(#66) Configure an ExtAuthzProxy provider for each project stage

This patch configures an istio envoyExtAuthzHttp provider for each stage in each project. An example provider for the dev stage of the holos project is `authproxy-dev-holos`
holos-run · Mar 30, 2024 · 43c8702 · 43c8702
1 parent ce94776
commit 43c8702
Showing 5 changed files with 91 additions and 73 deletions.
diff --git a/docs/examples/meshconfig.cue b/docs/examples/meshconfig.cue
@@ -0,0 +1,52 @@
+package holos
+
+// #MeshConfig provides the istio meshconfig in the config key given projects.
+#MeshConfig: {
+	projects: #Projects
+	// clusterName is the value of the --cluster-name flag, the cluster currently being manged / rendered.
+	clusterName: string | *#ClusterName
+
+	extensionProviderMap: [Name=_]: {
+		name: Name
+	}
+
+	config: {
+		accessLogEncoding: string | *"JSON"
+		accessLogFile:     string | *"/dev/stdout"
+		defaultConfig: {
+			discoveryAddress: string | *"istiod.istio-system.svc:15012"
+			tracing: zipkin: address: string | *"zipkin.istio-system:9411"
+		}
+		defaultProviders: metrics: [...string] | *["prometheus"]
+		enablePrometheusMerge: false | *true
+		rootNamespace:         string | *"istio-system"
+		trustDomain:           string | *"cluster.local"
+		extensionProviders: [for x in extensionProviderMap {x}]
+	}
+}
+
+// #ExtAuthzProxy defines the provider configuration for an istio external authorization auth proxy.
+#ExtAuthzProxy: {
+	name: string
+	envoyExtAuthzHttp: {
+		headersToDownstreamOnDeny: [
+			"content-type",
+			"set-cookie",
+		]
+		headersToUpstreamOnAllow: [
+			"authorization",
+			"path",
+			"x-auth-request-user",
+			"x-auth-request-email",
+			"x-auth-request-access-token",
+		]
+		includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+		includeRequestHeadersInCheck: [
+			"authorization",
+			"cookie",
+			"x-forwarded-for",
+		]
+		port:    4180
+		service: string
+	}
+}
diff --git a/docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istiod/meshconfig.cue b/docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istiod/meshconfig.cue
@@ -2,73 +2,4 @@ package holos
 
 // Istio meshconfig
 // TODO: Generate per-project extauthz providers.
-_MeshConfig: {
-	accessLogEncoding: "JSON"
-	accessLogFile:     "/dev/stdout"
-	defaultConfig: {
-		discoveryAddress: "istiod.istio-system.svc:15012"
-		tracing: zipkin: address: "zipkin.istio-system:9411"
-	}
-	defaultProviders: metrics: ["prometheus"]
-	enablePrometheusMerge: true
-	// For PROXY PROTOCOL at the ingress gateway.
-	gatewayTopology: {
-		numTrustedProxies: 2
-	}
-	rootNamespace: "istio-system"
-	trustDomain:   "cluster.local"
-	extensionProviders: [{
-		name: "cluster-trace"
-		zipkin: {
-			maxTagLength: 56
-			port:         9411
-			service:      "zipkin.istio-system.svc"
-		}
-	}, {
-		name: "cluster-gatekeeper"
-		envoyExtAuthzHttp: {
-			headersToDownstreamOnDeny: [
-				"content-type",
-				"set-cookie",
-			]
-			headersToUpstreamOnAllow: [
-				"authorization",
-				"path",
-				"x-auth-request-user",
-				"x-auth-request-email",
-				"x-auth-request-access-token",
-			]
-			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
-			includeRequestHeadersInCheck: [
-				"authorization",
-				"cookie",
-				"x-forwarded-for",
-			]
-			port:    4180
-			service: "oauth2-proxy.istio-ingress.svc.cluster.local"
-		}
-	}, {
-		name: "core-authorizer"
-		envoyExtAuthzHttp: {
-			headersToDownstreamOnDeny: [
-				"content-type",
-				"set-cookie",
-			]
-			headersToUpstreamOnAllow: [
-				"authorization",
-				"path",
-				"x-auth-request-user",
-				"x-auth-request-email",
-				"x-auth-request-access-token",
-			]
-			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
-			includeRequestHeadersInCheck: [
-				"authorization",
-				"cookie",
-				"x-forwarded-for",
-			]
-			port:    4180
-			service: "oauth2-proxy.prod-core-system.svc.cluster.local"
-		}
-	}]
-}
+_MeshConfig: (#MeshConfig & {projects: _Projects}).config
diff --git a/docs/examples/platforms/reference/meshconfig.cue b/docs/examples/platforms/reference/meshconfig.cue
@@ -0,0 +1,35 @@
+package holos
+
+#MeshConfig: {
+	projects:    _
+	clusterName: _
+
+	extensionProviderMap: {
+		"cluster-trace": {
+			zipkin: {
+				maxTagLength: 56
+				port:         9411
+				service:      "zipkin.istio-system.svc"
+			}
+		}
+	}
+
+	config: {
+		// For PROXY PROTOCOL at the ingress gateway.
+		gatewayTopology: {
+			numTrustedProxies: 2
+		}
+	}
+
+	// Configure an ExtAuthzHttp provider for each stage's authproxy
+	for Project in projects {
+		if Project.clusters[clusterName] != _|_ {
+			for Stage in Project.stages {
+				let Name = "authproxy-\(Stage.slug)"
+				extensionProviderMap: (Name): #ExtAuthzProxy & {
+					envoyExtAuthzHttp: service: "authproxy.\(Stage.namespace).svc.cluster.local"
+				}
+			}
+		}
+	}
+}
diff --git a/docs/examples/platforms/reference/platform_projects.cue b/docs/examples/platforms/reference/platform_projects.cue
@@ -285,7 +285,7 @@ let AUTHPROXY = {
 			metadata: Metadata
 			spec: selector: Metadata.labels
 			spec: ports: [
-				{port: 80, targetPort: 4180, protocol: "TCP", name: "http"},
+				{port: 4180, targetPort: 4180, protocol: "TCP", name: "http"},
 			]
 		}
 		VirtualService: (Name): #VirtualService & {
@@ -296,7 +296,7 @@ let AUTHPROXY = {
 				match: [{uri: prefix: project.authProxyPrefix}]
 				route: [{
 					destination: host: Name
-					destination: port: number: 80
+					destination: port: number: 4180
 				}]
 			}]
 		}

diff --git a/pkg/version/embedded/patch b/pkg/version/embedded/patch
@@ -1 +1 @@
-3
+4