3 // ========================LICENSE_START=================================
6 // Copyright (C) 2022-2023: Nordix Foundation
8 // Licensed under the Apache License, Version 2.0 (the "License");
9 // you may not use this file except in compliance with the License.
10 // You may obtain a copy of the License at
12 // http://www.apache.org/licenses/LICENSE-2.0
14 // Unless required by applicable law or agreed to in writing, software
15 // distributed under the License is distributed on an "AS IS" BASIS,
16 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 // See the License for the specific language governing permissions and
18 // limitations under the License.
19 // ========================LICENSE_END===================================
26 netv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
27 netv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
28 secv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
29 versioned "istio.io/client-go/pkg/clientset/versioned"
30 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
31 k8Yaml "k8s.io/apimachinery/pkg/util/yaml"
32 "k8s.io/client-go/rest"
33 clientcmd "k8s.io/client-go/tools/clientcmd"
42 NAMESPACE = "istio-nonrtric"
45 type TemplateConfig struct {
58 var inputs TemplateConfig
61 var config *template.Template
63 func connectToK8s() *versioned.Clientset {
64 config, err := rest.InClusterConfig()
66 // fallback to kubeconfig
67 home, exists := os.LookupEnv("HOME")
72 kubeconfig := filepath.Join(home, ".kube", "config")
73 if envvar := os.Getenv("KUBECONFIG"); len(envvar) > 0 {
76 config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
78 log.Fatalln("failed to create K8s config")
82 ic, err := versioned.NewForConfig(config)
84 log.Fatalf("Failed to create istio client: %s", err)
90 func createGateway(clientset *versioned.Clientset) (string, error) {
91 gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
92 config = template.Must(template.ParseFiles("./templates/Gateway-template.txt"))
93 var manifest bytes.Buffer
94 err := config.Execute(&manifest, inputs)
99 gt := &netv1beta1.Gateway{}
100 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
102 if err := dec.Decode(>); err != nil {
106 result, err := gtClient.Create(context.TODO(), gt, metav1.CreateOptions{})
112 fmt.Printf("Create Gateway %s \n", result.GetName())
113 return result.GetName(), nil
116 func createVirtualService(clientset *versioned.Clientset) (string, error) {
117 vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
118 config = template.Must(template.ParseFiles("./templates/VirtualService-template.txt"))
119 var manifest bytes.Buffer
120 err := config.Execute(&manifest, inputs)
125 vs := &netv1beta1.VirtualService{}
126 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
128 if err := dec.Decode(&vs); err != nil {
132 result, err := vsClient.Create(context.TODO(), vs, metav1.CreateOptions{})
138 fmt.Printf("Create Virtual Service %s \n", result.GetName())
139 return result.GetName(), nil
142 func createRequestAuthentication(clientset *versioned.Clientset) (string, error) {
143 raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
144 config = template.Must(template.ParseFiles("./templates/RequestAuthentication-template.txt"))
145 var manifest bytes.Buffer
146 err := config.Execute(&manifest, inputs)
151 ra := &secv1beta1.RequestAuthentication{}
152 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
154 if err := dec.Decode(&ra); err != nil {
158 result, err := raClient.Create(context.TODO(), ra, metav1.CreateOptions{})
164 fmt.Printf("Create Request Authentication %s \n", result.GetName())
165 return result.GetName(), nil
168 func createAuthorizationPolicy(clientset *versioned.Clientset) (string, error) {
169 apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
170 config = template.Must(template.ParseFiles("./templates/AuthorizationPolicy-template.txt"))
171 var manifest bytes.Buffer
172 err := config.Execute(&manifest, inputs)
177 ap := &secv1beta1.AuthorizationPolicy{}
178 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
180 if err := dec.Decode(&ap); err != nil {
184 result, err := apClient.Create(context.TODO(), ap, metav1.CreateOptions{})
190 fmt.Printf("Create Authorization Policy %s \n", result.GetName())
191 return result.GetName(), nil
194 func createEnvoyFilter(clientset *versioned.Clientset) (string, error) {
195 efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
196 config = template.Must(template.ParseFiles("./templates/EnvoyFilter-template.txt"))
197 var manifest bytes.Buffer
198 err := config.Execute(&manifest, inputs)
203 ef := &netv1alpha3.EnvoyFilter{}
204 dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(manifest.String())), 1000)
206 if err = dec.Decode(&ef); err != nil {
210 result, err := efClient.Create(context.TODO(), ef, metav1.CreateOptions{})
216 fmt.Printf("Create Envoy Filter %s \n", result.GetName())
217 return result.GetName(), nil
220 func removeGateway(clientset *versioned.Clientset) {
221 gtClient := clientset.NetworkingV1beta1().Gateways(NAMESPACE)
222 err := gtClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-gateway", metav1.DeleteOptions{})
226 fmt.Println("Deleted Gateway nonrtric-istio-" + appName + "-gateway")
230 func removeVirtualService(clientset *versioned.Clientset) {
231 vsClient := clientset.NetworkingV1beta1().VirtualServices(NAMESPACE)
232 err := vsClient.Delete(context.TODO(), "nonrtric-istio-"+appName+"-vs", metav1.DeleteOptions{})
236 fmt.Println("Deleted VirtualServices nonrtric-istio-" + appName + "-vs")
240 func removeRequestAuthentication(clientset *versioned.Clientset) {
241 raClient := clientset.SecurityV1beta1().RequestAuthentications(NAMESPACE)
242 err := raClient.Delete(context.TODO(), "jwt-"+appName, metav1.DeleteOptions{})
246 fmt.Println("Deleted RequestAuthentication jwt-" + appName)
250 func removeAuthorizationPolicy(clientset *versioned.Clientset) {
251 apClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)
252 err := apClient.Delete(context.TODO(), appName+"-policy", metav1.DeleteOptions{})
256 fmt.Println("Deleted AuthorizationPolicy " + appName + "-policy")
260 func removeEnvoyFilter(clientset *versioned.Clientset) {
261 efClient := clientset.NetworkingV1alpha3().EnvoyFilters(NAMESPACE)
262 err := efClient.Delete(context.TODO(), appName+"-outbound-filter", metav1.DeleteOptions{})
266 fmt.Println("Deleted EnvoyFilter " + appName + "-outbound-filter")
270 func createIstioPolicy(res http.ResponseWriter, req *http.Request) {
271 query := req.URL.Query()
272 realmName := query.Get("realm")
273 appName := query.Get("name")
274 roleName := query.Get("role")
275 methodName := query.Get("method")
276 inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Role: roleName, Method: methodName}
278 clientset := connectToK8s()
279 _, err := createGateway(clientset)
282 fmt.Println(err.Error())
284 _, err := createVirtualService(clientset)
287 fmt.Println(err.Error())
289 _, err := createRequestAuthentication(clientset)
292 fmt.Println(err.Error())
294 _, err := createAuthorizationPolicy(clientset)
297 fmt.Println(err.Error())
299 msg = "Istio rapp security setup successfully"
305 // create response binary data
306 data := []byte(msg) // slice of bytes
307 // write `data` to response
311 func createIstioFilter(res http.ResponseWriter, req *http.Request) {
312 query := req.URL.Query()
313 realmName := query.Get("realm")
314 clientId := query.Get("client")
315 appName := query.Get("name")
316 authType := query.Get("authType")
317 tlsCrt := query.Get("tlsCrt")
318 tlsKey := query.Get("tlsKey")
319 caCrt := query.Get("caCrt")
320 inputs = TemplateConfig{Name: appName, Namespace: NAMESPACE, Realm: realmName, Client: clientId,
321 Authenticator: authType, TlsCrt: tlsCrt, TlsKey: tlsKey, CaCrt: caCrt}
323 clientset := connectToK8s()
324 _, err := createEnvoyFilter(clientset)
327 fmt.Println(err.Error())
329 // create response binary data
330 data := []byte(msg) // slice of bytes
331 // write `data` to response
335 func removeIstioPolicy(res http.ResponseWriter, req *http.Request) {
336 query := req.URL.Query()
337 appName = query.Get("name")
338 clientset := connectToK8s()
339 removeAuthorizationPolicy(clientset)
340 removeRequestAuthentication(clientset)
341 removeVirtualService(clientset)
342 removeGateway(clientset)
345 func removeIstioFilter(res http.ResponseWriter, req *http.Request) {
346 query := req.URL.Query()
347 appName = query.Get("name")
348 clientset := connectToK8s()
349 removeEnvoyFilter(clientset)
353 createIstioPolicyHandler := http.HandlerFunc(createIstioPolicy)
354 http.Handle("/create-policy", createIstioPolicyHandler)
355 removeIstioPolicyHandler := http.HandlerFunc(removeIstioPolicy)
356 http.Handle("/remove-policy", removeIstioPolicyHandler)
357 createIstioFilterHandler := http.HandlerFunc(createIstioFilter)
358 http.Handle("/create-filter", createIstioFilterHandler)
359 removeIstioFilterHandler := http.HandlerFunc(removeIstioFilter)
360 http.Handle("/remove-filter", removeIstioFilterHandler)
361 http.ListenAndServe(":9000", nil)