fix: route propagation

Peter 2025-02-03 15:51:00 +01:00
parent 8066c34eb5
commit 6c61adb1c7
Signed by: prskr
GPG key ID: F56BED6903BC5E37
5 changed files with 45 additions and 50 deletions


@ -135,7 +135,7 @@ func (cp *controlPlane) Run(ctx context.Context, logger logr.Logger) error {
} }
cacheLoggerInst := cacheLogger(logger.WithName("envoy-snapshot-cache")) cacheLoggerInst := cacheLogger(logger.WithName("envoy-snapshot-cache"))
envoySnapshotCache := cachev3.NewSnapshotCache(true, cachev3.IDHash{}, cacheLoggerInst) envoySnapshotCache := cachev3.NewSnapshotCache(false, cachev3.IDHash{}, cacheLoggerInst)
serverCert, err := cp.ensureControlPlaneTlsCert(ctx, bootstrapClient) serverCert, err := cp.ensureControlPlaneTlsCert(ctx, bootstrapClient)
if err != nil { if err != nil {
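Review bot: The switch to `cachev3.NewSnapshotCache(false, …)` on the envoySnapshotCache line disables the cache's ADS mode with no comment saying why, and the commit message only says "route propagation". In go-control-plane the ads flag delays a streaming response until every resource named in the request is present in the snapshot, which would plausibly explain routes never reaching Envoy; with it off, each xDS watch is answered independently, so the Envoy bootstrap must not depend on ADS ordering (CDS before EDS, LDS before RDS) — confirm against the bootstrap template. Pin the decision in code so the next reader does not flip it back: `// ads=false: answer each xDS watch on its own; with ADS ordering enabled, route responses were withheld until all referenced resources existed (see "fix: route propagation")`. Run's body starts and ends outside this hunk.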


@ -68,7 +68,7 @@ var _ = Describe("Storage Controller", func() {
}) })
It("should successfully reconcile the resource", func() { It("should successfully reconcile the resource", func() {
By("Reconciling the created resource") By("Reconciling the created resource")
controllerReconciler := &StorageReconciler{ controllerReconciler := &StorageApiReconciler{
Client: k8sClient, Client: k8sClient,
Scheme: k8sClient.Scheme(), Scheme: k8sClient.Scheme(),
} }


@ -21,7 +21,6 @@ import (
"fmt" "fmt"
"strconv" "strconv"
"strings" "strings"
"sync/atomic"
"time" "time"
cachev3 "github.com/envoyproxy/go-control-plane/pkg/cache/v3" cachev3 "github.com/envoyproxy/go-control-plane/pkg/cache/v3"
@ -45,7 +44,6 @@ import (
// APIGatewayReconciler reconciles a APIGateway object // APIGatewayReconciler reconciles a APIGateway object
type APIGatewayReconciler struct { type APIGatewayReconciler struct {
initialReconciliation atomic.Bool
client.Client client.Client
Scheme *runtime.Scheme Scheme *runtime.Scheme
Cache cachev3.SnapshotCache Cache cachev3.SnapshotCache


@ -148,12 +148,6 @@ func RBACAllowAllConfig() *rbacv3.RBAC {
} }
func RBACRequireAuthConfig() *rbacv3.RBAC { func RBACRequireAuthConfig() *rbacv3.RBAC {
/*
Identifier: &rbacv3cfg.Principal_SourcedMetadata{
SourcedMetadata: &rbacv3cfg.SourcedMetadata{
MetadataSource: rbacv3cfg.MetadataSource_DYNAMIC,
MetadataMatcher: &matcherv3.MetadataMatcher{
*/
return &rbacv3.RBAC{ return &rbacv3.RBAC{
Rules: &rbacv3cfg.RBAC{ Rules: &rbacv3cfg.RBAC{
Action: rbacv3cfg.RBAC_ALLOW, Action: rbacv3cfg.RBAC_ALLOW,
@ -167,48 +161,51 @@ func RBACRequireAuthConfig() *rbacv3.RBAC {
OrIds: &rbacv3cfg.Principal_Set{ OrIds: &rbacv3cfg.Principal_Set{
Ids: []*rbacv3cfg.Principal{ Ids: []*rbacv3cfg.Principal{
{ {
Identifier: &rbacv3cfg.Principal_Metadata{ Identifier: &rbacv3cfg.Principal_SourcedMetadata{
Metadata: &matcherv3.MetadataMatcher{ SourcedMetadata: &rbacv3cfg.SourcedMetadata{
Filter: FilterNameJwtAuthn, MetadataSource: rbacv3cfg.MetadataSource_DYNAMIC,
Path: []*matcherv3.MetadataMatcher_PathSegment{ MetadataMatcher: &matcherv3.MetadataMatcher{
{ Filter: FilterNameJwtAuthn,
Segment: &matcherv3.MetadataMatcher_PathSegment_Key{ Path: []*matcherv3.MetadataMatcher_PathSegment{
Key: "jwt_payload", {
Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
Key: "jwt_payload",
},
},
{
Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
Key: "role",
},
}, },
}, },
{ Value: &matcherv3.ValueMatcher{
Segment: &matcherv3.MetadataMatcher_PathSegment_Key{ MatchPattern: &matcherv3.ValueMatcher_OrMatch{
Key: "role", OrMatch: &matcherv3.OrMatcher{
}, ValueMatchers: []*matcherv3.ValueMatcher{
}, {
}, MatchPattern: &matcherv3.ValueMatcher_StringMatch{
Value: &matcherv3.ValueMatcher{ StringMatch: &matcherv3.StringMatcher{
MatchPattern: &matcherv3.ValueMatcher_OrMatch{ MatchPattern: &matcherv3.StringMatcher_Exact{
OrMatch: &matcherv3.OrMatcher{ Exact: "anon",
ValueMatchers: []*matcherv3.ValueMatcher{ },
{
MatchPattern: &matcherv3.ValueMatcher_StringMatch{
StringMatch: &matcherv3.StringMatcher{
MatchPattern: &matcherv3.StringMatcher_Exact{
Exact: "anon",
}, },
}, },
}, },
}, {
{ MatchPattern: &matcherv3.ValueMatcher_StringMatch{
MatchPattern: &matcherv3.ValueMatcher_StringMatch{ StringMatch: &matcherv3.StringMatcher{
StringMatch: &matcherv3.StringMatcher{ MatchPattern: &matcherv3.StringMatcher_Exact{
MatchPattern: &matcherv3.StringMatcher_Exact{ Exact: "authenticated",
Exact: "authenticated", },
}, },
}, },
}, },
}, {
{ MatchPattern: &matcherv3.ValueMatcher_StringMatch{
MatchPattern: &matcherv3.ValueMatcher_StringMatch{ StringMatch: &matcherv3.StringMatcher{
StringMatch: &matcherv3.StringMatcher{ MatchPattern: &matcherv3.StringMatcher_Exact{
MatchPattern: &matcherv3.StringMatcher_Exact{ Exact: "admin",
Exact: "admin", },
}, },
}, },
}, },
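Review bot: The new `Principal_SourcedMetadata` principal with `MetadataSource_DYNAMIC` now reads `jwt_payload` → `role` from dynamic metadata written by the filter named `FilterNameJwtAuthn`, so this policy silently depends on the jwt_authn filter being configured to emit its payload under exactly that key — nothing in the hunk states that coupling, and a mismatch would make every request hit the ALLOW policy's implicit deny. A policy named RequireAuth that also accepts the role `anon` (the first OrMatch entry on the new side) reads as contradicting its own name; if anonymous tokens are deliberately accepted, say so where the function is declared. A doc comment along the lines of `// RBACRequireAuthConfig allows only requests whose JWT, as stored by the jwt_authn filter in dynamic metadata under "jwt_payload", carries a role of anon, authenticated or admin; everything else is denied by the ALLOW-action default.` would cover both points. RBACRequireAuthConfig's body continues past the end of this hunk.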


@ -156,7 +156,7 @@ func (s *EnvoyServices) snapshot(ctx context.Context, instance, version string)
}, },
}} }}
if studioListener := s.studioListener(); studioListener != nil { if studioListener := s.studioListener(instance); studioListener != nil {
listeners = append(listeners, studioListener) listeners = append(listeners, studioListener)
} }
@ -176,7 +176,7 @@ func (s *EnvoyServices) snapshot(ctx context.Context, instance, version string)
)...) )...)
if oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2(); oauth2Spec != nil { if oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2(); oauth2Spec != nil {
if oauth2TokenEndpointCluster, err := s.oauth2TokenEndpointCluster(); err != nil { if oauth2TokenEndpointCluster, err := s.oauth2TokenEndpointCluster(instance); err != nil {
return nil, nil, err return nil, nil, err
} else { } else {
clusters = append(clusters, oauth2TokenEndpointCluster) clusters = append(clusters, oauth2TokenEndpointCluster)
@ -350,7 +350,7 @@ func (s *EnvoyServices) apiRouteConfiguration(instance string) *routev3.RouteCon
} }
} }
func (s *EnvoyServices) studioListener() *listenerv3.Listener { func (s *EnvoyServices) studioListener(instance string) *listenerv3.Listener {
if s.Studio == nil { if s.Studio == nil {
return nil return nil
} }
@ -367,7 +367,7 @@ func (s *EnvoyServices) studioListener() *listenerv3.Listener {
Config: &oauth2v3.OAuth2Config{ Config: &oauth2v3.OAuth2Config{
TokenEndpoint: &corev3.HttpUri{ TokenEndpoint: &corev3.HttpUri{
HttpUpstreamType: &corev3.HttpUri_Cluster{ HttpUpstreamType: &corev3.HttpUri_Cluster{
Cluster: dashboardOAuth2ClusterName, Cluster: fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
}, },
Uri: s.Gateway.Spec.DashboardEndpoint.Auth.OAuth2.TokenEndpoint, Uri: s.Gateway.Spec.DashboardEndpoint.Auth.OAuth2.TokenEndpoint,
Timeout: durationpb.New(3 * time.Second), Timeout: durationpb.New(3 * time.Second),
@ -493,7 +493,7 @@ func (s *EnvoyServices) studioRoute(instance string) *routev3.RouteConfiguration
} }
} }
func (s *EnvoyServices) oauth2TokenEndpointCluster() (*clusterv3.Cluster, error) { func (s *EnvoyServices) oauth2TokenEndpointCluster(instance string) (*clusterv3.Cluster, error) {
oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2() oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2()
parsedTokenEndpoint, err := url.Parse(oauth2Spec.TokenEndpoint) parsedTokenEndpoint, err := url.Parse(oauth2Spec.TokenEndpoint)
if err != nil { if err != nil {
@ -523,7 +523,7 @@ func (s *EnvoyServices) oauth2TokenEndpointCluster() (*clusterv3.Cluster, error)
} }
cluster := &clusterv3.Cluster{ cluster := &clusterv3.Cluster{
Name: dashboardOAuth2ClusterName, Name: fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
ConnectTimeout: durationpb.New(3 * time.Second), ConnectTimeout: durationpb.New(3 * time.Second),
ClusterDiscoveryType: &clusterv3.Cluster_Type{ ClusterDiscoveryType: &clusterv3.Cluster_Type{
Type: clusterv3.Cluster_LOGICAL_DNS, Type: clusterv3.Cluster_LOGICAL_DNS,
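Review bot: The per-instance cluster name `fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance)` is now built twice — once in studioListener for the OAuth2 `TokenEndpoint` cluster reference and once in oauth2TokenEndpointCluster for `Name` — and the listener only routes correctly while both strings stay byte-identical. Derive both from one helper so they cannot drift: `func dashboardOAuth2ClusterNameFor(instance string) string { return dashboardOAuth2ClusterName + "@" + instance }` and use it at both sites. Presumably `instance` is a Kubernetes object name and so cannot contain `@`, which keeps the separator unambiguous; worth confirming where instance is derived, since that is outside these hunks. Both functions' bodies continue outside the hunks shown.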