Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authpolicy status should not report error when authconfig resource is not required. #349

Closed
eguzki opened this issue Nov 30, 2023 · 4 comments · Fixed by #411
Closed

Authpolicy status should not report error when authconfig resource is not required. #349

eguzki opened this issue Nov 30, 2023 · 4 comments · Fixed by #411
Assignees
Labels
kind/bug Something isn't working
Milestone

Comments

@eguzki
Copy link
Contributor

eguzki commented Nov 30, 2023

Given the following topology:

Gateway prod-web

HTTPRoute petstore-route   ->  gateway prod-web

AuthPolicy gw-auth -> Gateway prod-web

Authpolicy petstore-route -> HTTPRoute petstore-route

The status field of the gw-auth policy reports as "Not Available"

 status:                                           
  conditions:                                     
  - lastTransitionTime: "2023-11-30T15:40:34Z"    
    message: AuthScheme is not ready yet          
    reason: AuthSchemeNotReady                    
    status: "False"                               
    type: Available                               
  observedGeneration: 2                           

This is wrong because the gw-auth policy does not need an AuthConfig resource as there is no "free" HTTPRoutes. It should report as "Available" instead.

@eguzki eguzki added the kind/bug Something isn't working label Nov 30, 2023
@alexsnaps alexsnaps moved this to Todo in Kuadrant Dec 8, 2023
@alexsnaps alexsnaps modified the milestones: v0.6.0, v0.7.0 Dec 8, 2023
@KevFan KevFan self-assigned this Feb 7, 2024
@KevFan KevFan moved this from Todo to In Progress in Kuadrant Feb 7, 2024
@KevFan
Copy link
Contributor

KevFan commented Feb 8, 2024

@eguzki @guicassolato Given the RFC on https://github.com/Kuadrant/architecture/blob/main/rfcs/0004-policy-status.md, I'm interested on how this scenario would work for the Enforced condition for the Gateway AuthPolicy gw-auth in the example.

To me, there is 2 options from https://github.com/Kuadrant/architecture/blob/main/rfcs/0004-policy-status.md#conditions:

  1. This could be Enforced: True: Enforced - that this policy has been successfully enforced even though all httproutes from this Gateway has their own AuthPolicy

or alternatively:

  1. This could be Enforced: False: Overridden - This policy has been overridden as all httproutes from this Gateway has their own AuthPolicy

I think currently in my head no 2) makes more sense, the gateway AuthPolicy is not enforced on any underlying HTTPRoute and has been overridden by the AuthPolicy on the HTTPRoute attached to the Gateway. If a free httproute using this gateway becomes available with no authpolicy, it should then go back to no 1) as its successfully enforcing it's AuthPolicy on a httproute

Interested in your thoughts on this on if you agree or not 🤔

@guicassolato
Copy link
Contributor

@eguzki @guicassolato Given the RFC on https://github.com/Kuadrant/architecture/blob/main/rfcs/0004-policy-status.md, I'm interested on how this scenario would work for the Enforced condition for the Gateway AuthPolicy gw-auth in the example.

To me, there is 2 options from https://github.com/Kuadrant/architecture/blob/main/rfcs/0004-policy-status.md#conditions:

1. This could be `Enforced: True: Enforced` - that this policy has been successfully enforced even though all httproutes from this Gateway has their own AuthPolicy

or alternatively:

2. This could be `Enforced: False: Overridden` - This policy has been overridden as all httproutes from this Gateway has their own AuthPolicy

I think currently in my head no 2) makes more sense, the gateway AuthPolicy is not enforced on any underlying HTTPRoute and has been overridden by the AuthPolicy on the HTTPRoute attached to the Gateway. If a free httproute using this gateway becomes available with no authpolicy, it should then go back to no 1) as its successfully enforcing it's AuthPolicy on a httproute

Interested in your thoughts on this on if you agree or not 🤔

Good question, @KevFan!

IMO, I'd say Enforced: False: Overridden, but interested to hear other opinions.

cc @R-Lawton @didierofrivia

@didierofrivia
Copy link
Member

@KevFan @guicassolato I share your view point on this, following the states conditions listed in https://github.com/Kuadrant/architecture/blob/main/rfcs/0004-policy-status.md#conditions, the use case should reflect Enforced: False: Overridden

KevFan added a commit to KevFan/kuadrant-operator that referenced this issue Feb 12, 2024
@KevFan KevFan moved this from In Progress to Ready For Review in Kuadrant Feb 12, 2024
KevFan added a commit to KevFan/kuadrant-operator that referenced this issue Feb 12, 2024
KevFan added a commit to KevFan/kuadrant-operator that referenced this issue Feb 12, 2024
KevFan added a commit to KevFan/kuadrant-operator that referenced this issue Feb 12, 2024
KevFan added a commit to KevFan/kuadrant-operator that referenced this issue Feb 15, 2024
KevFan added a commit that referenced this issue Feb 20, 2024
* feat: auth policy enforced condition

* feat: enforced condition overridden reason

Closes: #349

* refactor: detection overridden AuthPolicy logic

* refactor: OverriddenPolicyMap
@github-project-automation github-project-automation bot moved this from Ready For Review to Done in Kuadrant Feb 20, 2024
@eguzki
Copy link
Contributor Author

eguzki commented Feb 21, 2024

Sorry for being late to the party. I just wanted to tell that I agree with the decision taken here. "Enforced" and "Overriden" at the same time represents better the actual configuration applied.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Something isn't working
Projects
Status: Done
Status: To do
Development

Successfully merging a pull request may close this issue.

5 participants