Added provider and invoker
Change-Id: I443b8b11a2304621109a9729473e05af8461f4f0
diff --git a/rapps/rapps-istio-mgr.go b/rapps/rapps-istio-mgr.go
index bcbbbeb..04189ce 100644
--- a/rapps/rapps-istio-mgr.go
+++ b/rapps/rapps-istio-mgr.go
@@ -15,18 +15,19 @@
"net/http"
"os"
"path/filepath"
+ "strings"
)
const (
NAMESPACE = "istio-nonrtric"
)
-const gatewayManifest = `
+var gatewayManifest = `
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
- name: nonrtric-istio-hw-gateway
- namespace: istio-nonrtric
+ name: nonrtric-istio-RAPP-NAME-gateway
+ namespace: RAPP-NS
spec:
selector:
istio: ingressgateway # use Istio gateway implementation
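Review bot: Changing `const gatewayManifest` to `var gatewayManifest` turns the template into mutable package-level state, and it is only needed because the later `strings.Replace` calls write the rendered text back into the same variable. Keeping the template `const` and rendering each request into a local, e.g. `manifest := strings.NewReplacer("RAPP-NAME", appName, "RAPP-NS", NAMESPACE).Replace(gatewayManifest)`, gives the same result without a shared string that every handler rewrites. The `namespace: RAPP-NS` placeholder is, as far as this diff shows, always filled with the `NAMESPACE` constant; a one-line template comment such as `# RAPP-NS is always replaced by NAMESPACE (istio-nonrtric)` would stop readers expecting a per-rApp namespace. The manifest continues past the end of this hunk.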
@@ -39,68 +40,68 @@
- "*"
`
-const virtualServiceManifest = `
+var virtualServiceManifest = `
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
- name: nonrtric-istio-hw-vs
- namespace: istio-nonrtric
+ name: nonrtric-istio-RAPP-NAME-vs
+ namespace: RAPP-NS
spec:
hosts:
- "*"
gateways:
- - nonrtric-istio-hw-gateway
+ - nonrtric-istio-RAPP-NAME-gateway
http:
- - name: "hello-world-routes"
+ - name: "RAPP-NAME-routes"
match:
- uri:
- prefix: "/hello-world"
+ prefix: "/RAPP-NAME"
route:
- destination:
port:
number: 80
- host: hello-world.istio-nonrtric.svc.cluster.local
+ host: RAPP-NAME.RAPP-NS.svc.cluster.local
`
-const requestAuthenticationManifest = `
+var requestAuthenticationManifest = `
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
- name: "jwt-hw"
- namespace: istio-nonrtric
+ name: "jwt-RAPP-NAME"
+ namespace: RAPP-NS
spec:
selector:
matchLabels:
- app.kubernetes.io/instance: hello-world
+ app.kubernetes.io/instance: RAPP-NAME
jwtRules:
- - issuer: "http://192.168.49.2:31560/auth/realms/hwrealm"
- jwksUri: "http://192.168.49.2:31560/auth/realms/hwrealm/protocol/openid-connect/certs"
- - issuer: "http://keycloak.default:8080/auth/realms/hwrealm"
- jwksUri: "http://keycloak.default:8080/auth/realms/hwrealm/protocol/openid-connect/certs"
+ - issuer: "http://192.168.49.2:31560/auth/realms/REALM-NAME"
+ jwksUri: "http://192.168.49.2:31560/auth/realms/REALM-NAME/protocol/openid-connect/certs"
+ - issuer: "http://keycloak.default:8080/auth/realms/REALM-NAME"
+ jwksUri: "http://keycloak.default:8080/auth/realms/REALM-NAME/protocol/openid-connect/certs"
`
-const authorizationPolicyManifest = `
+var authorizationPolicyManifest = `
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
- name: "hw-policy"
- namespace: istio-nonrtric
+ name: "RAPP-NAME-policy"
+ namespace: RAPP-NS
spec:
selector:
matchLabels:
- app.kubernetes.io/instance: hello-world
+ app.kubernetes.io/instance: RAPP-NAME
action: ALLOW
rules:
- from:
- source:
- requestPrincipals: ["http://192.168.49.2:31560/auth/realms/hwrealm/", "http://keycloak.default:8080/auth/realms/hwrealm/"]
+ requestPrincipals: ["http://192.168.49.2:31560/auth/realms/REALM-NAME/", "http://keycloak.default:8080/auth/realms/REALM-NAME/"]
- to:
- operation:
- methods: ["GET"]
- paths: ["/hello-world*"]
+ methods: ["METHOD-NAME"]
+ paths: ["/RAPP-NAME*"]
when:
- key: request.auth.claims[clientRole]
- values: ["hwclientrole"]
+ values: ["ROLE-NAME"]
`
func connectToK8s() *versioned.Clientset {
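Review bot: Both the route and the policy match on a bare prefix — `prefix: "/RAPP-NAME"` in the VirtualService and `paths: ["/RAPP-NAME*"]` in the AuthorizationPolicy — so an rApp named `foo` also captures and authorizes `/foobar`, i.e. any other rApp whose name starts with the same characters. Anchor on a path segment instead, `prefix: "/RAPP-NAME/"` and `paths: ["/RAPP-NAME/*"]` (add the exact path `/RAPP-NAME` as a second entry if it must answer too). Separately, the now realm-parameterised `jwksUri` values are still plain `http://`; a JWKS fetched without TLS can be replaced by anyone on the network path, which is worth at least a `# TODO: use https; plain http is only acceptable on an isolated dev cluster` note in the template. The `methods: ["METHOD-NAME"]` line means each policy now allows exactly one caller-chosen verb, so the caller-supplied value needs to be constrained to a real HTTP method before it lands here.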
@@ -130,8 +131,10 @@
return ic
}
-func createGateway(clientset *versioned.Clientset) (string, error) {
+func createGateway(clientset *versioned.Clientset, appName string) (string, error) {
gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
+ gatewayManifest = strings.Replace(gatewayManifest, "RAPP-NAME", appName, -1)
+ gatewayManifest = strings.Replace(gatewayManifest, "RAPP-NS", NAMESPACE, -1)
gt := &netv1beta1.Gateway{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(gatewayManifest)), 1000)
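Review bot: `gatewayManifest = strings.Replace(gatewayManifest, "RAPP-NAME", appName, -1)` overwrites the package-level template, so after the first request the `RAPP-NAME` placeholder no longer exists and every later call — whatever `appName` it receives — re-submits the first rApp's Gateway name; two handlers running at the same time also race on the same string. Render into a local and hand that to the decoder: `manifest := strings.NewReplacer("RAPP-NAME", appName, "RAPP-NS", NAMESPACE).Replace(gatewayManifest)` followed by `bytes.NewReader([]byte(manifest))`. The same write-back pattern appears in the other three `create*` functions of this file. `createGateway`'s body continues past the end of this hunk.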
@@ -150,8 +153,10 @@
return result.GetName(), nil
}
-func createVirtualService(clientset *versioned.Clientset) (string, error) {
+func createVirtualService(clientset *versioned.Clientset, appName string) (string, error) {
vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
+ virtualServiceManifest = strings.Replace(virtualServiceManifest, "RAPP-NAME", appName, -1)
+ virtualServiceManifest = strings.Replace(virtualServiceManifest, "RAPP-NS", NAMESPACE, -1)
vs := &netv1beta1.VirtualService{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(virtualServiceManifest)), 1000)
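Review bot: The assignment to `virtualServiceManifest` strips the `RAPP-NAME` placeholder from the package variable on the first call, so a second rApp gets the first one's VirtualService name, gateway reference and route host. Keep the template intact and decode a local copy, `manifest := strings.NewReplacer("RAPP-NAME", appName, "RAPP-NS", NAMESPACE).Replace(virtualServiceManifest)`, reading from `bytes.NewReader([]byte(manifest))`. `createVirtualService` continues beyond this hunk.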
@@ -170,8 +175,11 @@
return result.GetName(), nil
}
-func createRequestAuthentication(clientset *versioned.Clientset) (string, error) {
+func createRequestAuthentication(clientset *versioned.Clientset, appName, realmName string) (string, error) {
raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
+ requestAuthenticationManifest = strings.Replace(requestAuthenticationManifest, "RAPP-NAME", appName, -1)
+ requestAuthenticationManifest = strings.Replace(requestAuthenticationManifest, "REALM-NAME", realmName, -1)
+ requestAuthenticationManifest = strings.Replace(requestAuthenticationManifest, "RAPP-NS", NAMESPACE, -1)
ra := &secv1beta1.RequestAuthentication{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(requestAuthenticationManifest)), 1000)
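Review bot: `realmName` arrives straight from the request and is spliced into the `issuer` and `jwksUri` URLs with no validation, so a value containing `/`, `"` or a newline changes which issuer is trusted and where the signing keys are fetched from — whoever controls that location can mint tokens the mesh accepts. Reject anything that is not a plain identifier before substituting, e.g. `if !realmRe.MatchString(realmName) { return "", fmt.Errorf("invalid realm name %q", realmName) }` with `var realmRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)` at package scope (needs `regexp` imported). The substitution also writes back into `requestAuthenticationManifest`, so the placeholders are gone after the first call; a single `strings.NewReplacer(...)` pass into a local string fixes both. The function continues past the hunk.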
@@ -190,8 +198,13 @@
return result.GetName(), nil
}
-func createAuthorizationPolicy(clientset *versioned.Clientset) (string, error) {
+func createAuthorizationPolicy(clientset *versioned.Clientset, appName, realmName, roleName, methodName string) (string, error) {
apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
+ authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "RAPP-NAME", appName, -1)
+ authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "REALM-NAME", realmName, -1)
+ authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "ROLE-NAME", roleName, -1)
+ authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "METHOD-NAME", methodName, -1)
+ authorizationPolicyManifest = strings.Replace(authorizationPolicyManifest, "RAPP-NS", NAMESPACE, -1)
ap := &secv1beta1.AuthorizationPolicy{}
dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(authorizationPolicyManifest)), 1000)
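Review bot: `roleName` and `methodName` are inserted verbatim into YAML flow sequences (`values: ["ROLE-NAME"]`, `methods: ["METHOD-NAME"]`), so a role of `admin", "viewer` renders as `values: ["admin", "viewer"]` and silently widens the ALLOW rule to a second role; `appName` reaches `paths` and the selector the same way. Validate each value before substitution — an identifier pattern for `appName`, `realmName` and `roleName`, and `methodName` checked against a fixed list of HTTP verbs — and return an error otherwise. The replacement order is also fragile: `RAPP-NAME` is substituted first, so an `appName` that contains `ROLE-NAME` or `METHOD-NAME` is rewritten again by the later calls; one `strings.NewReplacer("RAPP-NAME", appName, "REALM-NAME", realmName, "ROLE-NAME", roleName, "METHOD-NAME", methodName, "RAPP-NS", NAMESPACE).Replace(authorizationPolicyManifest)` into a local avoids that and stops mutating the package variable. `createAuthorizationPolicy` continues past the hunk.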
@@ -210,29 +223,70 @@
return result.GetName(), nil
}
-// create a handler struct
-type HttpHandler struct{}
+func removeGateway(clientset *versioned.Clientset, appName string) {
+ gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
+ err := gtClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-gateway", metav1.DeleteOptions{})
+ if err != nil {
+ fmt.Println(err)
+ } else {
+ fmt.Println("Deleted Gateway nonrtric-istio-" + appName + "-gateway")
+ }
+}
-// implement `ServeHTTP` method on `HttpHandler` struct
-func (h HttpHandler) ServeHTTP(res http.ResponseWriter, req *http.Request) {
+func removeVirtualService(clientset *versioned.Clientset, appName string) {
+ vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
+ err := vsClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-vs", metav1.DeleteOptions{})
+ if err != nil {
+ fmt.Println(err)
+ } else {
+ fmt.Println("Deleted VirtualServices nonrtric-istio-" + appName + "-vs")
+ }
+}
+
+func removeRequestAuthentication(clientset *versioned.Clientset, appName string) {
+ raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
+ err := raClient.Delete(context.TODO(), "jwt-"+appName, metav1.DeleteOptions{})
+ if err != nil {
+ fmt.Println(err)
+ } else {
+ fmt.Println("Deleted RequestAuthentication jwt-" + appName)
+ }
+}
+
+func removeAuthorizationPolicy(clientset *versioned.Clientset, appName string) {
+ apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
+ err := apClient.Delete(context.TODO(), appName+"-policy", metav1.DeleteOptions{})
+ if err != nil {
+ fmt.Println(err)
+ } else {
+ fmt.Println("Deleted AuthorizationPolicy " + appName + "-policy")
+ }
+}
+
+func createIstioPolicy(res http.ResponseWriter, req *http.Request) {
+ query := req.URL.Query()
+ realmName := query.Get("realm")
+ appName := query.Get("name")
+ roleName := query.Get("role")
+ methodName := query.Get("method")
var msg string
clientset := connectToK8s()
- _, err := createGateway(clientset)
+ _, err := createGateway(clientset, appName)
if err != nil {
msg = err.Error()
fmt.Println(err.Error())
} else {
- _, err := createVirtualService(clientset)
+ _, err := createVirtualService(clientset, appName)
if err != nil {
msg = err.Error()
fmt.Println(err.Error())
} else {
- _, err := createRequestAuthentication(clientset)
+ _, err := createRequestAuthentication(clientset, appName, realmName)
if err != nil {
msg = err.Error()
fmt.Println(err.Error())
} else {
- _, err := createAuthorizationPolicy(clientset)
+ _, err := createAuthorizationPolicy(clientset, appName, realmName, roleName, methodName)
if err != nil {
msg = err.Error()
fmt.Println(err.Error())
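Review bot: `createIstioPolicy` takes `name`, `realm`, `role` and `method` from `req.URL.Query()` and forwards them with no check at all — a missing parameter yields `""`, producing resource names like `nonrtric-istio--gateway` and an issuer ending in `/realms/`, and nothing in this handler limits which HTTP method may create mesh security policy (a plain GET does). Validate the four values up front, answer 400 on failure and require `POST`; whether the endpoint itself is authenticated is presumably decided outside this file, but nothing here does it. Note that `appName` is also used as a DNS label in the VirtualService host, so the pattern may need to be lowercase-only. The handler's body (the response write) continues in the next hunk.
```go
var identRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$`)

func createIstioPolicy(res http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodPost {
		http.Error(res, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	query := req.URL.Query()
	realmName := query.Get("realm")
	appName := query.Get("name")
	roleName := query.Get("role")
	methodName := strings.ToUpper(query.Get("method"))
	for _, v := range []string{realmName, appName, roleName} {
		if !identRe.MatchString(v) {
			http.Error(res, "invalid name, realm or role", http.StatusBadRequest)
			return
		}
	}
	switch methodName {
	case "GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS":
	default:
		http.Error(res, "invalid method", http.StatusBadRequest)
		return
	}
	// … unchanged: connectToK8s and the create* chain …
```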
@@ -249,9 +303,20 @@
res.Write(data)
}
+func removeIstioPolicy(res http.ResponseWriter, req *http.Request) {
+ query := req.URL.Query()
+ appName := query.Get("name")
+ clientset := connectToK8s()
+ removeAuthorizationPolicy(clientset, appName)
+ removeRequestAuthentication(clientset, appName)
+ removeVirtualService(clientset, appName)
+ removeGateway(clientset, appName)
+}
+
func main() {
- // create a new handler
- handler := HttpHandler{}
- // listen and serve
- http.ListenAndServe(":9000", handler)
+ createIstioHandler := http.HandlerFunc(createIstioPolicy)
+ http.Handle("/create", createIstioHandler)
+ removeIstioHandler := http.HandlerFunc(removeIstioPolicy)
+ http.Handle("/remove", removeIstioHandler)
+ http.ListenAndServe(":9000", nil)
}
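Review bot: `/remove` deletes an rApp's RequestAuthentication and AuthorizationPolicy for whatever `name` is in the query string, with no method check and nothing on this side restricting the caller; once those two objects are gone the workload is presumably reachable without a token, so this endpoint disables access control as easily as `/create` enables it. The handler also never writes a response: each `remove*` helper only `fmt.Println`s its error, so the caller always gets an empty 200 whether or not anything was deleted. Have the helpers return their error, validate `appName` with the same pattern as `/create`, and reply with `http.Error(res, err.Error(), http.StatusInternalServerError)` on failure (and `http.StatusMethodNotAllowed` for anything but `DELETE`). `http.ListenAndServe(":9000", nil)` additionally serves on the default mux with no read or write timeouts; `srv := &http.Server{Addr: ":9000", Handler: mux, ReadTimeout: 10 * time.Second, WriteTimeout: 30 * time.Second}` with a dedicated `mux := http.NewServeMux()` is the usual shape.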