UPDATE: bump authPolicy to v1beta3 in guides (#949)

Signed-off-by: Jim Fitzpatrick <[email protected]>

doc/auth.md

@@ -26,7 +26,6 @@ The `AuthPolicy` spec includes the following parts:
 
 * A reference to an existing Gateway API resource (`spec.targetRef`)
 * Authentication/authorization scheme (`spec.rules`)
-* Top-level route selectors (`spec.routeSelectors`)
 * Top-level additional conditions (`spec.when`)
 * List of named patterns (`spec.patterns`)
 
@@ -38,14 +37,14 @@ The auth scheme specify rules for:
 * Custom response items (`spec.rules.response`)
 * Callbacks (`spec.rules.callbacks`)
 
-Each auth rule can declare specific `routeSelectors` and `when` conditions for the rule to apply.
+Each auth rule can declare specific `when` conditions for the rule to apply.
 
 The auth scheme (`rules`), as well as conditions and named patterns can be declared at the top-level level of the spec (with the semantics of _defaults_) or alternatively within explicit `defaults` or `overrides` blocks.
 
 #### High-level example and field definition
 
 ```yaml
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: my-auth-policy
@@ -58,18 +57,6 @@ spec:
     kind: HTTPRoute / Gateway
     name: myroute / mygateway
 
-  # Selectors of HTTPRouteRules within the targeted HTTPRoute that activate the AuthPolicy.
-  # Each element contains a HTTPRouteMatch object that will be used to select HTTPRouteRules that include at least
-  # one identical HTTPRouteMatch.
-  # The HTTPRouteMatch part does not have to be fully identical, but the what's stated in the selector must be
-  # identically stated in the HTTPRouteRule.
-  # Do not use it on AuthPolicies that target a Gateway.
-  routeSelectors:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: "/admin"
-
   # Additional dynamic conditions to trigger the AuthPolicy.
   # Use it for filtering attributes not supported by HTTPRouteRule or with AuthPolicies that target a Gateway.
   # Check out https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md to learn more
@@ -100,9 +87,6 @@ spec:
           authorizationHeader:
             prefix: APIKEY
 
-        # Rule-level route selectors.
-        routeSelectors: […]
-
         # Rule-level additional conditions.
         when: […]
 
@@ -194,7 +178,7 @@ The targeted HTTPRoute's rules and/or hostnames to which the policy must be enfo
 Target a HTTPRoute by setting the `spec.targetRef` field of the AuthPolicy as follows:
 
 ```yaml
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: my-route-auth
@@ -254,7 +238,7 @@ Inversely, a gateway policy that specify _overrides_ declares a set of rules to
 Target a Gateway HTTPRoute by setting the `spec.targetRef` field of the AuthPolicy as follows:
 
 ```yaml
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: my-gw-auth

doc/reference/authpolicy.md

@@ -31,8 +31,8 @@
 | `rules`          | [AuthScheme](#authscheme)                                                                                                                   | No           | Implicit default authentication/authorization rules                                                                                                                                                                                                                                             |
 | `patterns`       | Map<String: [NamedPattern](#namedpattern)>                                                                                                  | No           | Implicit default named patterns of lists of `selector`, `operator` and `value` tuples, to be reused in `when` conditions and pattern-matching authorization rules.                                                                                                                              |
 | `when`           | [][PatternExpressionOrRef](https://docs.kuadrant.io/latest/authorino/docs/features/#common-feature-conditions-when)                                | No           | List of implicit default additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's `spec.hostnames` and `spec.rules.matches` fields, or when targeting a Gateway.                                |
-| `defaults`       | [AuthPolicyCommonSpec](#authPolicyCommonSpec)                                                                                               | No           | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: `spec.rules`, `spec.routeSelectors`, `spec.patterns`, `spec.when`                                                                                                                  |
-| `overrides`      | [AuthPolicyCommonSpec](#authPolicyCommonSpec)                                                                                               | No           | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.routeSelectors`, `spec.patterns`, `spec.when`, `spec.default`                                                                                      |
+| `defaults`       | [AuthPolicyCommonSpec](#authPolicyCommonSpec)                                                                                               | No           | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: `spec.rules`, `spec.patterns`, `spec.when`                                                                                                                  |
+| `overrides`      | [AuthPolicyCommonSpec](#authPolicyCommonSpec)                                                                                               | No           | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.patterns`, `spec.when`, `spec.default`                                                                                      |
 
 
 ## AuthPolicyCommonSpec

doc/user-guides/auth-for-app-devs-and-platform-engineers.md

@@ -145,7 +145,7 @@ Create the AuthPolicy to enforce the following auth rules:
 
 ```sh
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore
@@ -168,11 +168,6 @@ spec:
           rego: |
             groups := split(object.get(input.auth.identity.metadata.annotations, "kuadrant.io/groups", ""), ",")
             allow { groups[_] == "admins" }
-        routeSelectors:
-        - matches:
-          - path:
-              type: PathPrefix
-              value: "/admin"
 EOF
 ```
 
@@ -232,7 +227,7 @@ Create the policy:
 
 ```sh
 kubectl -n gateway-system apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: gw-auth

doc/user-guides/authenticated-rl-for-app-developers.md

@@ -118,7 +118,7 @@ Create a Kuadrant `AuthPolicy` to configure the authentication:
 
 ```sh
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore

doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md

@@ -130,7 +130,7 @@ Create a Kuadrant `AuthPolicy` to configure authentication and authorization:
 
 ```sh
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore-protection

doc/user-guides/secure-protect-connect-single-multi-cluster.md

@@ -231,7 +231,7 @@ Set a default, deny-all `AuthPolicy` for your Gateway as follows:
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: ${gatewayName}-auth

doc/user-guides/secure-protect-connect.md

@@ -238,7 +238,7 @@ Communication is secured and we have some protection for our infrastructure, but
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: deny-all
@@ -407,7 +407,7 @@ Now, we will override the AuthPolicy to start accepting the API keys:
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore

examples/toystore/authpolicy.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore
@@ -8,12 +8,6 @@ spec:
     group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: toystore
-  routeSelectors:
-  - matches:
-    - path:
-        type: Exact
-        value: "/admin/toy"
-      method: DELETE
   rules:
     authentication:
       "apikey":
@@ -33,7 +27,7 @@ spec:
                 "user-id":
                   selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
 ---
-apiVersion: kuadrant.io/v1beta1
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore

examples/toystore/authpolicy_jwt-k8s-authnz.yaml

@@ -1,7 +1,7 @@
 # A Kuadrant AuthPolicy to protect an API with authentication based on OpenId Connect (OIDC) ID tokens (signed JWTs)
 # and Kubernetes Service Account tokens combined, and authorization with permissions (bindings) stored in the
 # Kubernetes RBAC, enforced by Authorino, Kuadrant's authorization service.
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: AuthPolicy
 metadata:
   name: toystore-protection