Merge branch 'add-jwt-authentication' into martin-jwt-auth

api/v1alpha1/digdirator/digdirator.go

@@ -2,6 +2,7 @@ package digdirator
 
 import (
 	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -16,6 +17,7 @@ type DigdiratorURIs struct {
 
 type DigdiratorProvider interface {
 	IsEnabled() bool
+	GetAuthSpec() istiotypes.Authentication
 	GetDigdiratorName() DigdiratorName
 	GetProvidedSecretName() *string
 	GetIgnoredPaths() []string

api/v1alpha1/digdirator/idporten.go

@@ -95,6 +95,10 @@ func (i *IDPorten) IsEnabled() bool {
 	return i != nil && i.Enabled && i.Authentication != nil && i.Authentication.Enabled
 }
 
+func (i *IDPorten) GetAuthSpec() istiotypes.Authentication {
+	return *i.Authentication
+}
+
 func (i *IDPorten) GetDigdiratorName() DigdiratorName {
 	return IDPortenName
 }

api/v1alpha1/digdirator/maskinporten.go

@@ -28,7 +28,10 @@ const MaskinPortenName = "maskinporten"
 
 func (i *Maskinporten) IsEnabled() bool {
 	return i != nil && i.Enabled && i.Authentication != nil && i.Authentication.Enabled
+}
 
+func (i *Maskinporten) GetAuthSpec() istiotypes.Authentication {
+	return *i.Authentication
 }
 
 func (i *Maskinporten) GetDigdiratorName() DigdiratorName {

internal/controllers/application.go

@@ -292,7 +292,7 @@ func (r *ApplicationReconciler) finalizeApplication(application *skiperatorv1alp
 		ctrlutil.RemoveFinalizer(application, applicationFinalizer)
 		err := r.GetClient().Update(ctx, application)
 		if err != nil {
-			return fmt.Errorf("Something went wrong when trying to finalize application. %w", err)
+			return fmt.Errorf("something went wrong when trying to finalize application. %w", err)
 		}
 	}
 
@@ -451,6 +451,7 @@ func (r *ApplicationReconciler) getAuthConfig(ctx context.Context, application s
 		return nil, fmt.Errorf("failed to get auth config secret for %s: %w", digdiratorProvider.GetDigdiratorName(), err)
 	}
 	return &AuthConfig{
+		Spec:     digdiratorProvider.GetAuthSpec(),
 		NotPaths: digdiratorProvider.GetIgnoredPaths(),
 		ProviderURIs: digdirator.DigdiratorURIs{
 			Name:      digdiratorProvider.GetDigdiratorName(),

pkg/reconciliation/reconciliation.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
+	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	"github.com/kartverket/skiperator/pkg/log"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/rest"
@@ -22,6 +23,7 @@ const (
 type AuthConfigs []AuthConfig
 
 type AuthConfig struct {
+	Spec         istiotypes.Authentication
 	NotPaths     []string
 	ProviderURIs digdirator.DigdiratorURIs
 }

pkg/resourcegenerator/istio/authorizationpolicy/jwt_auth/authorization_policy.go

@@ -46,19 +46,19 @@ func Generate(r reconciliation.Reconciliation) error {
 				application.Name,
 				*authConfigs,
 				allowedPaths,
-				[]string{authorizationpolicy.DefaultDenyPath},
+				authorizationpolicy.DefaultDenyPath,
 			),
 		)
 	}
 	ctxLog.Debug("Finished generating JWT-auth AuthorizationPolicy for application", "application", application.Name)
 	return nil
 }
 
-func getJwtValidationAuthPolicy(namespacedName types.NamespacedName, applicationName string, authConfigs []reconciliation.AuthConfig, allowPaths []string, denyPaths []string) *securityv1.AuthorizationPolicy {
+func getJwtValidationAuthPolicy(namespacedName types.NamespacedName, applicationName string, authConfigs []reconciliation.AuthConfig, allowPaths []string, denyPath string) *securityv1.AuthorizationPolicy {
 	var authPolicyRules []*securityv1api.Rule
 
 	notPaths := allowPaths
-	notPaths = append(allowPaths, denyPaths...)
+	notPaths = append(allowPaths, denyPath)
 	for _, authConfig := range authConfigs {
 		authPolicyRules = append(authPolicyRules, &securityv1api.Rule{
 			To: []*securityv1api.Rule_To{

pkg/resourcegenerator/istio/requestauthentication/request_authentication.go

@@ -3,8 +3,6 @@ package requestauthentication
 import (
 	"fmt"
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
-	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
-	"github.com/kartverket/skiperator/api/v1alpha1/istiotypes"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
 	securityv1api "istio.io/api/security/v1"
@@ -43,12 +41,7 @@ func Generate(r reconciliation.Reconciliation) error {
 func getRequestAuthentication(application *skiperatorv1alpha1.Application, authConfigs []reconciliation.AuthConfig) securityv1.RequestAuthentication {
 	jwtRules := make([]*v1beta1.JWTRule, len(authConfigs))
 	for i, config := range authConfigs {
-		switch config.ProviderURIs.Name {
-		case digdirator.IDPortenName:
-			jwtRules[i] = getJWTRule(application.Spec.IDPorten.Authentication, config.ProviderURIs)
-		case digdirator.MaskinPortenName:
-			jwtRules[i] = getJWTRule(application.Spec.Maskinporten.Authentication, config.ProviderURIs)
-		}
+		jwtRules[i] = getJWTRule(config)
 	}
 	return securityv1.RequestAuthentication{
 		ObjectMeta: metav1.ObjectMeta{
@@ -64,16 +57,16 @@ func getRequestAuthentication(application *skiperatorv1alpha1.Application, authC
 	}
 }
 
-func getJWTRule(authentication *istiotypes.Authentication, providerURIs digdirator.DigdiratorURIs) *v1beta1.JWTRule {
+func getJWTRule(authConfig reconciliation.AuthConfig) *v1beta1.JWTRule {
 	var jwtRule = v1beta1.JWTRule{
-		ForwardOriginalToken: authentication.ForwardOriginalToken,
+		ForwardOriginalToken: authConfig.Spec.ForwardOriginalToken,
 	}
-	if authentication.TokenLocation == "cookie" {
+	if authConfig.Spec.TokenLocation == "cookie" {
 		jwtRule.FromCookies = []string{"BearerToken"}
 	}
-	if authentication.OutputClaimToHeaders != nil {
-		claimsToHeaders := make([]*v1beta1.ClaimToHeader, len(*authentication.OutputClaimToHeaders))
-		for i, claimToHeader := range *authentication.OutputClaimToHeaders {
+	if authConfig.Spec.OutputClaimToHeaders != nil {
+		claimsToHeaders := make([]*v1beta1.ClaimToHeader, len(*authConfig.Spec.OutputClaimToHeaders))
+		for i, claimToHeader := range *authConfig.Spec.OutputClaimToHeaders {
 			claimsToHeaders[i] = &v1beta1.ClaimToHeader{
 				Header: claimToHeader.Header,
 				Claim:  claimToHeader.Claim,
@@ -82,9 +75,9 @@ func getJWTRule(authentication *istiotypes.Authentication, providerURIs digdirat
 		jwtRule.OutputClaimToHeaders = claimsToHeaders
 	}
 
-	jwtRule.Issuer = providerURIs.IssuerURI
-	jwtRule.JwksUri = providerURIs.JwksURI
-	jwtRule.Audiences = []string{providerURIs.ClientID}
+	jwtRule.Issuer = authConfig.ProviderURIs.IssuerURI
+	jwtRule.JwksUri = authConfig.ProviderURIs.JwksURI
+	jwtRule.Audiences = []string{authConfig.ProviderURIs.ClientID}
 
 	return &jwtRule
 }

pkg/resourcegenerator/networkpolicy/dynamic/common.go

@@ -5,9 +5,11 @@ import (
 	"github.com/kartverket/skiperator/api/v1alpha1/podtypes"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
+	v1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"net"
 	"slices"
 	"strings"
 )
@@ -93,9 +95,41 @@ func getEgressRules(accessPolicy *podtypes.AccessPolicy, appNamespace string) []
 		egressRules = append(egressRules, getEgressRule(rule, appNamespace))
 	}
 
+	for _, externalRule := range accessPolicy.Outbound.External {
+		if externalRule.Ports == nil || externalRule.Ip == "" || net.ParseIP(externalRule.Ip) == nil {
+			continue
+		}
+		egressRules = append(egressRules, getIPExternalRule(externalRule))
+	}
+
 	return egressRules
 }
 
+func getIPExternalRule(externalRule podtypes.ExternalRule) networkingv1.NetworkPolicyEgressRule {
+	externalRuleForIP := networkingv1.NetworkPolicyEgressRule{
+		To: []networkingv1.NetworkPolicyPeer{
+			{
+				IPBlock: &networkingv1.IPBlock{
+					CIDR: externalRule.Ip + "/32",
+				},
+			},
+		},
+		Ports: mapExternalPortsToNetworkPolicyPorts(externalRule.Ports),
+	}
+	return externalRuleForIP
+}
+
+func mapExternalPortsToNetworkPolicyPorts(externalPorts []podtypes.ExternalPort) []networkingv1.NetworkPolicyPort {
+	var ports []networkingv1.NetworkPolicyPort
+	for _, externalPort := range externalPorts {
+		ports = append(ports, networkingv1.NetworkPolicyPort{
+			Port:     util.PointTo(intstr.FromInt(externalPort.Port)),
+			Protocol: util.PointTo(v1.ProtocolTCP),
+		})
+	}
+	return ports
+}
+
 func getEgressRule(outboundRule podtypes.InternalRule, namespace string) networkingv1.NetworkPolicyEgressRule {
 	slices.SortFunc(outboundRule.Ports, sortNetPolPorts)
 	egressRuleForOutboundRule := networkingv1.NetworkPolicyEgressRule{

tests/application/access-policy/chainsaw-test.yaml

@@ -42,3 +42,8 @@ spec:
             file: multiple-ns-same-label.yaml
         - assert:
             file: multiple-ns-same-label-assert.yaml
+    - try:
+        - apply:
+            file: external-ip-policy.yaml
+        - assert:
+            file: external-ip-policy-assert.yaml

tests/application/access-policy/external-ip-policy-assert.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: external-ip-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: external-ip-policy
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 5432
+      to:
+        - ipBlock:
+            cidr: 22.134.52.36/32
+  policyTypes:
+    - Egress

tests/application/access-policy/external-ip-policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: external-ip-policy
+spec:
+  image: image
+  port: 8080
+  accessPolicy:
+    outbound:
+      external:
+        - host: xkcd.com
+        - host: backstage-db-sandbox
+          ip: 22.134.52.36
+          ports:
+            - name: sql
+              port: 5432
+              protocol: TCP
+