From fb3b9a5ea3b07ac4e6c9d26fd7fb05374fce3852 Mon Sep 17 00:00:00 2001
From: David Cheung
Date: Mon, 16 Nov 2020 20:13:48 -0500
Subject: [PATCH] oathkeeper rules
---
 templates/.circleci/config.yml | 2 +-
 templates/kubernetes/base/auth.yml | 87 +++++++++++++++++++
 templates/kubernetes/base/kustomization.yml | 2 +
 .../kubernetes/overlays/production/auth.yml | 31 +++++++
 .../overlays/production/ingress.yml | 1 +
 .../overlays/production/kustomization.yml | 8 +-
 .../kubernetes/overlays/production/pdb.yml | 1 +
 .../kubernetes/overlays/staging/auth.yml | 31 +++++++
 .../kubernetes/overlays/staging/ingress.yml | 1 +
 .../overlays/staging/kustomization.yml | 7 +-
 zero-module.yml | 3 +
 11 files changed, 168 insertions(+), 6 deletions(-)
 create mode 100644 templates/kubernetes/base/auth.yml
 create mode 100644 templates/kubernetes/overlays/production/auth.yml
 create mode 100644 templates/kubernetes/overlays/staging/auth.yml
diff --git a/templates/.circleci/config.yml b/templates/.circleci/config.yml
index c4e4da9..e7e1736 100644
--- a/templates/.circleci/config.yml
+++ b/templates/.circleci/config.yml
@@ -252,7 +252,7 @@ jobs:
 cd kubernetes/overlays/<< parameters.config-environment >>
 IMAGE=<< parameters.account-id >>.dkr.ecr.<< parameters.region >>.amazonaws.com/<< parameters.repo >>
 kustomize edit set image fake-image=${IMAGE}:${VERSION_TAG}
- kustomize build . | kubectl apply -f - -n $NAMESPACE
+ kustomize build . | kubectl apply -f -
 if ! kubectl -n $NAMESPACE rollout status deployment/$DEPLOYMENT -w --timeout=180s ; then
 echo "$DEPLOYMENT rollout check failed:"
 echo "$DEPLOYMENT deployment:"
diff --git a/templates/kubernetes/base/auth.yml b/templates/kubernetes/base/auth.yml
new file mode 100644
index 0000000..1b02a3d
--- /dev/null
+++ b/templates/kubernetes/base/auth.yml
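Review bot: Dropping `-n $NAMESPACE` from `kubectl apply` means any object in the kustomize output that lacks `metadata.namespace` is created in the kubeconfig's current namespace, while the `rollout status` line two lines down still looks in `$NAMESPACE`. The base kustomization's new `namespace:` field stamps only the base resources, and this patch adds explicit namespaces to the overlay ingress and pdb files but not to the overlay auth.yml, so as far as the hunks here show, the Oathkeeper Rules are the objects most likely to land somewhere else. If `$NAMESPACE` and `<% .Name %>` hold the same value, keeping `kustomize build . | kubectl apply -f - -n $NAMESPACE` is harmless and makes kubectl reject any object whose namespace disagrees; otherwise add `namespace: <% .Name %>` to the overlay kustomizations so every emitted object is stamped. The surrounding job step continues outside the hunk.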
@@ -0,0 +1,87 @@
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: kratos-public
+spec:
+ upstream:
+ url: http://kratos-public.user-auth
+ stripPath: /.ory/kratos/public
+ preserveHost: true
+ match:
+ #url: http:///.ory/kratos/public/<.*>
+ methods:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ - PATCH
+ authenticators:
+ - handler: noop
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: kratos-form-data
+spec:
+ upstream:
+ url: http://kratos-admin.user-auth
+ stripPath: /.ory/kratos
+ preserveHost: true
+ match:
+ #url: http:///.ory/kratos/self-service/<(login|registration|recovery|settings)>/flows<.*>
+ methods:
+ - GET
+ authenticators:
+ - handler: noop
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: public-backend-endpoints
+spec:
+ version: test
+ upstream:
+ url: http://<% .Name %>.<% .Name %>
+ preserveHost: true
+ match:
+ # url: http:///status/<.*>
+ methods:
+ - GET
+ - POST
+ authenticators:
+ - handler: noop
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: noop
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: authenticated-backend-endpoints
+spec:
+ version: test
+ upstream:
+ preserveHost: true
+ url: http://<% .Name %>.<% .Name %>
+ stripPath: /api
+ match:
+ # url: /api/<.*>
+ methods:
+ - GET
+ - POST
+ authenticators:
+ - handler: cookie_session
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: id_token
+ - handler: header
diff --git a/templates/kubernetes/base/kustomization.yml b/templates/kubernetes/base/kustomization.yml
index a46d9ec..8acec64 100644
--- a/templates/kubernetes/base/kustomization.yml
+++ b/templates/kubernetes/base/kustomization.yml
@@ -1,6 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: <% .Name %>
+
 resources:
 - deployment.yml
 - service.yml
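Review bot: `kratos-form-data` routes unauthenticated traffic (`authenticators: noop`, `authorizer: allow`) to the Kratos admin service `http://kratos-admin.user-auth`, and the path it is meant to cover (per the commented `#url`) ends in `flows<.*>`, so anything after `flows` on those self-service paths reaches the admin API. As I understand Kratos, admin-side flow fetches do not require the browser's flow cookie, which leaves the flow id as the only thing protecting whatever the flow contains; if that is the intended server-side rendering pattern, record it in the file, e.g. `# Admin-API flow fetch exposed without auth: the flow id is the sole guard on this data; keep the pattern as narrow as possible`. `version: test` on the last two rules also looks like a leftover — if I read Oathkeeper's rule schema right, `version` drives rule migration and should be a real Oathkeeper version or omitted. Note that this file is not listed in the base kustomization's `resources:` anywhere in this patch.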
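Review bot: `auth.yml` is created in this commit but not added to `resources:` here — the hunk adds only `namespace:` — while both overlay kustomizations list their overlay `auth.yml` under `patchesStrategicMerge`. Those overlay files carry only `match.url`, so a strategic-merge patch against the rules named `kratos-public`, `kratos-form-data`, `public-backend-endpoints` and `authenticated-backend-endpoints` needs the base rules in the resource set; unless they are pulled in somewhere outside this patch, `kustomize build` will report no target for the patch. Suggested: add `- auth.yml` to this list, wrapped in the same `userAuth` template guard the overlays use, so the base rules exist for the overlays to patch.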
diff --git a/templates/kubernetes/overlays/production/auth.yml b/templates/kubernetes/overlays/production/auth.yml
new file mode 100644
index 0000000..32ee4e7
--- /dev/null
+++ b/templates/kubernetes/overlays/production/auth.yml
@@ -0,0 +1,31 @@
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: kratos-public
+spec:
+ match:
+ url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/.ory/kratos/public/<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: kratos-form-data
+spec:
+ match:
+ url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/.ory/kratos/self-service/<(login|registration|recovery|settings)>/flows<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: public-backend-endpoints
+spec:
+ match:
+ url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/<(?!(api|\.ory\/kratos)).*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: authenticated-backend-endpoints
+spec:
+ match:
+ url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/api/<.*>
diff --git a/templates/kubernetes/overlays/production/ingress.yml b/templates/kubernetes/overlays/production/ingress.yml
index 6f27420..c951d70 100644
--- a/templates/kubernetes/overlays/production/ingress.yml
+++ b/templates/kubernetes/overlays/production/ingress.yml
@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: <% .Name %>
+ namespace: <% .Name %>
 annotations:
 # nginx ingress
 kubernetes.io/ingress.class: nginx
diff --git a/templates/kubernetes/overlays/production/kustomization.yml b/templates/kubernetes/overlays/production/kustomization.yml
index 34662fe..9b80d3f 100644
--- a/templates/kubernetes/overlays/production/kustomization.yml
+++ b/templates/kubernetes/overlays/production/kustomization.yml
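Review bot: The `public-backend-endpoints` pattern `/<(?!(api|\.ory\/kratos)).*>` makes unauthenticated access the default for this host: every path that is not under `/api` or `/.ory/kratos` — including any endpoint added later — is forwarded with `noop` authentication and `allow`. The base file's own comment (`# url: http:///status/<.*>`) suggests the intended public surface is only the status endpoint; listing the public paths explicitly instead of negating the protected ones would make a new route match no rule, and so be refused by Oathkeeper, rather than be exposed. The lookahead is also not anchored to a path segment, so anything beginning with `api` (say `/apidocs`) is excluded from this rule without being covered by `authenticated-backend-endpoints`, which matches only `/api/<.*>`. The staging overlay carries the same patterns.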
@@ -3,11 +3,13 @@ kind: Kustomization
 patchesStrategicMerge:
 - deployment.yml
-
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 resources:
 - ../../base
-- ingress.yml
-- pdb.yml
+<%if eq (index .Params `userAuth`) "yes" %>#<% end %>- ingress.yml
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 configMapGenerator:
 - name: <% .Name %>-config
diff --git a/templates/kubernetes/overlays/production/pdb.yml b/templates/kubernetes/overlays/production/pdb.yml
index a75a1a4..e640f4e 100644
--- a/templates/kubernetes/overlays/production/pdb.yml
+++ b/templates/kubernetes/overlays/production/pdb.yml
@@ -3,6 +3,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
 name: <% .Name %>
+ namespace: <% .Name %>
 spec:
 minAvailable: 2
 selector:
diff --git a/templates/kubernetes/overlays/staging/auth.yml b/templates/kubernetes/overlays/staging/auth.yml
new file mode 100644
index 0000000..7dd0aff
--- /dev/null
+++ b/templates/kubernetes/overlays/staging/auth.yml
@@ -0,0 +1,31 @@
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: kratos-public
+spec:
+ match:
+ url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/.ory/kratos/public/<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: kratos-form-data
+spec:
+ match:
+ url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/.ory/kratos/self-service/<(login|registration|recovery|settings)>/flows<.*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: public-backend-endpoints
+spec:
+ match:
+ url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/<(?!(api|\.ory\/kratos)).*>
+---
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+ name: authenticated-backend-endpoints
+spec:
+ match:
+ url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/api/<.*>
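Review bot: `- pdb.yml` is removed from `resources:` with nothing replacing it, so the production overlay stops deploying its PodDisruptionBudget — yet the same patch still edits pdb.yml to add a namespace, which suggests the removal is accidental; restore ` - pdb.yml` after ` - ../../base`, unconditionally, since the budget does not depend on `userAuth`. Separately, when `userAuth` is "yes" the overlay's `auth.yml` is listed both under `patchesStrategicMerge` and under `resources:`; as far as I can tell the effect is either a patch-target conflict or Rules emitted with only `match.url` and no upstream or handlers, so the `resources:` entry should go and the patch entry stay. The staging kustomization hunk has the same double listing (it shows no pdb.yml line).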
diff --git a/templates/kubernetes/overlays/staging/ingress.yml b/templates/kubernetes/overlays/staging/ingress.yml
index 156d827..336f091 100644
--- a/templates/kubernetes/overlays/staging/ingress.yml
+++ b/templates/kubernetes/overlays/staging/ingress.yml
@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: <% .Name %>
+ namespace: <% .Name %>
 annotations:
 # nginx ingress
 kubernetes.io/ingress.class: nginx
diff --git a/templates/kubernetes/overlays/staging/kustomization.yml b/templates/kubernetes/overlays/staging/kustomization.yml
index a375f26..d31ed90 100644
--- a/templates/kubernetes/overlays/staging/kustomization.yml
+++ b/templates/kubernetes/overlays/staging/kustomization.yml
@@ -3,10 +3,13 @@ kind: Kustomization
 patchesStrategicMerge:
 - deployment.yml
-
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 resources:
 - ../../base
-- ingress.yml
+<%if eq (index .Params `userAuth`) "yes" %>#<% end %>- ingress.yml
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 configMapGenerator:
 - name: <% .Name %>-config
diff --git a/zero-module.yml b/zero-module.yml
index c2db2df..4c5174b 100644
--- a/zero-module.yml
+++ b/zero-module.yml
@@ -103,3 +103,6 @@ conditions:
 data:
 - src/middleware/auth
 - src/app/auth
+ - kubernetes/base/auth.yml
+ - kubernetes/overlays/staging/auth.yml
+ - kubernetes/overlays/production/auth.yml