(#66) Move CUSTOM AuthorizationPolicy to env namespace

It doesn't make sense to link the stage ext authz provider to the
ingress gateway because there can be only one provider per workload.

Link it instead to the backend environment and use the
`security.holos.run/authproxy` label to match the workload.

docs/examples/helpers.cue

@@ -18,7 +18,10 @@ import "encoding/yaml"
 		Issuer?: [Name=_]: #Issuer & {metadata: name: Name}
 		Gateway?: [Name=_]: #Gateway & {metadata: name: Name}
 		ConfigMap?: [Name=_]: #ConfigMap & {metadata: name: Name}
-		Deployment?: [_]: #Deployment
+
+		Deployment?: [_]:            #Deployment
+		RequestAuthentication?: [_]: #RequestAuthentication
+		AuthorizationPolicy?: [_]:   #AuthorizationPolicy
 	}
 
 	// apiObjectMap holds the marshalled representation of apiObjects

docs/examples/meshconfig.cue

@@ -36,9 +36,7 @@ package holos
 		headersToUpstreamOnAllow: [
 			"authorization",
 			"path",
-			"x-auth-request-user",
-			"x-auth-request-email",
-			"x-auth-request-access-token",
+			"x-oidc-id-token",
 		]
 		includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
 		includeRequestHeadersInCheck: [

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio-base/istiobase.cue

@@ -8,7 +8,7 @@ spec: components: HelmChartList: [
 		namespace: "istio-system"
 		chart: {
 			name:    "base"
-			version: "1.20.3"
+			version: #IstioVersion
 			repository: {
 				name: "istio"
 				url:  "https://istio-release.storage.googleapis.com/charts"

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istio.cue

@@ -2,7 +2,7 @@ package holos
 
 #HelmChart: {
 	chart: {
-		version: "1.20.3"
+		version: #IstioVersion
 		repository: {
 			name: "istio"
 			url:  "https://istio-release.storage.googleapis.com/charts"

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/values.cni.cue

@@ -126,7 +126,7 @@ package holos
 		hub: "docker.io/istio"
 
 		// Default tag for Istio images.
-		tag: "1.20.3"
+		tag: #IstioVersion
 
 		// Variant of the image to use.
 		// Currently supported are: [debug, distroless]

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/mesh.cue

@@ -1,3 +1,5 @@
 package holos
 
 #InstancePrefix: "prod-mesh"
+
+#IstioVersion: "1.21.0"

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/values.cue

@@ -172,20 +172,14 @@ package holos
 				enabled: true
 				// Indicates whether to enable WebAssembly runtime for stats filter.
 				wasmEnabled: false
-				// overrides stats EnvoyFilter configuration.
-				configOverride: {
-					gateway: {}
-					inboundSidecar: {}
-					outboundSidecar: {}
-				}
 			}
 			// stackdriver filter settings.
 			stackdriver: {
-				enabled:         false
-				logging:         false
-				monitoring:      false
-				topology:        false // deprecated. setting this to true will have no effect, as this option is no longer supported.
-				disableOutbound: false
+				enabled:    false
+				logging:    false
+				monitoring: false
+				topology:   false // deprecated. setting this to true will have no effect, as this option is no longer supported.
+
 				//  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
 
 				configOverride: {}
@@ -248,7 +242,7 @@ package holos
 		// Dev builds from prow are on gcr.io
 		hub: string | *"docker.io/istio"
 		// Default tag for Istio images.
-		tag: string | *"1.20.3"
+		tag: #IstioVersion
 		// Variant of the image to use.
 		// Currently supported are: [debug, distroless]
 		variant: string | *""

docs/examples/platforms/reference/meshconfig.cue

@@ -25,8 +25,7 @@ package holos
 	for Project in projects {
 		if Project.clusters[clusterName] != _|_ {
 			for Stage in Project.stages {
-				let Name = "authproxy-\(Stage.slug)"
-				extensionProviderMap: (Name): #ExtAuthzProxy & {
+				extensionProviderMap: (Stage.extAuthzProviderName): #ExtAuthzProxy & {
 					envoyExtAuthzHttp: service: "authproxy.\(Stage.namespace).svc.cluster.local"
 				}
 			}

docs/examples/platforms/reference/platform_projects.cue

@@ -1,5 +1,7 @@
 package holos
 
+import "encoding/yaml"
+
 // Platform level definition of a project.
 #Project: {
 	name: string
@@ -82,10 +84,15 @@ package holos
 				// Manage httpbin in each environment
 				for Env in project.environments if Env.stage == stage.name {
 					"\(Env.slug)-httpbin": #KubernetesObjects & {
+						let Project = project
 						apiObjectMap: (#APIObjects & {
-							let Project = project
 							apiObjects: (HTTPBIN & {env: Env, project: Project}).apiObjects
 						}).apiObjectMap
+
+						// Manage auth policy in each env
+						apiObjectMap: (#APIObjects & {
+							apiObjects: (AUTHPOLICY & {env: Env, project: Project, servers: GatewayServers[stage.name]}).apiObjects
+						}).apiObjectMap
 					}
 				}
 			}
@@ -123,12 +130,19 @@ let HTTPBIN = {
 	project: #Project
 	env:     #Environment
 	let Name = name
+	let Stage = project.stages[env.stage]
 
 	let Metadata = {
 		name:      Name
 		namespace: env.namespace
 		labels: app: name
 	}
+	let Labels = {
+		"app.kubernetes.io/name":       Name
+		"app.kubernetes.io/instance":   env.slug
+		"app.kubernetes.io/part-of":    env.project
+		"security.holos.run/authproxy": Stage.extAuthzProviderName
+	}
 
 	apiObjects: {
 		Deployment: (Name): #Deployment & {
@@ -136,7 +150,7 @@ let HTTPBIN = {
 
 			spec: selector: matchLabels: Metadata.labels
 			spec: template: {
-				metadata: labels: Metadata.labels & #IstioSidecar
+				metadata: labels: Metadata.labels & #IstioSidecar & Labels
 				spec: securityContext: seccompProfile: type: "RuntimeDefault"
 				spec: containers: [{
 					name:  Name
@@ -203,6 +217,45 @@ let AUTHPROXY = {
 	apiObjects: {
 		// oauth2-proxy
 		ExternalSecret: (Name): metadata: Metadata
+		// Place the ID token in a header that does not conflict with the Authorization header.
+		// Refer to: https://github.com/oauth2-proxy/oauth2-proxy/issues/1877#issuecomment-1364033723
+		ConfigMap: (Name): {
+			metadata: Metadata
+			data: "config.yaml": yaml.Marshal(AuthProxyConfig)
+			let AuthProxyConfig = {
+				injectResponseHeaders: [{
+					name: "x-oidc-id-token"
+					values: [{claim: "id_token"}]
+				}]
+				providers: [{
+					id:                    "Holos Platform"
+					name:                  "Holos Platform"
+					provider:              "oidc"
+					scope:                 "openid profile email groups offline_access urn:zitadel:iam:org:domain:primary:\(project.authProxyOrgDomain)"
+					clientID:              stage.authProxyClientID
+					clientSecretFile:      "/dev/null"
+					code_challenge_method: "S256"
+					loginURLParameters: [{
+						default: ["force"]
+						name: "approval_prompt"
+					}]
+					oidcConfig: {
+						issuerURL: project.authProxyIssuer
+						audienceClaims: ["aud"]
+						emailClaim:  "email"
+						groupsClaim: "groups"
+						userIDClaim: "sub"
+					}
+				}]
+				server: BindAddress: ":4180"
+				upstreamConfig: upstreams: [{
+					id:         "static://200"
+					path:       "/"
+					static:     true
+					staticCode: 200
+				}]
+			}
+		}
 		Deployment: (Name): #Deployment & {
 			metadata: Metadata
 
@@ -219,65 +272,64 @@ let AUTHPROXY = {
 				template: {
 					metadata: labels: Metadata.labels
 					metadata: labels: #IstioSidecar
-					spec: securityContext: seccompProfile: type: "RuntimeDefault"
-					spec: containers: [{
-						image:           "quay.io/oauth2-proxy/oauth2-proxy:v7.4.0"
-						imagePullPolicy: "IfNotPresent"
-						name:            "oauth2-proxy"
-						args: [
-							// callback url is proxy prefix + /callback
-							"--proxy-prefix=" + project.authProxyPrefix,
-							"--email-domain=*",
-							"--session-store-type=redis",
-							"--redis-connection-url=redis://\(RedisMetadata.name):6379",
-							"--cookie-refresh=12h",
-							"--cookie-expire=2160h",
-							"--cookie-secure=true",
-							"--cookie-name=__Secure-\(Name)-\(stage.slug)",
-							"--cookie-samesite=lax",
-							for domain in StageDomains {"--cookie-domain=.\(domain.name)"},
-							for domain in StageDomains {"--whitelist-domain=.\(domain.name)"},
-							"--cookie-csrf-per-request=true",
-							"--cookie-csrf-expire=120s",
-							"--set-authorization-header=false",
-							"--set-xauthrequest=true",
-							"--pass-access-token=true",
-							"--pass-authorization-header=true",
-							"--upstream=static://200",
-							"--reverse-proxy",
-							"--real-client-ip-header=X-Forwarded-For",
-							"--skip-provider-button=true",
-							"--auth-logging",
-							"--provider=oidc",
-							"--scope=openid profile email groups offline_access urn:zitadel:iam:org:domain:primary:\(project.authProxyOrgDomain)",
-							"--client-id=" + stage.authProxyClientID,
-							"--client-secret-file=/dev/null",
-							"--oidc-issuer-url=\(project.authProxyIssuer)",
-							"--code-challenge-method=S256",
-							"--http-address=0.0.0.0:4180",
-							// "--allowed-group=\(project.resourceId):\(stage.name)-access",
-						]
-						env: [{
-							name: "OAUTH2_PROXY_COOKIE_SECRET"
-							// echo '{"cookiesecret":"'$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upper:]' '[:lower:]' | head -c 32)'"}' | holos create secret -n dev-holos-system --append-hash=false --data-stdin authproxy
-							valueFrom: secretKeyRef: {
-								key:  "cookiesecret"
-								name: Name
+					spec: {
+						securityContext: seccompProfile: type: "RuntimeDefault"
+						containers: [{
+							image:           "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0"
+							imagePullPolicy: "IfNotPresent"
+							name:            "oauth2-proxy"
+							volumeMounts: [{
+								name:      "config"
+								mountPath: "/config"
+								readOnly:  true
+							}]
+							args: [
+								// callback url is proxy prefix + /callback
+								"--proxy-prefix=" + project.authProxyPrefix,
+								"--email-domain=*",
+								"--session-store-type=redis",
+								"--redis-connection-url=redis://\(RedisMetadata.name):6379",
+								"--cookie-refresh=12h",
+								"--cookie-expire=2160h",
+								"--cookie-secure=true",
+								"--cookie-name=__Secure-\(stage.slug)-\(Name)",
+								"--cookie-samesite=lax",
+								for domain in StageDomains {"--cookie-domain=.\(domain.name)"},
+								for domain in StageDomains {"--cookie-domain=\(domain.name)"},
+								for domain in StageDomains {"--whitelist-domain=.\(domain.name)"},
+								for domain in StageDomains {"--whitelist-domain=\(domain.name)"},
+								"--cookie-csrf-per-request=true",
+								"--cookie-csrf-expire=120s",
+								// will skip authentication for OPTIONS requests
+								"--skip-auth-preflight=true",
+								"--real-client-ip-header=X-Forwarded-For",
+								"--skip-provider-button=true",
+								"--auth-logging",
+								"--alpha-config=/config/config.yaml",
+							]
+							env: [{
+								name: "OAUTH2_PROXY_COOKIE_SECRET"
+								// echo '{"cookiesecret":"'$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upper:]' '[:lower:]' | head -c 32)'"}' | holos create secret -n dev-holos-system --append-hash=false --data-stdin authproxy
+								valueFrom: secretKeyRef: {
+									key:  "cookiesecret"
+									name: Name
+								}
+							}]
+							ports: [{
+								containerPort: 4180
+								protocol:      "TCP"
+							}]
+							securityContext: {
+								seccompProfile: type: "RuntimeDefault"
+								allowPrivilegeEscalation: false
+								runAsNonRoot:             true
+								runAsUser:                8192
+								runAsGroup:               8192
+								capabilities: drop: ["ALL"]
 							}
 						}]
-						ports: [{
-							containerPort: 4180
-							protocol:      "TCP"
-						}]
-						securityContext: {
-							seccompProfile: type: "RuntimeDefault"
-							allowPrivilegeEscalation: false
-							runAsNonRoot:             true
-							runAsUser:                8192
-							runAsGroup:               8192
-							capabilities: drop: ["ALL"]
-						}
-					}]
+						volumes: [{name: "config", configMap: name: Name}]
+					}
 				}
 			}
 		}
@@ -349,6 +401,9 @@ let AUTHPROXY = {
 								seccompProfile: type: "RuntimeDefault"
 								allowPrivilegeEscalation: false
 								capabilities: drop: ["ALL"]
+								runAsNonRoot: true
+								runAsUser:    999
+								runAsGroup:   999
 							}
 							volumeMounts: [{
 								mountPath: "/redis-master-data"
@@ -382,3 +437,60 @@ let AUTHPROXY = {
 		}
 	}
 }
+
+// AUTHPOLICY configures the baseline AuthorizationPolicy and RequestAuthentication policy for each stage of each project.
+let AUTHPOLICY = {
+	project: #Project
+	env:     #Environment
+	let Name = "\(stage.slug)-authproxy"
+	let Project = project
+	let stage = project.stages[env.stage]
+	let Env = env
+
+	let Metadata = {
+		name:      string
+		namespace: env.namespace
+		labels: {
+			"app.kubernetes.io/name":     name
+			"app.kubernetes.io/instance": stage.name
+			"app.kubernetes.io/part-of":  stage.project
+		}
+	}
+
+	// Collect all the hosts associated with the stage
+	let Hosts = {
+		for HOST in (#EnvHosts & {project: Project, env: Env}).hosts {
+			(HOST.name): HOST
+		}
+	}
+
+	// HostList is a list of hosts for AuthorizationPolicy rules
+	let HostList = [
+		for host in Hosts {host.name},
+		for host in Hosts {host.name + ":*"},
+	]
+	let MatchLabels = {"security.holos.run/authproxy": stage.extAuthzProviderName}
+
+	apiObjects: {
+		RequestAuthentication: (Name): #RequestAuthentication & {
+			metadata: Metadata & {name: Name}
+			spec: jwtRules: [{
+				audiences: [stage.authProxyClientID]
+				forwardOriginalToken: true
+				fromHeaders: [{name: "x-oidc-id-token"}]
+				issuer: project.authProxyIssuer
+			}]
+			spec: selector: matchLabels: MatchLabels
+		}
+		AuthorizationPolicy: "\(Name)-custom": {
+			metadata: Metadata & {name: "\(Name)-custom"}
+			spec: {
+				action: "CUSTOM"
+				// send the request to the auth proxy
+				provider: name: stage.extAuthzProviderName
+				rules: [{to: [{operation: hosts: HostList}]}]
+				selector: matchLabels: MatchLabels
+			}
+		}
+	}
+}

docs/examples/project_types.cue

@@ -117,6 +117,8 @@ import "strings"
 	stageSegments: [...string] | *[name]
 	// authProxyClientID is the ClientID registered with the oidc issuer.
 	authProxyClientID: string
+	// extAuthzProviderName is the provider name in the mesh config
+	extAuthzProviderName: "\(slug)-authproxy"
 }
 
 #Feature: {

docs/examples/schema.cue

@@ -13,6 +13,8 @@ import (
 	crt "cert-manager.io/certificate/v1"
 	gw "networking.istio.io/gateway/v1beta1"
 	vs "networking.istio.io/virtualservice/v1beta1"
+	ra "security.istio.io/requestauthentication/v1"
+	ap "security.istio.io/authorizationpolicy/v1"
 	pg "postgres-operator.crunchydata.com/postgrescluster/v1beta1"
 )
 
@@ -63,19 +65,21 @@ _apiVersion: "holos.run/v1alpha1"
 #ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
 #ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
 
-#Issuer:          #NamespaceObject & is.#Issuer
-#Role:            #NamespaceObject & rbacv1.#Role
-#RoleBinding:     #NamespaceObject & rbacv1.#RoleBinding
-#ConfigMap:       #NamespaceObject & corev1.#ConfigMap
-#ServiceAccount:  #NamespaceObject & corev1.#ServiceAccount
-#Pod:             #NamespaceObject & corev1.#Pod
-#Service:         #NamespaceObject & corev1.#Service
-#Job:             #NamespaceObject & batchv1.#Job
-#CronJob:         #NamespaceObject & batchv1.#CronJob
-#Deployment:      #NamespaceObject & appsv1.#Deployment
-#VirtualService:  #NamespaceObject & vs.#VirtualService
-#Certificate:     #NamespaceObject & crt.#Certificate
-#PostgresCluster: #NamespaceObject & pg.#PostgresCluster
+#Issuer:                #NamespaceObject & is.#Issuer
+#Role:                  #NamespaceObject & rbacv1.#Role
+#RoleBinding:           #NamespaceObject & rbacv1.#RoleBinding
+#ConfigMap:             #NamespaceObject & corev1.#ConfigMap
+#ServiceAccount:        #NamespaceObject & corev1.#ServiceAccount
+#Pod:                   #NamespaceObject & corev1.#Pod
+#Service:               #NamespaceObject & corev1.#Service
+#Job:                   #NamespaceObject & batchv1.#Job
+#CronJob:               #NamespaceObject & batchv1.#CronJob
+#Deployment:            #NamespaceObject & appsv1.#Deployment
+#VirtualService:        #NamespaceObject & vs.#VirtualService
+#RequestAuthentication: #NamespaceObject & ra.#RequestAuthentication
+#AuthorizationPolicy:   #NamespaceObject & ap.#AuthorizationPolicy
+#Certificate:           #NamespaceObject & crt.#Certificate
+#PostgresCluster:       #NamespaceObject & pg.#PostgresCluster
 
 #Gateway: #NamespaceObject & gw.#Gateway & {
 	metadata: namespace: string | *"istio-ingress"

pkg/version/embedded/patch

@@ -1 +1 @@
-4
+5