From e4252a07704789ccc6de1635305e6845777efc79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com>
Date: Tue, 5 Mar 2024 18:26:16 -0600
Subject: [PATCH] fix(authz): Fix broken external auth configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are two misconfigurations being fixed:
* In the SMCP, the service hostname of Authorino was coded with `-authorization` suffix, but the right suffix is `-authorino-authorization`.
* In the `kserve-predictor` AuthorizationPolicy, the hardcoded `opendatahub-odh-auth-provider` provider name was used, but it should have been the template `{{ .AppNamespace }}-auth-provider`.

In `pkg/feature/feature.go` the patch manifests (i.e. the ones containing `.patch` in the filename) are always applied. Thus, the first bullet is solved by fixing the patch file that adds the `extensionProvider` to the SMCP.

For the second bullet, the faulty AuthorizationPolicy is created with a regular manifest template which is only applied if the resource does not exist. Thus, a patch manifest is added to properly fix the faulty policy (including operator upgrades).

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
---
 .../authorino/mesh-authz-ext-provider.patch.tmpl | 2 +-
 .../kserve-predictor-authorizationpolicy.patch.tmpl | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 pkg/feature/templates/servicemesh/kserve/z-fix-jira-4192/kserve-predictor-authorizationpolicy.patch.tmpl

diff --git a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl
index 2dea63bf14d..1a91092c7c2 100644
--- a/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl
+++ b/pkg/feature/templates/servicemesh/authorino/mesh-authz-ext-provider.patch.tmpl
@@ -9,5 +9,5 @@ spec:
 extensionProviders:
 - name: {{ .AppNamespace }}-auth-provider
 envoyExtAuthzGrpc:
- service: {{ .AuthProviderName }}-authorization.{{ .Auth.Namespace }}.svc.cluster.local
+ service: {{ .AuthProviderName }}-authorino-authorization.{{ .Auth.Namespace }}.svc.cluster.local
 port: 50051
diff --git a/pkg/feature/templates/servicemesh/kserve/z-fix-jira-4192/kserve-predictor-authorizationpolicy.patch.tmpl b/pkg/feature/templates/servicemesh/kserve/z-fix-jira-4192/kserve-predictor-authorizationpolicy.patch.tmpl
new file mode 100644
index 00000000000..aff5984cd53
--- /dev/null
+++ b/pkg/feature/templates/servicemesh/kserve/z-fix-jira-4192/kserve-predictor-authorizationpolicy.patch.tmpl
@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: kserve-predictor
+ namespace: {{ .ControlPlane.Namespace }}
+spec:
+ provider:
+ name: {{ .AppNamespace }}-auth-provider
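Review bot: The corrected `service:` host now bakes in the Service naming convention of the Authorino operator (`<AuthProviderName>-authorino-authorization`), but nothing in the template records that dependency, so the next change to that convention will break the ext_authz path exactly the way this commit repairs it. A comment directly above the `service:` line, e.g. `# Must match the authorization Service the Authorino operator creates for the Authorino CR named .AuthProviderName; the "-authorino-authorization" suffix is that operator's convention, not ours`, would keep the reason with the value (assuming the patch loader tolerates YAML comments — please confirm). Since `envoyExtAuthzGrpc` sets no `failOpen`, the old misnamed host most likely caused requests to be denied rather than let through, as Istio's ext_authz default is fail-closed if I recall it correctly; stating that symptom in the commit message would help operators recognise the broken state on clusters that have not yet been upgraded. The enclosing `spec:` block of the SMCP patch starts outside the hunk.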
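Review bot: The new patch manifest carries no comment explaining why it exists, and its directory name `z-fix-jira-4192` plus the commit message are the only record that it overrides a provider name that was hard-coded on already-installed clusters. A short header in the file, describing that it realigns `spec.provider.name` with the `extensionProvider` declared in the SMCP and is kept as a `.patch` template precisely so it is applied on upgrades as well as fresh installs, would preserve that intent where the next maintainer will read it. The `z-` prefix presumably exists to sort this patch after the base `kserve-predictor` manifest; if that ordering matters, the header should say so. The patch also selects its target purely by `name: kserve-predictor` in `{{ .ControlPlane.Namespace }}`, so a rename of the policy in the base manifest would make this patch silently miss (or, depending on how the loader applies patches, create a stray policy); naming the base manifest it pairs with in the header would make that coupling visible.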