Merge new-api-impl into main (Kuadrant#84)

* add API and RateLimitPolicy resource

* add new apis' controller

* Add finalizer (Kuadrant#74)

* add API and RateLimitPolicy resource

* add new apis' controller

* add owner and finalizer for ratelimit policy

Co-authored-by: Rahul Anand <[email protected]>

* update RateLimitPolicy and API design (Kuadrant#75)

* example: add virtualservice resource to toystore example

* update ratelimitpolicy and API design

* update samples for RLP and API resource

* tie networking and ratelimit using annotations (Kuadrant#76)

* tie networking and ratelimit using annotations

* move network selection into spec from annotations

* reuse ClusterEnvoyPatch from istioprovider

* create AuthorizationPolicy using VirtualService (Kuadrant#79)

* create AuthorizationPolicy using VirtualService

* just log if reconciling w/o provider annotation

* move orphan check into the reconcile logic

* pass logger from main reconciler and small fix

* use predicate funcs to filter events for virtualservice

* make preauth as the first and postauth as the last filter (Kuadrant#80)

* cleanup API APIProduct CRDs (Kuadrant#81)

* cleanup API APIProduct CRDs

* fix tests

* remove duplicated constants

* Harden RateLimitPolicy implementation (Kuadrant#82)

* harden RateLimitPolicy implementation

* change finalizer's name

* fix typo and use correct gateway labels

* fix lint before merging into main

Co-authored-by: Craig Brookes <[email protected]>
Co-authored-by: Eguzki Astiz Lezaun <[email protected]>

Author: 3 people

PROJECT

@@ -12,17 +12,19 @@ resources:
 - api:
     crdVersion: v1
     namespaced: true
-  domain: networking.kuadrant.io
+  controller: true
+  domain: kuadrant.io
+  group: apim
   kind: API
-  path: github.com/kuadrant/kuadrant-controller/apis/networking/v1beta1
-  version: v1beta1
+  path: github.com/kuadrant/kuadrant-controller/apis/apim/v1alpha1
+  version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: true
   controller: true
   domain: kuadrant.io
-  group: networking
-  kind: APIProduct
-  path: github.com/kuadrant/kuadrant-controller/apis/networking/v1beta1
-  version: v1beta1
+  group: apim
+  kind: RateLimitPolicy
+  path: github.com/kuadrant/kuadrant-controller/apis/apim/v1alpha1
+  version: v1alpha1
 version: "3"

README.md

@@ -46,51 +46,10 @@ The kuadrant controller acts on the following [CRDs](https://kubernetes.io/docs/
 
 | CRD | Description |
 | --- | --- |
-| [APIProduct](apis/networking/v1beta1/apiproduct_types.go) | Customer-facing APIs. APIProduct facilitates the creation of strong and simplified offerings for API consumers |
-| [API](apis/networking/v1beta1/api_types.go) | Internal APIs bundled in a product. Kuadrant API objects grant API providers the freedom to map their internal API organization structure to kuadrant |
+| [RateLimitPolicy](apis/apim/v1alpha1/ratelimitpolicy_types.go) | Enable access control on workloads based on HTTP rate limiting |
 
 For a detailed description of the CRDs above, refer to the [Architecture](doc/architecture.md) page.
 
-## List of features
-
-| Feature | Description | Stage |
-| --- | --- | --- |
-| [OpenAPI 3.x](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md) | OpenAPI driven configuration. The document can be read from a configmap or served from the upstream API service | *Ready* |
-| *Path Match* based routing | HTTP routing rules will be configured based on request path expressions. Accepted values are `Exact`, `Prefix` and `RegularExpression` | *Ready* |
-| [Service Discovery](doc/service-discovery.md) | kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) and [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for a seamless integration | *Ready* |
-| **AuthN** based on API key | Protect your service with a simple API key based authentication mechanism | *Ready* |
-| **AuthN** based on [OpenID Connect (OIDC)](https://openid.net/connect/) | Kuadrant can verify OIDC (JWTs) tokens to authenticate users | *Ready* |
-| Global Rate Limiting | Single global rate limit for all requests. Main use case for protecting infrastructure resources | *Ready* |
-| Rate Limiting Per Remote IP | Rate limit configuration per each remote IP address. Main use case for protecting infrastructure resources | *Ready* |
-| Authenticated Rate Limiting | Rate limit configuration per each authenticated client | *Ready* |
-| Server TLS | TLS termination for downstream connections | Planned |
-| Upstream TLS | Client certificates upstream connections | Planned |
-| mTLS | Mutual TLS termination for downstream connections | Planned |
-| [Gateway API](https://gateway-api.sigs.k8s.io/) | Implementation of kuadrant features on top of the Gateway API | Planned |
-| Monitoring and Alerting | Observability based on [Grafana](https://grafana.com/) and [Prometheus](https://prometheus.io/) | Planned |
-
-For a detailed description of the features above, refer to the [Architecture](doc/architecture.md) page.
-
-## Architecture
-
-The [Architecture](doc/architecture.md) section of the docs covers the details of protecting your APIs with Kuadrant.
-
-## [Getting started](doc/getting-started.md)
-
-## User Guides
-
-### [HTTP routing rules from OpenAPI stored in a configmap](doc/service-discovery-oas-configmap.md)
-
-### [HTTP routing rules from OpenAPI served by the service](doc/service-discovery-oas-service.md)
-
-### [HTTP routing rules with path matching](doc/service-discovery-path-match.md)
-
-### [AuthN based on API key](doc/authn-api-key.md)
-
-### [AuthN based on OpenID Connect](doc/authn-oidc.md)
-
-### [Rate limiting](doc/rate-limit.md)
-
 ## Contributing
 
 The [Development guide](doc/development.md) describes how to build the kuadrant controller and

apis/apim/v1alpha1/api_types.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2021 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type OPARef struct {
+	URL       string                   `json:"URL,omitempty"`
+	ConfigMap *v1.LocalObjectReference `json:"configMap,omitempty"`
+}
+
+type APIMetadata struct {
+	Version     string `json:"version"`
+	Title       string `json:"title"`
+	Description string `json:"description,omitempty"`
+	OpenAPIRef  OPARef `json:"openAPIRef,omitempty"`
+}
+
+type APISpec struct {
+	Info APIMetadata `json:"info"`
+}
+
+// +kubebuilder:object:root=true
+// API is the Schema for the apis API
+type API struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec APISpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+
+// APIList contains a list of API
+type APIList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []API `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&API{}, &APIList{})
+}

apis/networking/v1beta1/groupversion_info.go apis/apim/v1alpha1/groupversion_info.go

@@ -14,10 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v1beta1 contains API Schema definitions for the networking v1beta1 API group
-// +kubebuilder:object:generate=true
-// +groupName=networking.kuadrant.io
-package v1beta1
+// Package v1alpha1 contains API Schema definitions for the apim v1alpha1 API group
+//+kubebuilder:object:generate=true
+//+groupName=apim.kuadrant.io
+package v1alpha1
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -26,7 +26,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "networking.kuadrant.io", Version: "v1beta1"}
+	GroupVersion = schema.GroupVersion{Group: "apim.kuadrant.io", Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

apis/apim/v1alpha1/ratelimitpolicy_types.go

@@ -0,0 +1,114 @@
+/*
+Copyright 2021 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+type RLGenericKey struct {
+	DescriptorKey   string `json:"descriptor_key"`
+	DescriptorValue string `json:"descriptor_value"`
+}
+
+type ActionSpecifier struct {
+	GenericKey RLGenericKey `json:"generic_key"`
+}
+
+// +kubebuilder:validation:Enum=PREAUTH;POSTAUTH;BOTH
+type RateLimitStage string
+
+// +kubebuilder:validation:Enum=HTTPRoute;VirtualService
+type NetworkingRefType string
+
+const (
+	RateLimitStagePREAUTH  RateLimitStage = "PREAUTH"
+	RateLimitStagePOSTAUTH RateLimitStage = "POSTAUTH"
+	RateLimitStageBOTH     RateLimitStage = "BOTH"
+
+	NetworkingRefTypeHR NetworkingRefType = "HTTPRoute"
+	NetworkingRefTypeVS NetworkingRefType = "VirtualService"
+)
+
+var RateLimitStageName = map[int32]string{
+	0: "PREAUTH",
+	1: "POSTAUTH",
+	2: "BOTH",
+}
+
+var RateLimitStageValue = map[RateLimitStage]int32{
+	"PREAUTH":  0,
+	"POSTAUTH": 1,
+	"BOTH":     2,
+}
+
+type Route struct {
+	// name of the route present in the virutalservice
+	Name string `json:"name"`
+	// Definfing phase at which rate limits will be applied.
+	// Valid values are: PREAUTH, POSTAUTH, BOTH
+	Stage RateLimitStage `json:"stage"`
+	// rule specific actions
+	Actions []*ActionSpecifier `json:"actions,omitempty"`
+}
+
+type NetworkingRef struct {
+	Type NetworkingRefType `json:"type"`
+	Name string            `json:"name"`
+}
+
+// RateLimitPolicySpec defines the desired state of RateLimitPolicy
+type RateLimitPolicySpec struct {
+	//+listType=map
+	//+listMapKey=type
+	//+listMapKey=name
+	NetworkingRef []NetworkingRef `json:"networkingRef,omitempty"`
+	// route specific staging and actions
+	//+listType=map
+	//+listMapKey=name
+	Routes []Route `json:"routes,omitempty"`
+	// these actions are used for all of the matching rules
+	Actions []*ActionSpecifier                `json:"actions,omitempty"`
+	Limits  []limitadorv1alpha1.RateLimitSpec `json:"limits,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// RateLimitPolicy is the Schema for the ratelimitpolicies API
+type RateLimitPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec RateLimitPolicySpec `json:"spec,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// RateLimitPolicyList contains a list of RateLimitPolicy
+type RateLimitPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RateLimitPolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&RateLimitPolicy{}, &RateLimitPolicyList{})
+}