From 4affe401cb5492e72ba7602d561b3a5bb5ac70c5 Mon Sep 17 00:00:00 2001 From: Jim Fitzpatrick Date: Tue, 29 Oct 2024 09:20:14 +0000 Subject: [PATCH] UPDATE: bump authPolicy to v1beta3 in guides (#949) Signed-off-by: Jim Fitzpatrick --- doc/auth.md | 24 ++++--------------- doc/reference/authpolicy.md | 4 ++-- ...uth-for-app-devs-and-platform-engineers.md | 9 ++----- .../authenticated-rl-for-app-developers.md | 2 +- ...uthenticated-rl-with-jwt-and-k8s-authnz.md | 2 +- ...re-protect-connect-single-multi-cluster.md | 2 +- doc/user-guides/secure-protect-connect.md | 4 ++-- examples/toystore/authpolicy.yaml | 10 ++------ .../toystore/authpolicy_jwt-k8s-authnz.yaml | 2 +- 9 files changed, 16 insertions(+), 43 deletions(-) diff --git a/doc/auth.md b/doc/auth.md index 4dd33c295..a140dedcf 100644 --- a/doc/auth.md +++ b/doc/auth.md @@ -26,7 +26,6 @@ The `AuthPolicy` spec includes the following parts: * A reference to an existing Gateway API resource (`spec.targetRef`) * Authentication/authorization scheme (`spec.rules`) -* Top-level route selectors (`spec.routeSelectors`) * Top-level additional conditions (`spec.when`) * List of named patterns (`spec.patterns`) @@ -38,14 +37,14 @@ The auth scheme specify rules for: * Custom response items (`spec.rules.response`) * Callbacks (`spec.rules.callbacks`) -Each auth rule can declare specific `routeSelectors` and `when` conditions for the rule to apply. +Each auth rule can declare specific `when` conditions for the rule to apply. The auth scheme (`rules`), as well as conditions and named patterns can be declared at the top-level level of the spec (with the semantics of _defaults_) or alternatively within explicit `defaults` or `overrides` blocks. #### High-level example and field definition ```yaml -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1beta3 kind: AuthPolicy metadata: name: my-auth-policy @@ -58,18 +57,6 @@ spec: kind: HTTPRoute / Gateway name: myroute / mygateway - # Selectors of HTTPRouteRules within the targeted HTTPRoute that activate the AuthPolicy. - # Each element contains a HTTPRouteMatch object that will be used to select HTTPRouteRules that include at least - # one identical HTTPRouteMatch. - # The HTTPRouteMatch part does not have to be fully identical, but the what's stated in the selector must be - # identically stated in the HTTPRouteRule. - # Do not use it on AuthPolicies that target a Gateway. - routeSelectors: - - matches: - - path: - type: PathPrefix - value: "/admin" - # Additional dynamic conditions to trigger the AuthPolicy. # Use it for filtering attributes not supported by HTTPRouteRule or with AuthPolicies that target a Gateway. # Check out https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md to learn more @@ -100,9 +87,6 @@ spec: authorizationHeader: prefix: APIKEY - # Rule-level route selectors. - routeSelectors: […] - # Rule-level additional conditions. when: […] @@ -194,7 +178,7 @@ The targeted HTTPRoute's rules and/or hostnames to which the policy must be enfo Target a HTTPRoute by setting the `spec.targetRef` field of the AuthPolicy as follows: ```yaml -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1beta3 kind: AuthPolicy metadata: name: my-route-auth @@ -254,7 +238,7 @@ Inversely, a gateway policy that specify _overrides_ declares a set of rules to Target a Gateway HTTPRoute by setting the `spec.targetRef` field of the AuthPolicy as follows: ```yaml -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1beta3 kind: AuthPolicy metadata: name: my-gw-auth diff --git a/doc/reference/authpolicy.md b/doc/reference/authpolicy.md index 22f5d8212..fb8cbb538 100644 --- a/doc/reference/authpolicy.md +++ b/doc/reference/authpolicy.md @@ -31,8 +31,8 @@ | `rules` | [AuthScheme](#authscheme) | No | Implicit default authentication/authorization rules | | `patterns` | Map | No | Implicit default named patterns of lists of `selector`, `operator` and `value` tuples, to be reused in `when` conditions and pattern-matching authorization rules. | | `when` | [][PatternExpressionOrRef](https://docs.kuadrant.io/latest/authorino/docs/features/#common-feature-conditions-when) | No | List of implicit default additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's `spec.hostnames` and `spec.rules.matches` fields, or when targeting a Gateway. | -| `defaults` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: `spec.rules`, `spec.routeSelectors`, `spec.patterns`, `spec.when` | -| `overrides` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.routeSelectors`, `spec.patterns`, `spec.when`, `spec.default` | +| `defaults` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: `spec.rules`, `spec.patterns`, `spec.when` | +| `overrides` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.patterns`, `spec.when`, `spec.default` | ## AuthPolicyCommonSpec diff --git a/doc/user-guides/auth-for-app-devs-and-platform-engineers.md b/doc/user-guides/auth-for-app-devs-and-platform-engineers.md index a8e582acf..bfefd94d5 100644 --- a/doc/user-guides/auth-for-app-devs-and-platform-engineers.md +++ b/doc/user-guides/auth-for-app-devs-and-platform-engineers.md @@ -145,7 +145,7 @@ Create the AuthPolicy to enforce the following auth rules: ```sh kubectl apply -f - <