Added x509 and jwt rapps
Change-Id: Ic384fcad11dcb63fe4265d3dbcff5ea17f933cfc
diff --git a/rapps/rapps-istio-mgr.go b/rapps/rapps-istio-mgr.go
index 04189ce..93ed8bb 100644
--- a/rapps/rapps-istio-mgr.go
+++ b/rapps/rapps-istio-mgr.go
@@ -78,6 +78,14 @@
jwksUri: "http://192.168.49.2:31560/auth/realms/REALM-NAME/protocol/openid-connect/certs"
- issuer: "http://keycloak.default:8080/auth/realms/REALM-NAME"
jwksUri: "http://keycloak.default:8080/auth/realms/REALM-NAME/protocol/openid-connect/certs"
+ - issuer: "https://192.168.49.2:31561/auth/realms/REALM-NAME"
+ jwksUri: "https://192.168.49.2:31561/auth/realms/REALM-NAME/protocol/openid-connect/certs"
+ - issuer: "https://keycloak.default:8443/auth/realms/REALM-NAME"
+ jwksUri: "https://keycloak.default:8443/auth/realms/REALM-NAME/protocol/openid-connect/certs"
+ - issuer: "https://keycloak.est.tech:443/auth/realms/REALM-NAME"
+ jwksUri: "https://keycloak.default:8443/auth/realms/REALM-NAME/protocol/openid-connect/certs"
+ - issuer: "http://istio-ingressgateway.istio-system:80/auth/realms/REALM-NAME"
+ jwksUri: "http://keycloak.default:8080/auth/realms/REALM-NAME/protocol/openid-connect/certs"
`
var authorizationPolicyManifest = `
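Review bot: The new jwtRules entry at L17-L18 pairs the `istio-ingressgateway.istio-system:80` issuer with a `jwksUri` served over plain `http://keycloak.default:8080/...`, so the signing keys used to validate every token for that issuer still arrive unauthenticated, and the TLS introduced for the `:31561`/`:8443`/`est.tech` issuers does not cover this path (the pre-existing http entries at L8 and L10 have the same property and the commit leaves them in place). If the HTTPS endpoint is reachable from the sidecars, the fix is one line: `jwksUri: "https://keycloak.default:8443/auth/realms/REALM-NAME/protocol/openid-connect/certs"`; otherwise a comment above the entry stating why plaintext key retrieval is acceptable in this deployment would help the next reader. The `keycloak.est.tech:443` issuer at L15 also fetches its keys from `keycloak.default:8443` rather than from the issuer host, which is fine if both front the same realm but deserves a short comment saying so. The same plaintext issuers are also listed as accepted principals in the authorization policy hunk at L26. The enclosing manifest string literal starts before this hunk.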
@@ -94,11 +102,11 @@
rules:
- from:
- source:
- requestPrincipals: ["http://192.168.49.2:31560/auth/realms/REALM-NAME/", "http://keycloak.default:8080/auth/realms/REALM-NAME/"]
+ requestPrincipals: ["http://192.168.49.2:31560/auth/realms/REALM-NAME/", "http://keycloak.default:8080/auth/realms/REALM-NAME/", "https://192.168.49.2:31561/auth/realms/REALM-NAME/", "https://keycloak.default:8443/auth/realms/REALM-NAME/", "https://keycloak.est.tech:443/auth/realms/REALM-NAME/", "http://istio-ingressgateway.istio-system:80/auth/realms/REALM-NAME/"]
- to:
- operation:
methods: ["METHOD-NAME"]
- paths: ["/RAPP-NAME*"]
+ paths: ["/RAPP-NAME"]
when:
- key: request.auth.claims[clientRole]
values: ["ROLE-NAME"]
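Review bot: L31 narrows `paths` from the prefix `/RAPP-NAME*` to the exact `/RAPP-NAME`, which is not mentioned in the commit message; under an ALLOW policy, a request to a sub-path such as `/RAPP-NAME/anything` (constructed example) will no longer match this rule and is rejected unless another ALLOW rule covers it, so confirm that callers only ever hit the bare path or restore the wildcard. The requestPrincipals added at L26 all end in `<issuer>/` with no `*`; if Istio matches these as exact `<issuer>/<subject>` strings, they would only match tokens whose subject is empty, and the prefix form `<issuer>/*` may be what was intended — worth verifying against the Istio version in use rather than assuming the existing entries on the old line worked as a prefix. A one-line comment above `requestPrincipals` recording the expected `issuer/subject` shape would prevent the next editor from guessing.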
@@ -133,11 +141,11 @@
func createGateway(clientset *versioned.Clientset, appName string) (string, error) {
gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
- gatewayManifest = strings.Replace(gatewayManifest, "RAPP-NAME", appName, -1)
- gatewayManifest = strings.Replace(gatewayManifest, "RAPP-NS", NAMESPACE, -1)
+ manifest := strings.Replace(gatewayManifest, "RAPP-NAME", appName, -1)
+ manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
gt := &netv1beta1.Gateway{}
- dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(gatewayManifest)), 1000)
+ dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
if err := dec.Decode(>); err != nil {
return "", err
@@ -155,11 +163,11 @@
func createVirtualService(clientset *versioned.Clientset, appName string) (string, error) {
vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
- virtualServiceManifest = strings.Replace(virtualServiceManifest, "RAPP-NAME", appName, -1)
- virtualServiceManifest = strings.Replace(virtualServiceManifest, "RAPP-NS", NAMESPACE, -1)
+ manifest := strings.Replace(virtualServiceManifest, "RAPP-NAME", appName, -1)
+ manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
vs := &netv1beta1.VirtualService{}
- dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(virtualServiceManifest)), 1000)
+ dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
if err := dec.Decode(&vs); err != nil {
return "", err
@@ -177,12 +185,12 @@
func createRequestAuthentication(clientset *versioned.Clientset, appName, realmName string) (string, error) {
raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
- requestAuthenticationManifest = strings.Replace(requestAuthenticationManifest, "RAPP-NAME", appName, -1)
- requestAuthenticationManifest = strings.Replace(requestAuthenticationManifest, "REALM-NAME", realmName, -1)
- requestAuthenticationManifest = strings.Replace(requestAuthenticationManifest, "RAPP-NS", NAMESPACE, -1)
+ manifest := strings.Replace(requestAuthenticationManifest, "RAPP-NAME", appName, -1)
+ manifest = strings.Replace(manifest, "REALM-NAME", realmName, -1)
+ manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
ra := &secv1beta1.RequestAuthentication{}
- dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(requestAuthenticationManifest)), 1000)
+ dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
if err := dec.Decode(&ra); err != nil {
return "", err
@@ -200,14 +208,14 @@
func createAuthorizationPolicy(clientset *versioned.Clientset, appName, realmName, roleName, methodName string) (string, error) {
apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
- authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "RAPP-NAME", appName, -1)
- authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "REALM-NAME", realmName, -1)
- authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "ROLE-NAME", roleName, -1)
- authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "METHOD-NAME", methodName, -1)
- authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "RAPP-NS", NAMESPACE, -1)
+ manifest := strings.Replace(authorizationPolicyManifest, "RAPP-NAME", appName, -1)
+ manifest = strings.Replace(manifest, "REALM-NAME", realmName, -1)
+ manifest = strings.Replace(manifest, "ROLE-NAME", roleName, -1)
+ manifest = strings.Replace(manifest, "METHOD-NAME", methodName, -1)
+ manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
ap := &secv1beta1.AuthorizationPolicy{}
- dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(authorizationPolicyManifest)), 1000)
+ dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
if err := dec.Decode(&ap); err != nil {
return "", err