2 // ========================LICENSE_START=================================
5 // Copyright (C) 2022: Nordix Foundation
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
11 // http://www.apache.org/licenses/LICENSE-2.0
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
18 // ========================LICENSE_END===================================
27 netv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
28 secv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
29 versioned "istio.io/client-go/pkg/clientset/versioned"
30 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
31 k8Yaml "k8s.io/apimachinery/pkg/util/yaml"
32 "k8s.io/client-go/rest"
33 clientcmd "k8s.io/client-go/tools/clientcmd"
42 NAMESPACE = "istio-nonrtric"
45 var gatewayManifest = `
46 apiVersion: networking.istio.io/v1beta1
49 name: nonrtric-istio-RAPP-NAME-gateway
53 istio: ingressgateway # use Istio gateway implementation
63 var virtualServiceManifest = `
64 apiVersion: networking.istio.io/v1beta1
67 name: nonrtric-istio-RAPP-NAME-vs
73 - nonrtric-istio-RAPP-NAME-gateway
75 - name: "RAPP-NAME-routes"
83 host: RAPP-NAME.RAPP-NS.svc.cluster.local
86 var requestAuthenticationManifest = `
87 apiVersion: security.istio.io/v1beta1
88 kind: RequestAuthentication
95 app.kubernetes.io/instance: RAPP-NAME
97 - issuer: "http://192.168.49.2:31560/auth/realms/REALM-NAME"
98 jwksUri: "http://192.168.49.2:31560/auth/realms/REALM-NAME/protocol/openid-connect/certs"
99 - issuer: "http://keycloak.default:8080/auth/realms/REALM-NAME"
100 jwksUri: "http://keycloak.default:8080/auth/realms/REALM-NAME/protocol/openid-connect/certs"
101 - issuer: "https://192.168.49.2:31561/auth/realms/REALM-NAME"
102 jwksUri: "https://192.168.49.2:31561/auth/realms/REALM-NAME/protocol/openid-connect/certs"
103 - issuer: "https://keycloak.default:8443/auth/realms/REALM-NAME"
104 jwksUri: "https://keycloak.default:8443/auth/realms/REALM-NAME/protocol/openid-connect/certs"
105 - issuer: "https://keycloak.est.tech:443/auth/realms/REALM-NAME"
106 jwksUri: "https://keycloak.default:8443/auth/realms/REALM-NAME/protocol/openid-connect/certs"
107 - issuer: "http://istio-ingressgateway.istio-system:80/auth/realms/REALM-NAME"
108 jwksUri: "http://keycloak.default:8080/auth/realms/REALM-NAME/protocol/openid-connect/certs"
111 var authorizationPolicyManifest = `
112 apiVersion: "security.istio.io/v1beta1"
113 kind: "AuthorizationPolicy"
115 name: "RAPP-NAME-policy"
120 app.kubernetes.io/instance: RAPP-NAME
125 requestPrincipals: ["http://192.168.49.2:31560/auth/realms/REALM-NAME/", "http://keycloak.default:8080/auth/realms/REALM-NAME/", "https://192.168.49.2:31561/auth/realms/REALM-NAME/", "https://keycloak.default:8443/auth/realms/REALM-NAME/", "https://keycloak.est.tech:443/auth/realms/REALM-NAME/", "http://istio-ingressgateway.istio-system:80/auth/realms/REALM-NAME/"]
128 methods: ["METHOD-NAME"]
129 paths: ["/RAPP-NAME"]
131 - key: request.auth.claims[clientRole]
132 values: ["ROLE-NAME"]
135 func connectToK8s() *versioned.Clientset {
136 config, err := rest.InClusterConfig()
138 // fallback to kubeconfig
139 home, exists := os.LookupEnv("HOME")
144 kubeconfig := filepath.Join(home, ".kube", "config")
145 if envvar := os.Getenv("KUBECONFIG"); len(envvar) > 0 {
148 config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
150 log.Fatalln("failed to create K8s config")
154 ic, err := versioned.NewForConfig(config)
156 log.Fatalf("Failed to create istio client: %s", err)
162 func createGateway(clientset *versioned.Clientset, appName string) (string, error) {
163 gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
164 manifest := strings.Replace(gatewayManifest, "RAPP-NAME", appName, -1)
165 manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
167 gt := &netv1beta1.Gateway{}
168 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
170 if err := dec.Decode(>); err != nil {
174 result, err := gtClient.Create(context.TODO(), gt, metav1.CreateOptions{})
180 fmt.Printf("Create Gateway %s \n", result.GetName())
181 return result.GetName(), nil
184 func createVirtualService(clientset *versioned.Clientset, appName string) (string, error) {
185 vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
186 manifest := strings.Replace(virtualServiceManifest, "RAPP-NAME", appName, -1)
187 manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
189 vs := &netv1beta1.VirtualService{}
190 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
192 if err := dec.Decode(&vs); err != nil {
196 result, err := vsClient.Create(context.TODO(), vs, metav1.CreateOptions{})
202 fmt.Printf("Create Virtual Service %s \n", result.GetName())
203 return result.GetName(), nil
206 func createRequestAuthentication(clientset *versioned.Clientset, appName, realmName string) (string, error) {
207 raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
208 manifest := strings.Replace(requestAuthenticationManifest, "RAPP-NAME", appName, -1)
209 manifest = strings.Replace(manifest, "REALM-NAME", realmName, -1)
210 manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
212 ra := &secv1beta1.RequestAuthentication{}
213 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
215 if err := dec.Decode(&ra); err != nil {
219 result, err := raClient.Create(context.TODO(), ra, metav1.CreateOptions{})
225 fmt.Printf("Create Request Authentication %s \n", result.GetName())
226 return result.GetName(), nil
229 func createAuthorizationPolicy(clientset *versioned.Clientset, appName, realmName, roleName, methodName string) (string, error) {
230 apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
231 manifest := strings.Replace(authorizationPolicyManifest, "RAPP-NAME", appName, -1)
232 manifest = strings.Replace(manifest, "REALM-NAME", realmName, -1)
233 manifest = strings.Replace(manifest, "ROLE-NAME", roleName, -1)
234 manifest = strings.Replace(manifest, "METHOD-NAME", methodName, -1)
235 manifest = strings.Replace(manifest, "RAPP-NS", NAMESPACE, -1)
237 ap := &secv1beta1.AuthorizationPolicy{}
238 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest)), 1000)
240 if err := dec.Decode(&ap); err != nil {
244 result, err := apClient.Create(context.TODO(), ap, metav1.CreateOptions{})
250 fmt.Printf("Create Authorization Policy %s \n", result.GetName())
251 return result.GetName(), nil
254 func removeGateway(clientset *versioned.Clientset, appName string) {
255 gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
256 err := gtClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-gateway", metav1.DeleteOptions{})
260 fmt.Println("Deleted Gateway nonrtric-istio-" + appName + "-gateway")
264 func removeVirtualService(clientset *versioned.Clientset, appName string) {
265 vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
266 err := vsClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-vs", metav1.DeleteOptions{})
270 fmt.Println("Deleted VirtualServices nonrtric-istio-" + appName + "-vs")
274 func removeRequestAuthentication(clientset *versioned.Clientset, appName string) {
275 raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
276 err := raClient.Delete(context.TODO(), "jwt-"+appName, metav1.DeleteOptions{})
280 fmt.Println("Deleted RequestAuthentication jwt-" + appName)
284 func removeAuthorizationPolicy(clientset *versioned.Clientset, appName string) {
285 apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
286 err := apClient.Delete(context.TODO(), appName+"-policy", metav1.DeleteOptions{})
290 fmt.Println("Deleted AuthorizationPolicy " + appName + "-policy")
294 func createIstioPolicy(res http.ResponseWriter, req *http.Request) {
295 query := req.URL.Query()
296 realmName := query.Get("realm")
297 appName := query.Get("name")
298 roleName := query.Get("role")
299 methodName := query.Get("method")
301 clientset := connectToK8s()
302 _, err := createGateway(clientset, appName)
305 fmt.Println(err.Error())
307 _, err := createVirtualService(clientset, appName)
310 fmt.Println(err.Error())
312 _, err := createRequestAuthentication(clientset, appName, realmName)
315 fmt.Println(err.Error())
317 _, err := createAuthorizationPolicy(clientset, appName, realmName, roleName, methodName)
320 fmt.Println(err.Error())
322 msg = "Istio rapp security setup successfully"
328 // create response binary data
329 data := []byte(msg) // slice of bytes
330 // write `data` to response
334 func removeIstioPolicy(res http.ResponseWriter, req *http.Request) {
335 query := req.URL.Query()
336 appName := query.Get("name")
337 clientset := connectToK8s()
338 removeAuthorizationPolicy(clientset, appName)
339 removeRequestAuthentication(clientset, appName)
340 removeVirtualService(clientset, appName)
341 removeGateway(clientset, appName)
345 createIstioHandler := http.HandlerFunc(createIstioPolicy)
346 http.Handle("/create", createIstioHandler)
347 removeIstioHandler := http.HandlerFunc(removeIstioPolicy)
348 http.Handle("/remove", removeIstioHandler)
349 http.ListenAndServe(":9000", nil)