(#66) Configure an ExtAuthzProxy provider for each project stage

This patch configures an istio envoyExtAuthzHttp provider for each stage
in each project.  An example provider for the dev stage of the holos
project is `authproxy-dev-holos`

docs/examples/meshconfig.cue

@@ -0,0 +1,52 @@
+package holos
+
+// #MeshConfig provides the istio meshconfig in the config key given projects.
+#MeshConfig: {
+	projects: #Projects
+	// clusterName is the value of the --cluster-name flag, the cluster currently being manged / rendered.
+	clusterName: string | *#ClusterName
+
+	extensionProviderMap: [Name=_]: {
+		name: Name
+	}
+
+	config: {
+		accessLogEncoding: string | *"JSON"
+		accessLogFile:     string | *"/dev/stdout"
+		defaultConfig: {
+			discoveryAddress: string | *"istiod.istio-system.svc:15012"
+			tracing: zipkin: address: string | *"zipkin.istio-system:9411"
+		}
+		defaultProviders: metrics: [...string] | *["prometheus"]
+		enablePrometheusMerge: false | *true
+		rootNamespace:         string | *"istio-system"
+		trustDomain:           string | *"cluster.local"
+		extensionProviders: [for x in extensionProviderMap {x}]
+	}
+}
+
+// #ExtAuthzProxy defines the provider configuration for an istio external authorization auth proxy.
+#ExtAuthzProxy: {
+	name: string
+	envoyExtAuthzHttp: {
+		headersToDownstreamOnDeny: [
+			"content-type",
+			"set-cookie",
+		]
+		headersToUpstreamOnAllow: [
+			"authorization",
+			"path",
+			"x-auth-request-user",
+			"x-auth-request-email",
+			"x-auth-request-access-token",
+		]
+		includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+		includeRequestHeadersInCheck: [
+			"authorization",
+			"cookie",
+			"x-forwarded-for",
+		]
+		port:    4180
+		service: string
+	}
+}

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istiod/meshconfig.cue

@@ -2,73 +2,4 @@ package holos
 
 // Istio meshconfig
 // TODO: Generate per-project extauthz providers.
-_MeshConfig: {
-	accessLogEncoding: "JSON"
-	accessLogFile:     "/dev/stdout"
-	defaultConfig: {
-		discoveryAddress: "istiod.istio-system.svc:15012"
-		tracing: zipkin: address: "zipkin.istio-system:9411"
-	}
-	defaultProviders: metrics: ["prometheus"]
-	enablePrometheusMerge: true
-	// For PROXY PROTOCOL at the ingress gateway.
-	gatewayTopology: {
-		numTrustedProxies: 2
-	}
-	rootNamespace: "istio-system"
-	trustDomain:   "cluster.local"
-	extensionProviders: [{
-		name: "cluster-trace"
-		zipkin: {
-			maxTagLength: 56
-			port:         9411
-			service:      "zipkin.istio-system.svc"
-		}
-	}, {
-		name: "cluster-gatekeeper"
-		envoyExtAuthzHttp: {
-			headersToDownstreamOnDeny: [
-				"content-type",
-				"set-cookie",
-			]
-			headersToUpstreamOnAllow: [
-				"authorization",
-				"path",
-				"x-auth-request-user",
-				"x-auth-request-email",
-				"x-auth-request-access-token",
-			]
-			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
-			includeRequestHeadersInCheck: [
-				"authorization",
-				"cookie",
-				"x-forwarded-for",
-			]
-			port:    4180
-			service: "oauth2-proxy.istio-ingress.svc.cluster.local"
-		}
-	}, {
-		name: "core-authorizer"
-		envoyExtAuthzHttp: {
-			headersToDownstreamOnDeny: [
-				"content-type",
-				"set-cookie",
-			]
-			headersToUpstreamOnAllow: [
-				"authorization",
-				"path",
-				"x-auth-request-user",
-				"x-auth-request-email",
-				"x-auth-request-access-token",
-			]
-			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
-			includeRequestHeadersInCheck: [
-				"authorization",
-				"cookie",
-				"x-forwarded-for",
-			]
-			port:    4180
-			service: "oauth2-proxy.prod-core-system.svc.cluster.local"
-		}
-	}]
-}
+_MeshConfig: (#MeshConfig & {projects: _Projects}).config

docs/examples/platforms/reference/clusters/projects.cue

@@ -21,10 +21,13 @@ _Projects: #Projects & {
 	}
 
 	iam: {
+		resourceId: 260582480954787159
 		clusters: {
 			core1: _
 			core2: _
 		}
+		stages: dev: authProxyClientID:  "260582521186616432@iam"
+		stages: prod: authProxyClientID: "260582633862399090@iam"
 	}
 }
 

docs/examples/platforms/reference/meshconfig.cue

@@ -0,0 +1,35 @@
+package holos
+
+#MeshConfig: {
+	projects:    _
+	clusterName: _
+
+	extensionProviderMap: {
+		"cluster-trace": {
+			zipkin: {
+				maxTagLength: 56
+				port:         9411
+				service:      "zipkin.istio-system.svc"
+			}
+		}
+	}
+
+	config: {
+		// For PROXY PROTOCOL at the ingress gateway.
+		gatewayTopology: {
+			numTrustedProxies: 2
+		}
+	}
+
+	// Configure an ExtAuthzHttp provider for each stage's authproxy
+	for Project in projects {
+		if Project.clusters[clusterName] != _|_ {
+			for Stage in Project.stages {
+				let Name = "authproxy-\(Stage.slug)"
+				extensionProviderMap: (Name): #ExtAuthzProxy & {
+					envoyExtAuthzHttp: service: "authproxy.\(Stage.namespace).svc.cluster.local"
+				}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/platform_projects.cue

@@ -285,18 +285,18 @@ let AUTHPROXY = {
 			metadata: Metadata
 			spec: selector: Metadata.labels
 			spec: ports: [
-				{port: 80, targetPort: 4180, protocol: "TCP", name: "http"},
+				{port: 4180, targetPort: 4180, protocol: "TCP", name: "http"},
 			]
 		}
 		VirtualService: (Name): #VirtualService & {
 			metadata: Metadata
-			spec: hosts: [for host, v in servers {host}]
+			spec: hosts: ["*"]
 			spec: gateways: ["istio-ingress/\(stage.slug)"]
 			spec: http: [{
 				match: [{uri: prefix: project.authProxyPrefix}]
 				route: [{
 					destination: host: Name
-					destination: port: number: 80
+					destination: port: number: 4180
 				}]
 			}]
 		}

pkg/version/embedded/patch

@@ -1 +1 @@
-3
+4