @@ -4,7 +4,6 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-rc-token - namespace: istio-system spec: selector: matchLabels: diff --git a/samples/rctoken-authz.yaml b/samples/rctoken-authz.yaml index 81887a1..5065e20 100644 --- a/samples/rctoken-authz.yaml +++ b/samples/rctoken-authz.yaml @@ -2,7 +2,6 @@ apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: require-rc-token - namespace: istio-system spec: selector: matchLabels: @@ -20,7 +19,6 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-rc-token - namespace: istio-system spec: selector: matchLabels:
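Review bot: Dropping `namespace: istio-system` from the httpbin sample (and from both resources in samples/rctoken-authz.yaml) leaves the policies namespace-less, so they land wherever `kubectl apply` is pointed, and an Istio RequestAuthentication/AuthorizationPolicy with a `selector` is mesh-wide when applied in the root namespace but namespace-scoped anywhere else — the scope of the sample now depends on the caller. The files or the README should state the intended namespace, e.g. a leading comment `# Apply in the namespace of the httpbin workload: kubectl apply -n <app-namespace> -f samples/httpbin-authz.yaml`. Note also that this AuthorizationPolicy and the one in rctoken-authz.yaml are both named `require-rc-token`, so applied to the same namespace the second silently replaces the first.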