From cb94b2912a2df2b3dec94bc3431337175981bb97 Mon Sep 17 00:00:00 2001
From: KevFan <chfan@redhat.com>
Date: Wed, 20 Nov 2024 12:02:33 +0000
Subject: [PATCH 1/4] guides: auth anonymous access

Signed-off-by: KevFan <chfan@redhat.com>
---
 doc/user-guides/anonymous-access.md | 177 ++++++++++++++++++++++++++++
 1 file changed, 177 insertions(+)
 create mode 100644 doc/user-guides/anonymous-access.md

diff --git a/doc/user-guides/anonymous-access.md b/doc/user-guides/anonymous-access.md
new file mode 100644
index 000000000..135da3911
--- /dev/null
+++ b/doc/user-guides/anonymous-access.md
@@ -0,0 +1,177 @@
+# Enforcing anonymous access with Kuadrant AuthPolicy
+
+Learn how to allow anonymous access to certain endpoints using Kuadrant's `AuthPolicy`
+
+## Requisites
+
+- [Docker](https://docker.io)
+
+## Run the guide ① → ④
+
+### ①  Setup 
+
+Clone the repo:
+
+```sh
+git clone git@github.com:Kuadrant/kuadrant-operator.git && cd kuadrant-operator
+```
+
+Run the following command to create a local Kubernetes cluster with [Kind](https://kind.sigs.k8s.io/), install & deploy Kuadrant:
+
+```sh
+make local-setup
+```
+
+Request an instance of Kuadrant in the `kuadrant-system` namespace:
+
+```sh
+kubectl -n kuadrant-system apply -f - <<EOF
+apiVersion: kuadrant.io/v1beta1
+kind: Kuadrant
+metadata:
+  name: kuadrant
+spec: {}
+EOF
+```
+
+### ② Deploy the Talker API
+
+```sh
+kubectl apply -f examples/toystore/toystore.yaml
+
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: toystore
+spec:
+  parentRefs:
+  - name: kuadrant-ingressgateway
+    namespace: gateway-system
+  hostnames:
+  - api.toystore.com
+  rules:
+  - matches: # rule-1
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/cars"
+    backendRefs:
+    - name: toystore
+      port: 80
+  - matches: # rule-2
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/public"
+    backendRefs:
+    - name: toystore
+      port: 80
+EOF
+```
+
+Export the gateway hostname and port:
+
+```sh
+export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
+export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
+export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
+```
+
+Test requests to the unprotected application:
+
+```sh
+curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
+# HTTP/1.1 200 OK
+```
+
+```sh
+curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
+# HTTP/1.1 200 OK
+```
+
+### ③ Protect the Toy Store application
+
+Create an `AuthPolicy` to protect the `HTTPRoute`:
+
+```sh
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: AuthPolicy
+metadata:
+  name: route-auth
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  defaults:
+    strategy: atomic
+    rules:
+      authorization:
+        deny-all:
+          opa:
+            rego: "allow = false"
+EOF
+```
+
+Test requests to the protected application:
+
+```sh
+curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
+# HTTP/1.1 403 Forbidden
+```
+
+```sh
+curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
+# HTTP/1.1 403 Forbidden
+```
+
+### ④ Allow Anonymous Access to the Public Route
+Create an `AuthPolicy` to enable anonymous access for the `/public` rule:
+
+```sh
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: AuthPolicy
+metadata:
+  name: rule-2-auth
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+    sectionName: rule-2
+  defaults:
+    rules:
+      authentication:
+        "public":
+          anonymous: {}
+EOF
+```
+
+The example above enables anonymous access (i.e. removes authentication) to the `/public` rule of the `HTTPRoute`.
+
+### ④ Consume the API
+
+Test requests to the application protected by Kuadrant:
+
+```sh
+curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
+# HTTP/1.1 403 Forbidden
+```
+
+```sh
+curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
+# HTTP/1.1 200 OK
+```
+
+## Cleanup
+
+```sh
+kubectl delete -f examples/toystore/toystore.yaml
+kubectl delete httproute toystore
+kubectl delete authpolicy route-auth
+kubectl delete authpolicy rule-2-auth
+kubectl delete kuadrant kuadrant -n kuadrant-system
+```

From 8c1a3b1310cb132d85b48df4cfeb72c0a30b2ed1 Mon Sep 17 00:00:00 2001
From: KevFan <chfan@redhat.com>
Date: Wed, 4 Dec 2024 10:37:38 +0000
Subject: [PATCH 2/4] refactor: layout and setup

Signed-off-by: KevFan <chfan@redhat.com>
---
 .../{ => auth}/anonymous-access.md            | 52 ++++++-------------
 1 file changed, 17 insertions(+), 35 deletions(-)
 rename doc/user-guides/{ => auth}/anonymous-access.md (69%)

diff --git a/doc/user-guides/anonymous-access.md b/doc/user-guides/auth/anonymous-access.md
similarity index 69%
rename from doc/user-guides/anonymous-access.md
rename to doc/user-guides/auth/anonymous-access.md
index 135da3911..4cc44184d 100644
--- a/doc/user-guides/anonymous-access.md
+++ b/doc/user-guides/auth/anonymous-access.md
@@ -2,43 +2,24 @@
 
 Learn how to allow anonymous access to certain endpoints using Kuadrant's `AuthPolicy`
 
-## Requisites
+## Prerequisites
 
-- [Docker](https://docker.io)
+You have installed Kuadrant in a [kubernetes](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) or [OpenShift](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/) cluster.
 
-## Run the guide ① → ④
+## Run the guide ① → ⑦
+### ① Deploy Toy Store application
 
-### ①  Setup 
-
-Clone the repo:
+Deploy a simple HTTP application service that echoes back the request data:
 
 ```sh
-git clone git@github.com:Kuadrant/kuadrant-operator.git && cd kuadrant-operator
+kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/examples/toystore/toystore.yaml
 ```
 
-Run the following command to create a local Kubernetes cluster with [Kind](https://kind.sigs.k8s.io/), install & deploy Kuadrant:
-
-```sh
-make local-setup
-```
+### ② Expose the Application
 
-Request an instance of Kuadrant in the `kuadrant-system` namespace:
+Create an `HTTPRoute` to expose an `/cars` and `/public` path to the application:
 
 ```sh
-kubectl -n kuadrant-system apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta1
-kind: Kuadrant
-metadata:
-  name: kuadrant
-spec: {}
-EOF
-```
-
-### ② Deploy the Talker API
-
-```sh
-kubectl apply -f examples/toystore/toystore.yaml
-
 kubectl apply -f - <<EOF
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -70,7 +51,7 @@ spec:
 EOF
 ```
 
-Export the gateway hostname and port:
+Export the gateway hostname and port for testing:
 
 ```sh
 export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
@@ -78,6 +59,7 @@ export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
+### ③ Test the Unprotected Application
 Test requests to the unprotected application:
 
 ```sh
@@ -90,9 +72,9 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
 # HTTP/1.1 200 OK
 ```
 
-### ③ Protect the Toy Store application
+### ④ Deny All Traffic with AuthPolicy
 
-Create an `AuthPolicy` to protect the `HTTPRoute`:
+Apply an `AuthPolicy` to deny all traffic to the `HTTPRoute`:
 
 ```sh
 kubectl apply -f - <<EOF
@@ -115,7 +97,7 @@ spec:
 EOF
 ```
 
-Test requests to the protected application:
+### ⑤ Test the Protected Application
 
 ```sh
 curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
@@ -127,8 +109,8 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
 # HTTP/1.1 403 Forbidden
 ```
 
-### ④ Allow Anonymous Access to the Public Route
-Create an `AuthPolicy` to enable anonymous access for the `/public` rule:
+### ⑥ Allow Anonymous Access to /public
+Create an `AuthPolicy` to allow anonymous access to the `/public` endpoint:
 
 ```sh
 kubectl apply -f - <<EOF
@@ -152,7 +134,7 @@ EOF
 
 The example above enables anonymous access (i.e. removes authentication) to the `/public` rule of the `HTTPRoute`.
 
-### ④ Consume the API
+### ⑦ Test the Application with Anonymous Access
 
 Test requests to the application protected by Kuadrant:
 
@@ -169,7 +151,7 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
 ## Cleanup
 
 ```sh
-kubectl delete -f examples/toystore/toystore.yaml
+kubectl delete -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/examples/toystore/toystore.yaml
 kubectl delete httproute toystore
 kubectl delete authpolicy route-auth
 kubectl delete authpolicy rule-2-auth

From 2d3fa67c8c59314afae5eb5d94c589fce5d3f310 Mon Sep 17 00:00:00 2001
From: KevFan <chfan@redhat.com>
Date: Wed, 4 Dec 2024 15:25:39 +0000
Subject: [PATCH 3/4] refactor: remove unicode numbers from guide

Signed-off-by: KevFan <chfan@redhat.com>
---
 doc/user-guides/auth/anonymous-access.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/doc/user-guides/auth/anonymous-access.md b/doc/user-guides/auth/anonymous-access.md
index 4cc44184d..aa4701834 100644
--- a/doc/user-guides/auth/anonymous-access.md
+++ b/doc/user-guides/auth/anonymous-access.md
@@ -6,8 +6,7 @@ Learn how to allow anonymous access to certain endpoints using Kuadrant's `AuthP
 
 You have installed Kuadrant in a [kubernetes](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) or [OpenShift](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/) cluster.
 
-## Run the guide ① → ⑦
-### ① Deploy Toy Store application
+### Deploy Toy Store application
 
 Deploy a simple HTTP application service that echoes back the request data:
 
@@ -15,7 +14,7 @@ Deploy a simple HTTP application service that echoes back the request data:
 kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/examples/toystore/toystore.yaml
 ```
 
-### ② Expose the Application
+### Expose the Application
 
 Create an `HTTPRoute` to expose an `/cars` and `/public` path to the application:
 
@@ -59,7 +58,7 @@ export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
-### ③ Test the Unprotected Application
+### Test the Unprotected Application
 Test requests to the unprotected application:
 
 ```sh
@@ -72,7 +71,7 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
 # HTTP/1.1 200 OK
 ```
 
-### ④ Deny All Traffic with AuthPolicy
+### Deny All Traffic with AuthPolicy
 
 Apply an `AuthPolicy` to deny all traffic to the `HTTPRoute`:
 
@@ -97,7 +96,7 @@ spec:
 EOF
 ```
 
-### ⑤ Test the Protected Application
+### Test the Protected Application
 
 ```sh
 curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
@@ -109,7 +108,7 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
 # HTTP/1.1 403 Forbidden
 ```
 
-### ⑥ Allow Anonymous Access to /public
+### Allow Anonymous Access to /public
 Create an `AuthPolicy` to allow anonymous access to the `/public` endpoint:
 
 ```sh
@@ -134,7 +133,7 @@ EOF
 
 The example above enables anonymous access (i.e. removes authentication) to the `/public` rule of the `HTTPRoute`.
 
-### ⑦ Test the Application with Anonymous Access
+### Test the Application with Anonymous Access
 
 Test requests to the application protected by Kuadrant:
 

From 983490dc03f407c619395ba93511aaad2eca4833 Mon Sep 17 00:00:00 2001
From: KevFan <chfan@redhat.com>
Date: Thu, 5 Dec 2024 12:53:00 +0000
Subject: [PATCH 4/4] refactor: include gateway creation as part of guide

Signed-off-by: KevFan <chfan@redhat.com>
---
 doc/user-guides/auth/anonymous-access.md | 32 ++++++++++++++++++++----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/doc/user-guides/auth/anonymous-access.md b/doc/user-guides/auth/anonymous-access.md
index aa4701834..d785c4323 100644
--- a/doc/user-guides/auth/anonymous-access.md
+++ b/doc/user-guides/auth/anonymous-access.md
@@ -4,7 +4,29 @@ Learn how to allow anonymous access to certain endpoints using Kuadrant's `AuthP
 
 ## Prerequisites
 
-You have installed Kuadrant in a [kubernetes](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) or [OpenShift](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/) cluster.
+You have installed Kuadrant in a [kubernetes](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) or [OpenShift](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/) cluster with a Gateway provider.
+
+### Create Gateway
+Create a `Gateway` resource for this guide:
+
+```sh
+kubectl apply -f -<<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: kuadrant-ingressgateway
+spec:
+  gatewayClassName: istio
+  listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+    allowedRoutes:
+      namespaces:
+        from: Same
+EOF
+```
+The `Gateway` resource created above uses Istio as the gateway provider. For Envoy Gateway, use the Envoy Gateway `GatewayClass` as the `gatewayClassName`.
 
 ### Deploy Toy Store application
 
@@ -27,7 +49,7 @@ metadata:
 spec:
   parentRefs:
   - name: kuadrant-ingressgateway
-    namespace: gateway-system
+    namespace: default
   hostnames:
   - api.toystore.com
   rules:
@@ -53,8 +75,8 @@ EOF
 Export the gateway hostname and port for testing:
 
 ```sh
-export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
-export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
+export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n default -o jsonpath='{.status.addresses[0].value}')
+export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n default -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
@@ -154,5 +176,5 @@ kubectl delete -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/r
 kubectl delete httproute toystore
 kubectl delete authpolicy route-auth
 kubectl delete authpolicy rule-2-auth
-kubectl delete kuadrant kuadrant -n kuadrant-system
+kubectl delete gateway kuadrant-ingressgateway
 ```