@tkan145 tkan145 commented Aug 19, 2025

What

Close #1078

Fix:

Verification steps:

  • Checkout this branch
  • Prepare local env
make cluster/prepare/local
  • Install APIM
export NAMESPACE=3scale-test

cat << EOF | oc create -f -
kind: Secret
apiVersion: v1
metadata:
  name: s3-credentials
  namespace: $NAMESPACE
data:
  AWS_ACCESS_KEY_ID: c29tZXRoaW5nCg==
  AWS_BUCKET: c29tZXRoaW5nCg==
  AWS_REGION: dXMtd2VzdC0xCg==
  AWS_SECRET_ACCESS_KEY: c29tZXRoaW5nCg==
type: Opaque
EOF

DOMAIN=$(oc get routes console -n openshift-console -o json | jq -r '.status.ingress[0].routerCanonicalHostname' | sed 's/router-default.//')
cat << EOF | oc create -f -
kind: APIManager
apiVersion: apps.3scale.net/v1alpha1
metadata:
  name: 3scale
  namespace: $NAMESPACE
spec:
  wildcardDomain: $DOMAIN
  system:
    fileStorage:
      simpleStorageService:
        configurationSecretRef:
          name: s3-credentials
  externalComponents:
    backend:
      redis: true
    system:
      database: true
      redis: true
EOF
  • Start the operator and wait for all pods to come online
  • Open another terminal and set up the product
DOMAIN=$(oc get routes console -n openshift-console -o json | jq -r '.status.ingress[0].routerCanonicalHostname' | sed 's/router-default.//')
ADMIN_ACCESS_TOKEN=$(oc get secret system-seed -n 3scale-test -o jsonpath="{.data.ADMIN_ACCESS_TOKEN}"| base64 --decode)

cat << EOF |oc apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: mytenant
type: Opaque
stringData:
  adminURL: https://3scale-admin.$DOMAIN
  token: $ADMIN_ACCESS_TOKEN
---
apiVersion: v1
kind: Secret
metadata:
  name: myusername01
stringData:
  password: "123456"
EOF

cat << EOF | oc apply -f -
---
apiVersion: capabilities.3scale.net/v1beta1
kind: DeveloperUser
metadata:
  name: developeruser01
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  developerAccountRef:
    name: developeraccount01
  email: [email protected]
  passwordCredentialsRef:
    name: myusername01
  providerAccountRef:
    name: mytenant
  role: admin
  username: myusername01
EOF

sleep 30

cat << EOF | oc apply -f -
---
apiVersion: capabilities.3scale.net/v1beta1
kind: DeveloperAccount
metadata:
  name: developeraccount01
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  orgName: 3scale-test
  providerAccountRef:
    name: mytenant
EOF

cat << EOF | oc apply -f -
---
apiVersion: capabilities.3scale.net/v1beta1
kind: Backend
metadata:
  name: backend1-cr
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  mappingRules:
    - httpMethod: GET
      increment: 1
      last: true
      metricMethodRef: hits
      pattern: /
    - httpMethod: POST
      pattern : "/"
      metricMethodRef: hits
      increment: 1    
  name: backend1
  privateBaseURL: 'http://httpbin.httpbin.svc:8080'
  systemName: backend1
EOF

cat << EOF | oc apply -f -
---
apiVersion: capabilities.3scale.net/v1beta1
kind: Product
metadata:
  name: product1-cr
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  applicationPlans:
    plan01:
      name: "My Plan 01"
  deployment:
    apicastHosted:
      authentication:
        userkey:
          authUserKey: token
  name: product1
  backendUsages:
    backend1:
      path: /
  mappingRules:
    - httpMethod: GET
      pattern : "/"
      metricMethodRef: hits
      increment: 1
    - httpMethod: POST
      pattern : "/"
      metricMethodRef: hits
      increment: 1    
EOF

cat << EOF | oc apply -f -
---
apiVersion: capabilities.3scale.net/v1beta1
kind: Application
metadata:
  name: application-cr
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  accountCR: 
    name: developeraccount01
  applicationPlanName: plan01
  productCR: 
    name: product1-cr
  name: testApp
  description: further testing
EOF

cat << EOF | oc apply -f -
---
apiVersion: capabilities.3scale.net/v1beta1
kind: ProxyConfigPromote
metadata:
  name: product1-v1-production
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  productCRName: product1-cr
  production: true
  deleteCR: true
EOF

sleep 30
echo Product Route: 
echo "https://$(oc get routes | grep product1 |grep production| awk '{print $2}')" 
echo
echo User_key: 
echo $(curl -s -X 'GET' "https://3scale-admin.$DOMAIN/admin/api/applications.xml?access_token=$ADMIN_ACCESS_TOKEN&page=1&per_page=500&service_id=3" -H 'accept: */*' | grep -oP '<user_key>\K[^<]+' | sed 's/\s//g')

NOTE: user_key is set to a custom field called token

  • Prepare ApplicationAuth CR
cat << EOF | oc create -f -
kind: Secret
apiVersion: v1
metadata:
  name: auth-secret
  namespace: 3scale-test
data:
  ApplicationID: ''
  ApplicationKey: ''
  UserKey: >-
    dGVzdGtleQo=
type: Opaque
EOF

oc apply -f - <<EOF
---
apiVersion: capabilities.3scale.net/v1beta1
kind: ApplicationAuth
metadata:
  name: applicationauthcr1
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  applicationCRName: application-cr 
  generateSecret: true
  authSecretRef: 
     name: auth-secret-unknown
EOF
  • Check ApplicationAuth CR, you should see the
{
    "lastTransitionTime": "2025-09-01T07:00:46Z",
    "message": "Secret \"auth-secret-unknown\" not found",
    "status": "True",
    "type": "Failed"
},
  • Update ApplicationAuth to use correct secret
oc apply -f - <<EOF
---
apiVersion: capabilities.3scale.net/v1beta1
kind: ApplicationAuth
metadata:
  name: applicationauthcr1
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  applicationCRName: application-cr 
  generateSecret: true
  authSecretRef: 
     name: auth-secret
EOF
  • This time it should reconcile successfully
{
    "lastTransitionTime": "2025-09-01T07:03:14Z",
    "message": "Application authentication has been successfully pushed, any further interactions with this CR will not be applied",
    "status": "True",
    "type": "Ready"
}
  • Log in to the admin portal and navigate to
Products -> product1 -> Integration -> Settings 

Under API Key (user_key) Basics you shall see Auth user key is set to token

  • Now navigate to
Products -> product1 -> Application -> listing -> testApp

you should see User Key is set to testkey

  • Update auth-secret and set UserKey to testkey2
  • Delete ApplicationAuth CR
  • Recreate ApplicationAuth CR
oc apply -f - <<EOF
---
apiVersion: capabilities.3scale.net/v1beta1
kind: ApplicationAuth
metadata:
  name: applicationauthcr1
  namespace: 3scale-test
  annotations:
    "insecure_skip_verify": "true"
spec:
  applicationCRName: application-cr 
  generateSecret: true
  authSecretRef: 
     name: auth-secret
EOF
  • Once the CR is ready, the user_key in the admin portal should be updated to testkey2
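
The base64 values in the Secrets above (`c29tZXRoaW5nCg==`, `dXMtd2VzdC0xCg==`, `dGVzdGtleQo=`) each decode to a string ending in a newline, which is what `echo value | base64` produces. As an added example that is not part of the original PR, the shell function below lints a Secret manifest for such values before it is applied; `sample_manifest`, `check_secret_data` and the `CleanKey` entry are names assumed here.

```shell
#!/bin/sh
# Added example (not from the PR). Flags Secret `data:` values whose decoded
# bytes end in whitespace. Assumes GNU coreutils `base64 -d` and a simple
# manifest: one "key: value" per line, or a ">-" folded value on the next line.

# Constructed sample: AWS_REGION and UserKey values are copied from the
# manifests above; CleanKey is constructed (base64 of "testkey", no newline).
sample_manifest() {
  cat <<'EOF'
kind: Secret
apiVersion: v1
metadata:
  name: auth-secret
data:
  ApplicationID: ''
  AWS_REGION: dXMtd2VzdC0xCg==
  UserKey: >-
    dGVzdGtleQo=
  CleanKey: dGVzdGtleQ==
type: Opaque
EOF
}

# Reads a manifest on stdin, prints "<key> <status>" per non-empty data key,
# and returns 1 if any value is not OK. Runs in a subshell to keep vars local.
check_secret_data() (
  in_data=0; rc=0
  while IFS= read -r line; do
    case "$line" in
      data:*) in_data=1; continue ;;
      [![:space:]]*) in_data=0 ;;          # next top-level key ends the block
    esac
    [ "$in_data" -eq 1 ] || continue
    key=$(printf '%s' "${line%%:*}" | tr -d ' ')
    val=$(printf '%s' "${line#*:}" | tr -d " '\"")
    if [ "$val" = ">-" ]; then IFS= read -r val; val=$(printf '%s' "$val" | tr -d ' '); fi
    [ -n "$val" ] || continue              # empty values are left alone
    if ! printf '%s' "$val" | base64 -d >/dev/null 2>&1; then
      status=INVALID_BASE64
    else
      # $(...) strips trailing newlines, so append a sentinel and remove it.
      decoded=$(printf '%s' "$val" | base64 -d; printf x); decoded=${decoded%x}
      case "$decoded" in *[[:space:]]) status=TRAILING_WHITESPACE ;; *) status=OK ;; esac
    fi
    [ "$status" = OK ] || rc=1
    printf '%s %s\n' "$key" "$status"
  done
  exit "$rc"
)

sample_manifest | check_secret_data || true
```

Encoding with `printf '%s' value | base64` instead of `echo` yields values that pass this check.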

openshift-ci bot commented Aug 19, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

briangallagher commented Aug 19, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

@tkan145 tkan145 force-pushed the THREESCALE-11884-application_auth-improve branch from ac974e4 to d5e1b22 Compare September 1, 2025 06:17
@tkan145 tkan145 force-pushed the THREESCALE-11884-application_auth-improve branch from d5e1b22 to 76a21f9 Compare September 1, 2025 07:23
@tkan145 tkan145 marked this pull request as ready for review September 1, 2025 07:23
@tkan145 tkan145 requested a review from a team as a code owner September 1, 2025 07:23
@tkan145 tkan145 changed the title [WIP] THREESCALE-11884 Improve ApplicationAuth CR THREESCALE-11884 - Fix unable to set ApplicationKey by ApplicationAuth CR when using OIDC auth Sep 1, 2025
@tkan145 tkan145 force-pushed the THREESCALE-11884-application_auth-improve branch from 76a21f9 to 27f62bf Compare September 1, 2025 07:25
Development

Successfully merging this pull request may close these issues.

ApplicationAuth controller is not able to update userkey of Application when product.Spec.AuthUserKey() != nil
