diff --git a/components/operator/api/formance.com/v1beta1/gateway_types.go b/components/operator/api/formance.com/v1beta1/gateway_types.go index ad8823b507..4f335658fd 100644 --- a/components/operator/api/formance.com/v1beta1/gateway_types.go +++ b/components/operator/api/formance.com/v1beta1/gateway_types.go @@ -60,9 +60,6 @@ type GatewayStatus struct { // Detected http apis. See [GatewayHTTPAPI](#gatewayhttpapi) //+optional SyncHTTPAPIs []string `json:"syncHTTPAPIs"` - // +kubebuilder:default:=false - // Indicates if a [Auth](#auth) module has been detected. - AuthEnabled bool `json:"authEnabled"` } //+kubebuilder:object:root=true @@ -70,7 +67,6 @@ type GatewayStatus struct { //+kubebuilder:resource:scope=Cluster //+kubebuilder:printcolumn:name="Stack",type=string,JSONPath=".spec.stack",description="Stack" //+kubebuilder:printcolumn:name="HTTP APIs",type=string,JSONPath=".status.syncHTTPAPIs",description="Synchronized http apis" -//+kubebuilder:printcolumn:name="Auth enabled",type=string,JSONPath=".status.authEnabled",description="Is authentication enabled" //+kubebuilder:printcolumn:name="Ready",type=string,JSONPath=".status.ready",description="Is ready" //+kubebuilder:printcolumn:name="Info",type=string,JSONPath=".status.info",description="Info" //+kubebuilder:metadata:labels=formance.com/kind=module diff --git a/components/operator/config/crd/bases/formance.com_gateways.yaml b/components/operator/config/crd/bases/formance.com_gateways.yaml index 53564169c1..e44cccb0ec 100644 --- a/components/operator/config/crd/bases/formance.com_gateways.yaml +++ b/components/operator/config/crd/bases/formance.com_gateways.yaml @@ -25,10 +25,6 @@ spec: jsonPath: .status.syncHTTPAPIs name: HTTP APIs type: string - - description: Is authentication enabled - jsonPath: .status.authEnabled - name: Auth enabled - type: string - description: Is ready jsonPath: .status.ready name: Ready 
@@ -119,10 +115,6 @@ spec: type: object status: properties: - authEnabled: - default: false - description: Indicates if a [Auth](#auth) module has been detected. - type: boolean conditions: items: description: "Condition contains details for one aspect of the current @@ -202,8 +194,6 @@ spec: items: type: string type: array - required: - - authEnabled type: object type: object served: true diff --git a/components/operator/docs/09-Configuration reference/02-Custom Resource Definitions.md b/components/operator/docs/09-Configuration reference/02-Custom Resource Definitions.md index 4589256071..77e3507616 100644 --- a/components/operator/docs/09-Configuration reference/02-Custom Resource Definitions.md +++ b/components/operator/docs/09-Configuration reference/02-Custom Resource Definitions.md @@ -731,7 +731,6 @@ Gateway is the Schema for the gateways API | `ready` _boolean_ | Ready indicates if the resource is seen as completely reconciled | | | | `info` _string_ | Info can contain any additional like reconciliation errors | | | | `syncHTTPAPIs` _string array_ | Detected http apis. See [GatewayHTTPAPI](#gatewayhttpapi) | | | -| `authEnabled` _boolean_ | Indicates if a [Auth](#auth) module has been detected. | false | | #### Ledger diff --git a/components/operator/helm/crds/templates/crds/apiextensions.k8s.io_v1_customresourcedefinition_gateways.formance.com.yaml b/components/operator/helm/crds/templates/crds/apiextensions.k8s.io_v1_customresourcedefinition_gateways.formance.com.yaml index 779fc73826..6211aa3243 100644 --- a/components/operator/helm/crds/templates/crds/apiextensions.k8s.io_v1_customresourcedefinition_gateways.formance.com.yaml +++ b/components/operator/helm/crds/templates/crds/apiextensions.k8s.io_v1_customresourcedefinition_gateways.formance.com.yaml 
@@ -25,10 +25,6 @@ spec: jsonPath: .status.syncHTTPAPIs name: HTTP APIs type: string - - description: Is authentication enabled - jsonPath: .status.authEnabled - name: Auth enabled - type: string - description: Is ready jsonPath: .status.ready name: Ready @@ -119,10 +115,6 @@ spec: type: object status: properties: - authEnabled: - default: false - description: Indicates if a [Auth](#auth) module has been detected. - type: boolean conditions: items: description: "Condition contains details for one aspect of the current @@ -202,8 +194,6 @@ spec: items: type: string type: array - required: - - authEnabled type: object type: object served: true diff --git a/components/operator/internal/resources/gateways/Caddyfile.gotpl b/components/operator/internal/resources/gateways/Caddyfile.gotpl index 0aafdef33a..9316309bd5 100644 --- a/components/operator/internal/resources/gateways/Caddyfile.gotpl +++ b/components/operator/internal/resources/gateways/Caddyfile.gotpl @@ -7,20 +7,6 @@ } } {{- $values := . }} -{{- if .Auth }} -(auth) { - auth { - issuer {{ .Auth.Issuer }} - - read_key_set_max_retries 10 - - {{- if .Auth.EnableScopes }} - check_scopes yes - service {args[0]} - {{- end }} - } -} -{{- end }} {{- if .EnableAudit }} (audit) { audit { @@ -58,9 +44,6 @@ # those directives are evaluated matters. So the jwtauth directive must be # ordered. # c.f. https://caddyserver.com/docs/caddyfile/directives#directive-order - {{- if .Auth }} - order auth before basicauth - {{- end }} order versions after metrics {{- if .EnableAudit }} order audit after encode @@ -92,9 +75,6 @@ {{- end }} uri strip_prefix /api/{{ $service.Name }} import cors - {{- if and (not $rule.Secured) $values.Auth }} - import auth {{ $service.Name }} - {{- end }} reverse_proxy {{ $service.Name }}:8080 { header_up Host {upstream_hostport} } diff --git a/components/operator/internal/resources/gateways/caddyfile.go b/components/operator/internal/resources/gateways/caddyfile.go index f3eec1d4ee..6ccc4bc9ab 100644 
--- a/components/operator/internal/resources/gateways/caddyfile.go +++ b/components/operator/internal/resources/gateways/caddyfile.go @@ -1,8 +1,6 @@ package gateways import ( - "fmt" - "github.com/formancehq/operator/api/formance.com/v1beta1" "github.com/formancehq/operator/internal/core" "github.com/formancehq/operator/internal/resources/caddy" @@ -10,7 +8,7 @@ import ( ) func CreateCaddyfile(ctx core.Context, stack *v1beta1.Stack, - gateway *v1beta1.Gateway, httpAPIs []*v1beta1.GatewayHTTPAPI, auth *v1beta1.Auth, broker *v1beta1.Broker) (string, error) { + gateway *v1beta1.Gateway, httpAPIs []*v1beta1.GatewayHTTPAPI, broker *v1beta1.Broker) (string, error) { data := map[string]any{ "Services": collectionutils.Map(httpAPIs, func(from *v1beta1.GatewayHTTPAPI) v1beta1.GatewayHTTPAPISpec { @@ -23,12 +21,6 @@ func CreateCaddyfile(ctx core.Context, stack *v1beta1.Stack, "Version": gateway.Spec.Version, }, } - if auth != nil { - data["Auth"] = map[string]any{ - "Issuer": fmt.Sprintf("%s/api/auth", URL(gateway)), - "EnableScopes": auth.Spec.EnableScopes, - } - } // TODO(gfyrag): Check if search is enabled if stack.Spec.EnableAudit && broker != nil { diff --git a/components/operator/internal/resources/gateways/configuration.go b/components/operator/internal/resources/gateways/configuration.go index d5bc6741aa..1173df6ab5 100644 --- a/components/operator/internal/resources/gateways/configuration.go +++ b/components/operator/internal/resources/gateways/configuration.go 
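Review bot: Dropping the `auth` parameter from CreateCaddyfile leaves nothing in this commit that replaces the JWT check the template used to emit, so every `/api/<service>` route the rendered Caddyfile reverse-proxies is now passed through without the gateway validating a bearer token; unless each backend service enforces authentication itself (not visible here), this is an authorization bypass rather than a cleanup, and the removed `.status.authEnabled` column also takes away the operator's only signal that this is the case. The removed template line `{{- if and (not $rule.Secured) $values.Auth }}` was also the only visible consumer of `$rule.Secured`, so that flag on GatewayHTTPAPI rules presumably becomes a no-op while still being accepted in the spec, which can mislead operators into believing a route is protected. I would state the new contract on the function: `// CreateCaddyfile renders the gateway Caddyfile. The gateway performs no authentication of its own; every service exposed under /api/<name> must enforce authn/authz itself.` and either remove `Secured` from the rule spec or document that it no longer affects the gateway. CreateCaddyfile's body continues past the end of this hunk.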
@@ -8,9 +8,9 @@ import ( ) func createConfigMap(ctx core.Context, stack *v1beta1.Stack, - gateway *v1beta1.Gateway, httpAPIs []*v1beta1.GatewayHTTPAPI, auth *v1beta1.Auth, broker *v1beta1.Broker) (*v1.ConfigMap, error) { + gateway *v1beta1.Gateway, httpAPIs []*v1beta1.GatewayHTTPAPI, broker *v1beta1.Broker) (*v1.ConfigMap, error) { - caddyfile, err := CreateCaddyfile(ctx, stack, gateway, httpAPIs, auth, broker) + caddyfile, err := CreateCaddyfile(ctx, stack, gateway, httpAPIs, broker) if err != nil { return nil, err } diff --git a/components/operator/internal/resources/gateways/init.go b/components/operator/internal/resources/gateways/init.go index ca18c7aabf..1294463e60 100644 --- a/components/operator/internal/resources/gateways/init.go +++ b/components/operator/internal/resources/gateways/init.go @@ -48,15 +48,6 @@ func Reconcile(ctx Context, stack *v1beta1.Stack, gateway *v1beta1.Gateway, vers return httpAPIs[i].Spec.Name < httpAPIs[j].Spec.Name }) - auth := &v1beta1.Auth{} - ok, err := GetIfExists(ctx, stack.Name, auth) - if err != nil { - return err - } - if !ok { - auth = nil - } - var broker *v1beta1.Broker if t, err := brokertopics.Find(ctx, stack, "gateway"); err != nil { return err @@ -69,7 +60,7 @@ func Reconcile(ctx Context, stack *v1beta1.Stack, gateway *v1beta1.Gateway, vers } } - configMap, err := createConfigMap(ctx, stack, gateway, httpAPIs, auth, broker) + configMap, err := createConfigMap(ctx, stack, gateway, httpAPIs, broker) if err != nil { return err } @@ -89,7 +80,6 @@ func Reconcile(ctx Context, stack *v1beta1.Stack, gateway *v1beta1.Gateway, vers gateway.Status.SyncHTTPAPIs = Map(httpAPIs, func(from *v1beta1.GatewayHTTPAPI) string { return from.Spec.Name }) - gateway.Status.AuthEnabled = auth != nil return nil } diff --git a/components/operator/internal/tests/gateway_controller_test.go b/components/operator/internal/tests/gateway_controller_test.go index 574b56e805..80da85c60e 100644 
--- a/components/operator/internal/tests/gateway_controller_test.go +++ b/components/operator/internal/tests/gateway_controller_test.go @@ -182,40 +182,6 @@ var _ = Describe("GatewayController", func() { MatchGoldenFile("gateway-controller", "configmap-with-ledger-and-another-service.yaml")) }) }) - Context("Then creating a Auth object", func() { - var ( - databaseSettings *v1beta1.Settings - auth *v1beta1.Auth - ) - BeforeEach(func() { - auth = &v1beta1.Auth{ - ObjectMeta: RandObjectMeta(), - Spec: v1beta1.AuthSpec{ - StackDependency: v1beta1.StackDependency{ - Stack: stack.Name, - }, - }, - } - databaseSettings = settings.New(uuid.NewString(), "postgres.*.uri", "postgresql://localhost", stack.Name) - - Expect(Create(databaseSettings)).To(Succeed()) - Expect(Create(auth)).To(Succeed()) - }) - AfterEach(func() { - Expect(Delete(auth)).To(Succeed()) - Expect(Delete(databaseSettings)).To(Succeed()) - }) - It("Should redeploy the gateway with auth configuration", func() { - Eventually(func(g Gomega) []string { - g.Expect(LoadResource("", gateway.Name, gateway)) - return gateway.Status.SyncHTTPAPIs - }).Should(ContainElements("ledger", "auth")) - cm := &corev1.ConfigMap{} - Expect(LoadResource(stack.Name, "gateway", cm)).To(Succeed()) - Expect(cm.Data["Caddyfile"]).To( - MatchGoldenFile("gateway-controller", "configmap-with-ledger-and-auth.yaml")) - }) - }) Context("With audit enabled", func() { var ( brokerNatsDSNSettings *v1beta1.Settings diff --git a/components/operator/internal/tests/testdata/resources/gateway-controller/configmap-with-ledger-and-auth.yaml b/components/operator/internal/tests/testdata/resources/gateway-controller/configmap-with-ledger-and-auth.yaml deleted file mode 100644 index c6ecbd1f66..0000000000 --- a/components/operator/internal/tests/testdata/resources/gateway-controller/configmap-with-ledger-and-auth.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -(cors) { - header { - Access-Control-Allow-Methods "GET,OPTIONS,PUT,POST,DELETE,HEAD,PATCH" - Access-Control-Allow-Headers content-type - Access-Control-Max-Age 100 - Access-Control-Allow-Origin * - } -} -(auth) { - auth { - issuer https://example.net/api/auth - - read_key_set_max_retries 10 - } -} - -{ - - servers { - metrics - } - admin :3080 - - # Many directives manipulate the HTTP handler chain and the order in which - # those directives are evaluated matters. So the jwtauth directive must be - # ordered. - # c.f. https://caddyserver.com/docs/caddyfile/directives#directive-order - order auth before basicauth - order versions after metrics -} - -:8080 { - log { - output stdout - } - handle /api/auth* { - uri strip_prefix /api/auth - import cors - reverse_proxy auth:8080 { - header_up Host {upstream_hostport} - } - } - handle /api/ledger* { - uri strip_prefix /api/ledger - import cors - import auth ledger - reverse_proxy ledger:8080 { - header_up Host {upstream_hostport} - } - } - - handle /versions { - versions { - region "us-west-1" - env "staging" - endpoints { - auth { - http://auth:8080/_info http://auth:8080/_healthcheck - } - ledger { - http://ledger:8080/_info http://ledger:8080/ - } - } - } - } - - # Respond 404 if service does not exists - handle /api/* { - respond "Not Found" 404 - } -} \ No newline at end of file