feat: create project level authorino authconfig

* Setup namespace annotations for gatewway/host information used by this namesapce
* Generate host pattern based on openshift ingress configs AppDomain
* Generate a default AuthConfig file using ServiceAccounts TokenReview process as auth
* Rely on endpoint in `osh-model-controller` for anonymous access support

releated-to: #58

config/crd/external/authorino.kuadrant.io_authconfigs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.12.1
   name: authconfigs.authorino.kuadrant.io
 spec:
   group: authorino.kuadrant.io

config/crd/external/route.openshift.io_routes.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.12.1
   name: routes.route.openshift.io
 spec:
   group: route.openshift.io

config/rbac/role.yaml

@@ -27,6 +27,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - maistra.io
   resources:

controllers/enable_authorino.go

@@ -20,7 +20,9 @@ type reconcileFunc func(ctx context.Context, namespace *v1.Namespace) error
 func (r *OpenshiftServiceMeshReconciler) reconcileAuthConfig(ctx context.Context, namespace *v1.Namespace) error {
 	log := r.Log.WithValues("feature", "authorino", "namespace", namespace.Name)
 
-	desiredAuthConfig, err := r.createAuthConfig(namespace, namespace.ObjectMeta.Annotations[AnnotationPublicGatewayExternalHost])
+	desiredAuthConfig, err := r.createAuthConfig(namespace,
+		namespace.ObjectMeta.Annotations[AnnotationProjectModelGatewayHostPatternExternal],
+		namespace.ObjectMeta.Annotations[AnnotationProjectModelGatewayHostPatternInternal])
 	if err != nil {
 		log.Error(err, "Failed creating AuthConfig object")
 
@@ -103,16 +105,7 @@ func (r *OpenshiftServiceMeshReconciler) createAuthConfig(namespace *v1.Namespac
 
 	authConfig.Labels[keyValue[0]] = keyValue[1]
 	authConfig.Spec.Hosts = authHosts
-
-	// Reflects oauth-proxy SAR settings
-	authConfig.Spec.Authorization[0].KubernetesAuthz.ResourceAttributes = &authorino.Authorization_KubernetesAuthz_ResourceAttributes{ //nolint:nosnakecase //reason external library
-		Namespace: authorino.StaticOrDynamicValue{Value: namespace.Name},
-		Group:     authorino.StaticOrDynamicValue{Value: "kubeflow.org"},
-		Resource:  authorino.StaticOrDynamicValue{Value: "notebooks"},
-		Verb:      authorino.StaticOrDynamicValue{Value: "get"},
-	}
-
-	authConfig.Spec.Identity[0].KubernetesAuth.Audiences = getAuthAudience()
+	authConfig.Spec.Identity[0].KubernetesAuth.Audiences = []string{namespace.Name + "-api"}
 
 	return authConfig, nil
 }

controllers/enable_mesh.go

@@ -5,6 +5,7 @@ import (
 	"reflect"
 	"strconv"
 
+	configv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	"github.com/pkg/errors"
 	v1 "k8s.io/api/core/v1"
@@ -120,8 +121,6 @@ func (r *OpenshiftServiceMeshReconciler) findIstioIngress(ctx context.Context) (
 		LabelSelector: labels.SelectorFromSet(labels.Set{"app": "odh-dashboard"}),
 		Namespace:     meshNamespace,
 	}); err != nil {
-		r.Log.Error(err, "Unable to find matching gateway")
-
 		return routev1.RouteList{}, errors.Wrap(err, "unable to find matching gateway")
 	}
 
@@ -136,3 +135,18 @@ func (r *OpenshiftServiceMeshReconciler) findIstioIngress(ctx context.Context) (
 
 	return routes, nil
 }
+
+func (r *OpenshiftServiceMeshReconciler) findAppDomain(ctx context.Context) (string, error) {
+	ingress := configv1.Ingress{}
+
+	err := r.Client.Get(ctx, types.NamespacedName{Name: "cluster"}, &ingress)
+	if err != nil {
+		return "", errors.Wrap(err, "unable to find matching ingress config cluster")
+	}
+
+	if ingress.Spec.AppsDomain != "" {
+		return ingress.Spec.AppsDomain, nil
+	}
+
+	return ingress.Spec.Domain, nil
+}

controllers/init.go

@@ -2,6 +2,7 @@ package controllers
 
 import (
 	authorino "github.com/kuadrant/authorino/api/v1beta1"
+	configv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -14,5 +15,6 @@ func RegisterSchemes(s *runtime.Scheme) {
 	utilruntime.Must(clientgoscheme.AddToScheme(s))
 	utilruntime.Must(maistrav1.AddToScheme(s))
 	utilruntime.Must(routev1.Install(s))
+	utilruntime.Must(configv1.Install(s))
 	utilruntime.Must(authorino.AddToScheme(s))
 }

controllers/mesh_env_config.go

@@ -33,17 +33,6 @@ func getAuthorinoLabel() ([]string, error) {
 	return keyValue, nil
 }
 
-func getAuthAudience() []string {
-	aud := getEnvOr(AuthAudience, "https://kubernetes.default.svc")
-	audiences := strings.Split(aud, ",")
-
-	for i := range audiences {
-		audiences[i] = strings.TrimSpace(audiences[i])
-	}
-
-	return audiences
-}
-
 func getEnvOr(key, defaultValue string) string {
 	if env, defined := os.LookupEnv(key); defined {
 		return env

controllers/metadata_const.go

@@ -1,10 +1,12 @@
 package controllers
 
 const (
-	AnnotationServiceMesh               = "opendatahub.io/service-mesh"
-	AnnotationPublicGatewayName         = "service-mesh.opendatahub.io/public-gateway-name"
-	AnnotationPublicGatewayExternalHost = "service-mesh.opendatahub.io/public-gateway-host-external"
-	AnnotationPublicGatewayInternalHost = "service-mesh.opendatahub.io/public-gateway-host-internal"
-	LabelMaistraGatewayName             = "maistra.io/gateway-name"
-	LabelMaistraGatewayNamespace        = "maistra.io/gateway-namespace"
+	AnnotationServiceMesh                            = "opendatahub.io/service-mesh"
+	AnnotationPublicGatewayName                      = "service-mesh.opendatahub.io/public-gateway-name"
+	AnnotationPublicGatewayExternalHost              = "service-mesh.opendatahub.io/public-gateway-host-external"
+	AnnotationPublicGatewayInternalHost              = "service-mesh.opendatahub.io/public-gateway-host-internal"
+	AnnotationProjectModelGatewayHostPatternExternal = "service-mesh.opendatahub.io/model-gateway-hostpattern-external"
+	AnnotationProjectModelGatewayHostPatternInternal = "service-mesh.opendatahub.io/model-gateway-hostpattern-internal"
+	LabelMaistraGatewayName                          = "maistra.io/gateway-name"
+	LabelMaistraGatewayNamespace                     = "maistra.io/gateway-namespace"
 )

controllers/namespace_updater.go

@@ -12,7 +12,9 @@ import (
 func (r *OpenshiftServiceMeshReconciler) addGatewayAnnotations(ctx context.Context, namespace *v1.Namespace) error {
 	if namespace.ObjectMeta.Annotations[AnnotationPublicGatewayExternalHost] != "" &&
 		namespace.ObjectMeta.Annotations[AnnotationPublicGatewayInternalHost] != "" &&
-		namespace.ObjectMeta.Annotations[AnnotationPublicGatewayName] != "" {
+		namespace.ObjectMeta.Annotations[AnnotationPublicGatewayName] != "" &&
+		namespace.ObjectMeta.Annotations[AnnotationProjectModelGatewayHostPatternExternal] != "" &&
+		namespace.ObjectMeta.Annotations[AnnotationProjectModelGatewayHostPatternInternal] != "" {
 		// If annotation is present we have nothing to do
 		return nil
 	}
@@ -24,9 +26,19 @@ func (r *OpenshiftServiceMeshReconciler) addGatewayAnnotations(ctx context.Conte
 		return err
 	}
 
+	appDomain, err := r.findAppDomain(ctx)
+	if err != nil {
+		r.Log.Error(err, "unable to find app domain")
+
+		return err
+	}
+
 	namespace.ObjectMeta.Annotations[AnnotationPublicGatewayExternalHost] = ExtractHostName(routes.Items[0].Spec.Host)
 	namespace.ObjectMeta.Annotations[AnnotationPublicGatewayInternalHost] = fmt.Sprintf("%s.%s.svc.cluster.local", routes.Items[0].Spec.To.Name, getMeshNamespace())
 
+	namespace.ObjectMeta.Annotations[AnnotationProjectModelGatewayHostPatternExternal] = fmt.Sprintf("*.%s.%s", namespace.Name, appDomain)
+	namespace.ObjectMeta.Annotations[AnnotationProjectModelGatewayHostPatternInternal] = fmt.Sprintf("*.%s.svc.cluster.local", namespace.Name)
+
 	gateway := extractGateway(routes.Items[0].ObjectMeta)
 	if gateway != "" {
 		namespace.ObjectMeta.Annotations[AnnotationPublicGatewayName] = gateway

controllers/project_mesh_controller.go

@@ -28,6 +28,7 @@ type OpenshiftServiceMeshReconciler struct {
 // +kubebuilder:rbac:groups=maistra.io,resources=servicemeshcontrolplanes,verbs=get;list;watch;create;update;patch;use
 // +kubebuilder:rbac:groups=maistra.io,resources=servicemeshcontrolplanes,verbs=get;list;watch;create;update;patch;use
 // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch
+// +kubebuilder:rbac:groups=config.openshift.io,resources=ingresses,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch
 
 // Reconcile ensures that the namespace has all required resources needed to be part of the Service Mesh of Open Data Hub.

controllers/project_mesh_controller_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/opendatahub-io/odh-project-controller/test"
 	. "github.com/opendatahub-io/odh-project-controller/test/cluster"
 	"github.com/opendatahub-io/odh-project-controller/test/labels"
+	configv1 "github.com/openshift/api/config/v1"
 	openshiftv1 "github.com/openshift/api/route/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -33,6 +34,7 @@ var _ = When("Namespace is created", Label(labels.EnvTest), func() {
 		testNs *corev1.Namespace
 		objectCleaner *Cleaner
 		route         *openshiftv1.Route
+		ingressConfig *configv1.Ingress
 	)
 
 	BeforeEach(func() {
@@ -62,13 +64,23 @@ var _ = When("Namespace is created", Label(labels.EnvTest), func() {
 				},
 			},
 		}
+		ingressConfig = &configv1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "cluster",
+			},
+			Spec: configv1.IngressSpec{
+				Domain:     "test.io",
+				AppsDomain: "apps.test.io",
+			},
+		}
 
 		Expect(cli.Create(context.Background(), istioNs)).To(Succeed())
 		Expect(cli.Create(context.Background(), route)).To(Succeed())
+		Expect(cli.Create(context.Background(), ingressConfig)).To(Succeed())
 	})
 
 	AfterEach(func() {
-		objectCleaner.DeleteAll(istioNs, route, testNs)
+		objectCleaner.DeleteAll(istioNs, ingressConfig, route, testNs)
 	})
 
 	Context("enabling service mesh", func() {
@@ -260,8 +272,6 @@ var _ = When("Namespace is created", Label(labels.EnvTest), func() {
 			// when
 			_ = os.Setenv(controllers.AuthorinoLabelSelector, "app=rhods")
 			defer os.Unsetenv(controllers.AuthorinoLabelSelector)
-			_ = os.Setenv(controllers.AuthAudience, "opendatahub.io,foo , bar")
-			defer os.Unsetenv(controllers.AuthAudience)
 
 			Expect(cli.Create(context.Background(), testNs)).To(Succeed())
 
@@ -285,8 +295,6 @@ var _ = When("Namespace is created", Label(labels.EnvTest), func() {
 				Expect(actualAuthConfig.Name).To(Equal(testNs.GetName() + "-protection"))
 				Expect(actualAuthConfig.Labels).To(HaveKeyWithValue("app", "rhods"))
 				Expect(actualAuthConfig.Spec.Hosts).To(Equal(expectedAuthConfig.Spec.Hosts))
-				Expect(actualAuthConfig.Spec.Identity[0].KubernetesAuth.Audiences).
-					To(And(HaveLen(3), ContainElements("opendatahub.io", "foo", "bar")))
 			})
 		})
 

controllers/template/authconfig.yaml

@@ -1,33 +1,74 @@
 apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
-  name: odh-dashboard-protection
+  name: $ODH_NS-protection
   namespace: $ODH_NS
   labels:
     authorino/topic: odh
 spec:
   hosts:
-    - "${ODH_ROUTE}"
+  - "${ODH_ROUTE}"
   identity:
-    - name: kubernetes-users
-      kubernetes:
-        audiences:
-          - "https://kubernetes.default.svc"
+  - name: authorized-service-accounts
+    kubernetes:
+      audiences:
+      - $ODH_NS-api
+  - name: anonymous-grpc
+    priority: 1
+    anonymous: {}
+    when:
+    - selector: context.request.http.headers.mm-vmodel-id
+      operator: matches
+      value: .+
+    extendedProperties:
+    - name: modelid
+      valueFrom:
+        authJSON: context.request.http.headers.mm-vmodel-id
+  - name: anonymous-http
+    priority: 1
+    anonymous: {}
+    when:
+    - selector: context.request.http.headers.mm-vmodel-id
+      operator: matches
+      value: ^$
+    extendedProperties:
+    - name: modelid
+      valueFrom:
+        authJSON: context.request.http.path.@extract:{"sep":"/","pos":2}
+  metadata:
+  - name: access
+    http:
+      endpoint: http://odh-model-controller-metrics-service.opendatahub.svc.cluster.local:8080/model/?ns={context.request.http.host.@extract:{"sep":".","pos":0}}&modelid={auth.identity.modelid}
+    #cache:
+    #  key:
+    #    valueFrom:
+    #      authJSON: {context.request.http.host.@extract:{"sep":".","pos":0}}-{auth.identity.modelid}
+    #  ttl: 300
+    when:
+    - selector: auth.identity.anonymous
+      operator: eq
+      value: "true"
   authorization:
-    - name: k8s-rbac
-      kubernetes:
-        user:
-          valueFrom: { authJSON: auth.identity.username }
-  response:
-    - name: x-auth-data
+    - name: anonymous
+      when:
+      - selector: auth.identity.anonymous
+        operator: eq
+        value: "true"
       json:
-        properties:
-          - name: username
-            valueFrom: { authJSON: auth.identity.username }
+        rules:
+        - selector: auth.metadata.access.anonymous
+          operator: eq
+          value: "true"
   denyWith:
     unauthenticated:
-      message:
-        value: "Access denied"
+      code: 302
+      headers:
+      - name: Location
+        valueFrom:
+          authJSON: http://some-service?redirect_to={context.request.http.path}
     unauthorized:
-      message:
-        value: "Unauthorized"
+      code: 403
+      headers:
+      - name: Location
+        valueFrom:
+          authJSON: http://some-service?redirect_to={context.request.http.path}