New Access and Cache Architecture

api/v1alpha1/accesstoken_types.go

@@ -17,7 +17,6 @@ limitations under the License.
 package v1alpha1
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -42,9 +41,6 @@ const (
 
 // AccessTokenSpec defines the desired state of AccessToken
 type AccessTokenSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// State shows the state of the token (whether you use token or it's just a draft)
 	// Valid values are:
 	// - "Active" (default): uses token in authorization procedure
@@ -53,26 +49,25 @@ type AccessTokenSpec struct {
 	// +optional
 	State AccessTokenState `json:"state,omitempty"`
 
-	// IP Allow List is a list of IP and IP CIDRs that will be tested against X-Forwarded-For
+	// Priority shows the access level of the token
+	// +kubebuilder:default=0
+	// +kubebuilder:validation:Minimum=0
 	// +optional
-	IpAllowList []string `json:"ipAllowList,omitempty"`
+	Priority int `json:"priority,omitempty"`
 
-	// Domain Allow list is a list of Domain glob patterns that will be tested against Referer header
+	// AllowedIPs is a list of IP and IP CIDRs that will be tested against X-Forwarded-For
 	// +optional
-	DomainAllowList []string `json:"domainAllowList,omitempty"`
+	AllowedIPs []string `json:"ipAllowList,omitempty"`
 
-	// Secret Ref points to secret containing the API Key secret
-	// if it exists it will use the token value in it and will create a new secret if not exists
-	TokenSecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+	// AllowedDomains is a list of Domain glob patterns that will be tested against Referer header
+	// +optional
+	AllowedDomains []string `json:"domainAllowList,omitempty"`
 
-	// Priority shows the access level of the token
-	// +kubebuilder:default=0
-	// +kubebuilder:validation:Minimum=0
+	// AllowedWebservices is a list of Webservice that the token has access to
 	// +optional
-	Priority int `json:"priority,omitempty"`
+	AllowedWebservices []*WebserviceReference `json:"allowedWebservices,omitempty"`
 }
 
-// TODO use AccessToken.Metadata.Name as TokenSecretRef
 // TODO next step: create copy of secret in AccessToken's namespace
 
 // AccessTokenStatus defines the observed state of AccessToken

api/v1alpha1/webservice_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -25,9 +26,6 @@ import (
 
 // WebServiceSpec defines the desired state of WebService
 type WebServiceSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// +kubebuilder:default=X-Cerberus-Token
 	// +kubebuilder:validation:Pattern=^(X-[A-Za-z-]*[A-Za-z]|Authorization)$
 	// LookupHeader tells Cerberus which header should be used as the access token for authentication (case-sensitive).
@@ -103,6 +101,27 @@ type WebServiceList struct {
 	Items           []WebService `json:"items"`
 }
 
+type LocalWebserviceReference corev1.LocalObjectReference
+type WebserviceReference corev1.SecretReference
+
+func (w WebserviceReference) LocalName() string {
+	return w.Namespace + "/" + w.Name
+}
+
+func (w LocalWebserviceReference) LocalName(ns string) string {
+	return WebserviceReference{
+		Name:      w.Name,
+		Namespace: ns,
+	}.LocalName()
+}
+
+func (w WebService) LocalName() string {
+	return WebserviceReference{
+		Name:      w.Name,
+		Namespace: w.Namespace,
+	}.LocalName()
+}
+
 func init() {
 	SchemeBuilder.Register(&WebService{}, &WebServiceList{})
 }

api/v1alpha1/webserviceaccessbinding_types.go

@@ -25,14 +25,11 @@ import (
 
 // WebserviceAccessBindingSpec defines the desired state of WebserviceAccessBinding
 type WebserviceAccessBindingSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// Subjects are the name of AccessTokens which the access will be granted to
+	// Subjects are the name of Namespaces which the access will be granted to their tokens
 	Subjects []string `json:"subjects,omitempty"`
 
 	// WebServices are the target service accesses
-	Webservices []string `json:"webservices,omitempty"`
+	Webservices []LocalWebserviceReference `json:"webservices,omitempty"`
 }
 
 // WebserviceAccessBindingStatus defines the observed state of WebserviceAccessBinding

config/crd/bases/cerberus.snappcloud.io_accesstokens.yaml

@@ -35,15 +35,33 @@ spec:
           spec:
             description: AccessTokenSpec defines the desired state of AccessToken
             properties:
+              allowedWebservices:
+                description: AllowedWebservices is a list of Webservice that the token
+                  has access to
+                items:
+                  description: SecretReference represents a Secret Reference. It has
+                    enough information to retrieve secret in any namespace
+                  properties:
+                    name:
+                      description: name is unique within a namespace to reference
+                        a secret resource.
+                      type: string
+                    namespace:
+                      description: namespace defines the space within which the secret
+                        name must be unique.
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               domainAllowList:
-                description: Domain Allow list is a list of Domain glob patterns that
+                description: AllowedDomains is a list of Domain glob patterns that
                   will be tested against Referer header
                 items:
                   type: string
                 type: array
               ipAllowList:
-                description: IP Allow List is a list of IP and IP CIDRs that will
-                  be tested against X-Forwarded-For
+                description: AllowedIPs is a list of IP and IP CIDRs that will be
+                  tested against X-Forwarded-For
                 items:
                   type: string
                 type: array
@@ -52,17 +70,6 @@ spec:
                 description: Priority shows the access level of the token
                 minimum: 0
                 type: integer
-              secretRef:
-                description: Secret Ref points to secret containing the API Key secret
-                  if it exists it will use the token value in it and will create a
-                  new secret if not exists
-                properties:
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?'
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               state:
                 description: 'State shows the state of the token (whether you use
                   token or it''s just a draft) Valid values are: - "Active" (default):

config/crd/bases/cerberus.snappcloud.io_webserviceaccessbindings.yaml

@@ -38,15 +38,23 @@ spec:
               WebserviceAccessBinding
             properties:
               subjects:
-                description: Subjects are the name of AccessTokens which the access
-                  will be granted to
+                description: Subjects are the name of Namespaces which the access
+                  will be granted to their tokens
                 items:
                   type: string
                 type: array
               webservices:
                 description: WebServices are the target service accesses
                 items:
-                  type: string
+                  description: LocalObjectReference contains enough information to
+                    let you locate the referenced object inside the same namespace.
+                  properties:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
                 type: array
             type: object
           status:

config/crd/bases/cerberus.snappcloud.io_webservices.yaml

@@ -51,8 +51,8 @@ spec:
                 type: string
               minimumTokenPriority:
                 default: 0
-                description: MinimumTokenPriority tells Cerberus whether it should
-                  stablish the minimum priority threshold for token authentication
+                description: MinimumTokenPriority tells Cerberus what minimum priority
+                  it should stablish for token authentication
                 minimum: 0
                 type: integer
               upstreamHttpAuth: