Minimum requirements to contribute to Authorino are:
Authorino's code was originally bundled using the Operator SDK (v1.9.0).
The following tools can be installed as part of the development workflow:
-
Installed with
go install
to the$PROJECT_DIR/bin
directory:- controller-gen: for building custom types and manifests
- Kustomize: for assembling flavoured manifests and installing/deploying
- setup-envtest: for running the tests – extra tools installed to
./testbin
- benchstat: for human-friendly test benchmark reports
- mockgen: to generate mocks for tests – e.g.
./bin/mockgen -source=pkg/auth/auth.go -destination=pkg/auth/mocks/mock_auth.go
- Kind: for deploying a containerized Kubernetes cluster for integration testing purposes
-
Other recommended tools to have installed:
Start by checking the list of issues in GitHub.
In case you want to contribute with an idea for enhancement, a bug fix, or question, please make sure to describe the issue so we can start a conversation together and help you find the best way to get your contribution merged.
Fork/clone the repo:
git clone git@github.com:kuadrant/authorino.git && cd authorino
Download the Golang dependencies:
make vendor
For additional automation provided, check:
make help
Good changes...
- follow the Golang conventions
- have proper test coverage
- address corresponding updates to the docs
- help us fix wherever we failed to do the above 😜
To run the tests:
make test
The following command will:
- Start a local Kubernetes cluster (using Kind)
- Install cert-manager in the cluster
- Install the Authorino Operator and Authorino CRDs
- Build an image of Authorino based on the current branch
- Push the freshly built image to the cluster's registry
- Generate TLS certificates for the Authorino service
- Deploy an instance of Authorino
- Deploy the example application Talker API, a simple HTTP API that echoes back whatever it gets in the request
- Setup Envoy for proxying to the Talker API and using Authorino for external authorization
make local-setup
You will be prompted to edit the Authorino
custom resource.
The main workload composed of Authorino instance and user apps (Envoy, Talker API) will be deployed to the default
Kubernetes namespace.
Once the deployment is ready, you can forward the requests on port 8000 to the Envoy service
kubectl port-forward deployment/envoy 8000:8000 &
Pro tips
- Change the default workload namespace by supplying the
NAMESPACE
argument to yourmake local-setup
and other deployment, apps and local cluster related targets. If the namespace does not exist, it will be created. - Switch to TLS disabled by default when deploying locally by supplying
TLS_ENABLED=0
to yourmake local-setup
andmake deploy
commands. E.g.make local-setup TLS_ENABLED=0
. - Skip being prompted to edit the
Authorino
CR and default to an Authorino deployment with TLS enabled, debug/development log level/mode, and standard name 'authorino', by supplyingFF=1
to yourmake local-setup
andmake deploy
commands. E.g.make local-setup FF=1
- Supply
DEPLOY_IDPS=1
tomake local-setup
andmake user-apps
to deploy Keycloak and Dex to the cluster.DEPLOY_KEYCLOAK
andDEPLOY_DEX
are also available. Read more about additional tools for specific use cases in the section below. - Saving the ID of the process (PID) of the port-forward command spawned in the background can be useful to later kill and restart the process. E.g.
kubectl port-forward deployment/envoy 8000:8000 &;PID=$!
; thenkill $PID
.
Limitador
To deploy Limitador – pre-configured in Envoy for rate-limiting the Talker API to 5 hits per minute per user_id
when available in the cluster workload –, run:
kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/limitador/limitador-deploy.yaml
Keycloak
Authorino examples include a bundle of Keycloak preloaded with the following realm setup:
- Admin console: http://localhost:8080/admin (admin/p)
- Preloaded realm: kuadrant
- Preloaded clients:
- demo: to which API consumers delegate access and therefore the one which access tokens are issued to
- authorino: used by Authorino to fetch additional user info with
client_credentials
grant type - talker-api: used by Authorino to fetch UMA-protected resource data associated with the Talker API
- Preloaded resources:
/hello
/greetings/1
(owned by user john)/greetings/2
(owned by user jane)/goodbye
- Realm roles:
- member (default to all users)
- admin
- Preloaded users:
- john/p (member)
- jane/p (admin)
- peter/p (member, email not verified)
To deploy, run:
kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/keycloak/keycloak-deploy.yaml
Forward local requests to the instance of Keycloak running in the cluster:
kubectl port-forward deployment/keycloak 8080:8080 &
Dex
Authorino examples include a bundle of Dex preloaded with the following setup:
- Preloaded clients:
- demo: to which API consumers delegate access and therefore the one which access tokens are issued to (Client secret: aaf88e0e-d41d-4325-a068-57c4b0d61d8e)
- Preloaded users:
- marta@localhost/password
To deploy, run:
kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/dex/dex-deploy.yaml
Forward local requests to the instance of Dex running in the cluster:
kubectl port-forward deployment/dex 5556:5556 &
a12n-server
Authorino examples include a bundle of a12n-server and corresponding MySQL database, preloaded with the following setup:
- Admin console: http://a12n-server:8531 (admin/123456)
- Preloaded clients:
- service-account-1: to obtain access tokens via
client_credentials
OAuth2 grant type, to consume the Talker API (Client secret: DbgXROi3uhWYCxNUq_U1ZXjGfLHOIM8X3C2bJLpeEdE); includes metadata privilege:{ "talker-api": ["read"] }
that can be used to write authorization policies - talker-api: to authenticate to the token introspect endpoint (Client secret: V6g-2Eq2ALB1_WHAswzoeZofJ_e86RI4tdjClDDDb4g)
- service-account-1: to obtain access tokens via
To deploy, run:
kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/a12n-server/a12n-server-deploy.yaml
Forward local requests to the instance of a12n-server running in the cluster:
kubectl port-forward deployment/a12n-server 8531:8531 &
Re-build and rollout latest Authorino image:
make local-rollout
If you made changes to the CRD between iterations, re-install by running:
make install
The following command deletes the entire Kubernetes cluster started with Kind:
make local-cleanup
All commits to be accepted to Authorino's code are required to be signed. Refer to this page about signing your commits.
A few guidelines for adding logging messages in your code:
- Make sure you understand Authorino's Logging architecture and policy regarding log levels, log modes, tracing IDs, etc.
- Respect controller-runtime's Logging Guidelines.
- Do not add sensitive data to your
info
log messages; instead, redact all sensitive data in your log messages or usedebug
log level by mutating the logger withV(1)
before outputting the message.
Here in the repo:
Other repos:
#kuadrant channel on kubernetes.slack.com.