2 // ========================LICENSE_START=================================
5 // Copyright (C) 2022: Nordix Foundation
7 // Licensed under the Apache License, Version 2.0 (the "License");
8 // you may not use this file except in compliance with the License.
9 // You may obtain a copy of the License at
11 // http://www.apache.org/licenses/LICENSE-2.0
13 // Unless required by applicable law or agreed to in writing, software
14 // distributed under the License is distributed on an "AS IS" BASIS,
15 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 // See the License for the specific language governing permissions and
17 // limitations under the License.
18 // ========================LICENSE_END===================================
26 netv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
27 netv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
28 secv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
29 versioned "istio.io/client-go/pkg/clientset/versioned"
30 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
31 k8Yaml "k8s.io/apimachinery/pkg/util/yaml"
32 "k8s.io/client-go/rest"
33 clientcmd "k8s.io/client-go/tools/clientcmd"
42 NAMESPACE = "istio-nonrtric"
45 type TemplateConfig struct {
55 var inputs TemplateConfig
58 var config *template.Template
60 func connectToK8s() *versioned.Clientset {
61 config, err := rest.InClusterConfig()
63 // fallback to kubeconfig
64 home, exists := os.LookupEnv("HOME")
69 kubeconfig := filepath.Join(home, ".kube", "config")
70 if envvar := os.Getenv("KUBECONFIG"); len(envvar) > 0 {
73 config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
75 log.Fatalln("failed to create K8s config")
79 ic, err := versioned.NewForConfig(config)
81 log.Fatalf("Failed to create istio client: %s", err)
87 func createGateway(clientset *versioned.Clientset) (string, error) {
88 gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
89 config = template.Must(template.ParseFiles("./templates/Gateway-template.txt"))
90 var manifest bytes.Buffer
91 err := config.Execute(&manifest, inputs)
96 gt := &netv1beta1.Gateway{}
97 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
99 if err := dec.Decode(>); err != nil {
103 result, err := gtClient.Create(context.TODO(), gt, metav1.CreateOptions{})
109 fmt.Printf("Create Gateway %s \n", result.GetName())
110 return result.GetName(), nil
113 func createVirtualService(clientset *versioned.Clientset) (string, error) {
114 vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
115 config = template.Must(template.ParseFiles("./templates/VirtualService-template.txt"))
116 var manifest bytes.Buffer
117 err := config.Execute(&manifest, inputs)
122 vs := &netv1beta1.VirtualService{}
123 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
125 if err := dec.Decode(&vs); err != nil {
129 result, err := vsClient.Create(context.TODO(), vs, metav1.CreateOptions{})
135 fmt.Printf("Create Virtual Service %s \n", result.GetName())
136 return result.GetName(), nil
139 func createRequestAuthentication(clientset *versioned.Clientset) (string, error) {
140 raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
141 config = template.Must(template.ParseFiles("./templates/RequestAuthentication-template.txt"))
142 var manifest bytes.Buffer
143 err := config.Execute(&manifest, inputs)
148 ra := &secv1beta1.RequestAuthentication{}
149 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
151 if err := dec.Decode(&ra); err != nil {
155 result, err := raClient.Create(context.TODO(), ra, metav1.CreateOptions{})
161 fmt.Printf("Create Request Authentication %s \n", result.GetName())
162 return result.GetName(), nil
165 func createAuthorizationPolicy(clientset *versioned.Clientset) (string, error) {
166 apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
167 config = template.Must(template.ParseFiles("./templates/AuthorizationPolicy-template.txt"))
168 var manifest bytes.Buffer
169 err := config.Execute(&manifest, inputs)
174 ap := &secv1beta1.AuthorizationPolicy{}
175 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
177 if err := dec.Decode(&ap); err != nil {
181 result, err := apClient.Create(context.TODO(), ap, metav1.CreateOptions{})
187 fmt.Printf("Create Authorization Policy %s \n", result.GetName())
188 return result.GetName(), nil
191 func createEnvoyFilter(clientset *versioned.Clientset) (string, error) {
192 efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
193 config = template.Must(template.ParseFiles("./templates/EnvoyFilter-template.txt"))
194 var manifest bytes.Buffer
195 err := config.Execute(&manifest, inputs)
200 ef := &netv1alpha3.EnvoyFilter{}
201 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
203 if err = dec.Decode(&ef); err != nil {
207 result, err := efClient.Create(context.TODO(), ef, metav1.CreateOptions{})
213 fmt.Printf("Create Envoy Filter %s \n", result.GetName())
214 return result.GetName(), nil
217 func removeGateway(clientset *versioned.Clientset) {
218 gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
219 err := gtClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-gateway", metav1.DeleteOptions{})
223 fmt.Println("Deleted Gateway nonrtric-istio-" + appName + "-gateway")
227 func removeVirtualService(clientset *versioned.Clientset) {
228 vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
229 err := vsClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-vs", metav1.DeleteOptions{})
233 fmt.Println("Deleted VirtualServices nonrtric-istio-" + appName + "-vs")
237 func removeRequestAuthentication(clientset *versioned.Clientset) {
238 raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
239 err := raClient.Delete(context.TODO(), "jwt-"+appName, metav1.DeleteOptions{})
243 fmt.Println("Deleted RequestAuthentication jwt-" + appName)
247 func removeAuthorizationPolicy(clientset *versioned.Clientset) {
248 apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
249 err := apClient.Delete(context.TODO(), appName+"-policy", metav1.DeleteOptions{})
253 fmt.Println("Deleted AuthorizationPolicy " + appName + "-policy")
257 func removeEnvoyFilter(clientset *versioned.Clientset) {
258 efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
259 err := efClient.Delete(context.TODO(), appName+"-outbound-filter", metav1.DeleteOptions{})
263 fmt.Println("Deleted EnvoyFilter " + appName + "-outbound-filter")
267 func createIstioPolicy(res http.ResponseWriter, req *http.Request) {
268 query := req.URL.Query()
269 realmName := query.Get("realm")
270 appName := query.Get("name")
271 roleName := query.Get("role")
272 methodName := query.Get("method")
273 inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Role: roleName, Method: methodName }
275 clientset := connectToK8s()
276 _, err := createGateway(clientset)
279 fmt.Println(err.Error())
281 _, err := createVirtualService(clientset)
284 fmt.Println(err.Error())
286 _, err := createRequestAuthentication(clientset)
289 fmt.Println(err.Error())
291 _, err := createAuthorizationPolicy(clientset)
294 fmt.Println(err.Error())
296 msg = "Istio rapp security setup successfully"
302 // create response binary data
303 data := []byte(msg) // slice of bytes
304 // write `data` to response
308 func createIstioFilter(res http.ResponseWriter, req *http.Request) {
309 query := req.URL.Query()
310 realmName := query.Get("realm")
311 clientId := query.Get("client")
312 appName := query.Get("name")
313 authType := query.Get("authType")
314 inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Client: clientId, Authenticator: authType}
316 clientset := connectToK8s()
317 _, err := createEnvoyFilter(clientset)
320 fmt.Println(err.Error())
322 // create response binary data
323 data := []byte(msg) // slice of bytes
324 // write `data` to response
328 func removeIstioPolicy(res http.ResponseWriter, req *http.Request) {
329 query := req.URL.Query()
330 appName = query.Get("name")
331 clientset := connectToK8s()
332 removeAuthorizationPolicy(clientset)
333 removeRequestAuthentication(clientset)
334 removeVirtualService(clientset)
335 removeGateway(clientset)
338 func removeIstioFilter(res http.ResponseWriter, req *http.Request) {
339 query := req.URL.Query()
340 appName = query.Get("name")
341 clientset := connectToK8s()
342 removeEnvoyFilter(clientset)
346 createIstioPolicyHandler := http.HandlerFunc(createIstioPolicy)
347 http.Handle("/create-policy", createIstioPolicyHandler)
348 removeIstioPolicyHandler := http.HandlerFunc(removeIstioPolicy)
349 http.Handle("/remove-policy", removeIstioPolicyHandler)
350 createIstioFilterHandler := http.HandlerFunc(createIstioFilter)
351 http.Handle("/create-filter", createIstioFilterHandler)
352 removeIstioFilterHandler := http.HandlerFunc(removeIstioFilter)
353 http.Handle("/remove-filter", removeIstioFilterHandler)
354 http.ListenAndServe(":9000", nil)