docs: instructions for Kuadrant users and enhancements

Kuadrant · Oct 25, 2023 · 010e1ec · 010e1ec
1 parent e1d433a
commit 010e1ec
Show file tree

Hide file tree

Showing 34 changed files with 2,056 additions and 933 deletions.
diff --git a/docs/user-guides/anonymous-access.md b/docs/user-guides/anonymous-access.md
@@ -4,7 +4,7 @@ Bypass identity verification or fall back to anonymous access when credentials f
 
 <details>
   <summary>
-    <strong>Authorino features in this guide:</strong>
+    <strong>Authorino capabilities featured in this guide:</strong>
     <ul>
       <li>Identity verification & authentication → <a href="./../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
     </ul>
@@ -17,29 +17,48 @@ Bypass identity verification or fall back to anonymous access when credentials f
 
 ## Requirements
 
-- Kubernetes server
+- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
 
-Create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io):
+If you do not own a Kubernetes server already and just want to try out the steps in this guide, you can create a local containerized cluster by executing the command below. In this case, the main requirement is having [Kind](https://kind.sigs.k8s.io) installed, with either [Docker](https://www.docker.com/) or [Podman](https://podman.io/).
 
 ```sh
 kind create cluster --name authorino-tutorial
 ```
 
-## 1. Install the Authorino Operator
+<br/>
 
-```sh
-curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/utils/install.sh | bash -s
-```
+The next steps walk you through installing Authorino, deploying and configuring a sample service called **Talker API** to be protected by the authorization service.
+
+<table>
+  <thead>
+    <tr>
+      <th>Using Kuadrant</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>
+        <p>If you are a user of <a href="https://kuadrant.io">Kuadrant</a> and already have your workload cluster configured and sample service application deployed, as well as your Gateway API network resources applied to route traffic to your service, skip straight to step ❺.</p>
+        <p>At step ❺, instead of creating an <code>AuthConfig</code> custom resource, create a Kuadrant <a href="https://docs.kuadrant.io/kuadrant-operator/doc/reference/authpolicy"><code>AuthPolicy</code></a> one. The schema of the AuthConfig's <code>spec</code> matches the one of the AuthPolicy's, except <code>spec.host</code>, which is not available in the Kuadrant AuthPolicy. Host names in a Kuadrant AuthPolicy are inferred automatically from the Kubernetes network object referred in <code>spec.targetRef</code> and route selectors declared in the policy.</p>
+        <p>For more about using Kuadrant to enforce authorization, check out <a href="https://docs.kuadrant.io/kuadrant-operator/doc/auth">Kuadrant auth</a>.</p>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<br/>
 
-## 2. Deploy the Talker API
+## ❶ Install the Authorino Operator (cluster admin required)
 
-The **Talker API** is just an echo API, included in the Authorino examples. We will use it in this guide as the service to be protected with Authorino.
+The following command will install the [Authorino Operator](http://github.com/kuadrant/authorino-operator) in the Kubernetes cluster. The operator manages instances of the Authorino authorization service.
 
 ```sh
-kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
+curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/utils/install.sh | bash -s
 ```
 
-## 3. Deploy Authorino
+## ❷ Deploy Authorino
+
+The following command will request an instance of Authorino as a separate service[^1] that watches for `AuthConfig` resources in the `default` namespace[^2], with TLS disabled[^3].
 
 ```sh
 kubectl apply -f -<<EOF
@@ -57,25 +76,49 @@ spec:
 EOF
 ```
 
-The command above will deploy Authorino as a separate service (as opposed to a sidecar of the protected API and other architectures), in `namespaced` reconciliation mode, and with TLS termination disabled. For other variants and deployment options, check out the [Getting Started](./../getting-started.md#step-request-an-authorino-instance) section of the docs, the [Architecture](./../architecture.md#topologies) page, and the spec for the [`Authorino`](https://github.com/Kuadrant/authorino-operator/blob/main/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml) CRD in the Authorino Operator repo.
+[^1]: In contrast to a dedicated sidecar of the protected service and other architectures. Check out __Architecture > [Topologies](../architecture.md#topologies)__ for all options.
+[^2]: `namespaced` reconciliation mode. See [Cluster-wide vs. Namespaced instances](../architecture.md#cluster-wide-vs-namespaced-instances).
+[^3]: For other variants and deployment options, check out [Getting Started](../getting-started.md#step-request-an-authorino-instance), as well as the [`Authorino`](https://github.com/kuadrant/authorino-operator#the-authorino-custom-resource-definition-crd) CRD specification.
 
-## 4. Setup Envoy
+## ❸ Deploy the Talker API
 
-The following bundle from the Authorino examples (manifest referred in the command below) is to apply Envoy configuration and deploy Envoy proxy, that wire up the Talker API behind the reverse-proxy and external authorization with the Authorino instance.
+The **Talker API** is a simple HTTP service that echoes back in the response whatever it gets in the request. We will use it in this guide as the sample service to be protected by Authorino.
 
-For details and instructions to setup Envoy manually, see _Protect a service > Setup Envoy_ in the [Getting Started](./../getting-started.md#step-setup-envoy) page. For a simpler and straightforward way to manage an API, without having to manually install or configure Envoy and Authorino, check out [Kuadrant](https://github.com/kuadrant).
+```sh
+kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
+```
+
+## ❹ Setup Envoy
+
+The following bundle from the Authorino examples deploys the [Envoy](https://envoyproxy.io/) proxy and configuration to wire up the Talker API behind the reverse-proxy, with external authorization enabled with the Authorino instance.[^4]
+
+[^4]: For details and instructions to setup Envoy manually, see _Protect a service > Setup Envoy_ in the [Getting Started](../getting-started.md#step-setup-envoy) page. If you are running your ingress gateway in Kubernetes and wants to avoid setting up and configuring your proxy manually, check out [Kuadrant](https://kuadrant.io).
 
 ```sh
 kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/envoy/envoy-notls-deploy.yaml
 ```
 
-The bundle also creates an `Ingress` with host name `talker-api-authorino.127.0.0.1.nip.io`, but if you are using a local Kubernetes cluster created with Kind, you need to forward requests on port 8000 to inside the cluster in order to actually reach the Envoy service:
+The command above creates an `Ingress` with host name `talker-api.127.0.0.1.nip.io`. If you are using a local Kubernetes cluster created with Kind, forward requests from your local port 8000 to the Envoy service running inside the cluster:
 
 ```sh
-kubectl port-forward deployment/envoy 8000:8000 &
+kubectl port-forward deployment/envoy 8000:8000 2>&1 >/dev/null &
 ```
 
-## 5. Create the `AuthConfig`
+## ❺ Create an `AuthConfig`
+
+Create an Authorino `AuthConfig` custom resource declaring the auth rules to be enforced:
+
+<table>
+  <tbody>
+    <tr>
+      <td>
+        <b><i>Kuadrant users –</i></b>
+        Remember to create an <a href="https://docs.kuadrant.io/kuadrant-operator/doc/reference/authpolicy"><code>AuthPolicy</code></a> instead of an AuthConfig.
+        For more, see <a href="https://docs.kuadrant.io/kuadrant-operator/doc/auth">Kuadrant auth</a>.
+      </td>
+    </tr>
+  </tbody>
+</table>
 
 ```sh
 kubectl apply -f -<<EOF
@@ -85,7 +128,7 @@ metadata:
   name: talker-api-protection
 spec:
   hosts:
-  - talker-api-authorino.127.0.0.1.nip.io
+  - talker-api.127.0.0.1.nip.io
   authentication:
     "public":
       anonymous: {}
@@ -98,10 +141,10 @@ For more sophisticated use cases of anonymous access with Authorino, consider co
 
 Check out the docs for the [Anonymous access](./../features.md#anonymous-access-authenticationanonymous) feature for an example of an `AuthConfig` that falls back to anonymous access when a priority OIDC/JWT-based authentication fails, and enforces a read-only policy in such cases.
 
-## 6. Consume the API
+## ❻ Consume the API
 
 ```sh
-curl http://talker-api-authorino.127.0.0.1.nip.io:8000/hello
+curl http://talker-api.127.0.0.1.nip.io:8000/hello
 # HTTP/1.1 200 OK
 ```
 
@@ -117,9 +160,9 @@ Otherwise, delete the resources created in each step:
 
 ```sh
 kubectl delete authconfig/talker-api-protection
-kubectl delete authorino/authorino
 kubectl delete -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/envoy/envoy-notls-deploy.yaml
 kubectl delete -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
+kubectl delete authorino/authorino
 ```
 
 To uninstall the Authorino Operator and manifests (CRDs, RBAC, etc), run:

diff --git a/docs/user-guides/api-key-authentication.md b/docs/user-guides/api-key-authentication.md
@@ -4,46 +4,65 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with y
 
 <details>
   <summary>
-    <strong>Authorino features in this guide:</strong>
+    <strong>Authorino capabilities featured in this guide:</strong>
     <ul>
-      <li>Identity verification & authentication → <a href="./../features.md#api-key-authenticationapikey">API key</a></li>
+      <li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
     </ul>
   </summary>
 
   In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`.
 
   API key `Secret`s must also include labels that match the `secretLabelSelector` field of the Authorino instance. See [Resource reconciliation and status update](../architecture.md#resource-reconciliation-and-status-update) for details.
 
-  For further details about Authorino features in general, check the [docs](./../features.md).
+  For further details about Authorino features in general, check the [docs](../features.md).
 </details>
 
 <br/>
 
 ## Requirements
 
-- Kubernetes server
+- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
 
-Create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io):
+If you do not own a Kubernetes server already and just want to try out the steps in this guide, you can create a local containerized cluster by executing the command below. In this case, the main requirement is having [Kind](https://kind.sigs.k8s.io) installed, with either [Docker](https://www.docker.com/) or [Podman](https://podman.io/).
 
 ```sh
 kind create cluster --name authorino-tutorial
 ```
 
-## 1. Install the Authorino Operator
+<br/>
 
-```sh
-curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/utils/install.sh | bash -s
-```
+The next steps walk you through installing Authorino, deploying and configuring a sample service called **Talker API** to be protected by the authorization service.
+
+<table>
+  <thead>
+    <tr>
+      <th>Using Kuadrant</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>
+        <p>If you are a user of <a href="https://kuadrant.io">Kuadrant</a> and already have your workload cluster configured and sample service application deployed, as well as your Gateway API network resources applied to route traffic to your service, skip straight to step ❺.</p>
+        <p>At step ❺, instead of creating an <code>AuthConfig</code> custom resource, create a Kuadrant <a href="https://docs.kuadrant.io/kuadrant-operator/doc/reference/authpolicy"><code>AuthPolicy</code></a> one. The schema of the AuthConfig's <code>spec</code> matches the one of the AuthPolicy's, except <code>spec.host</code>, which is not available in the Kuadrant AuthPolicy. Host names in a Kuadrant AuthPolicy are inferred automatically from the Kubernetes network object referred in <code>spec.targetRef</code> and route selectors declared in the policy.</p>
+        <p>For more about using Kuadrant to enforce authorization, check out <a href="https://docs.kuadrant.io/kuadrant-operator/doc/auth">Kuadrant auth</a>.</p>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<br/>
 
-## 2. Deploy the Talker API
+## ❶ Install the Authorino Operator (cluster admin required)
 
-The **Talker API** is just an echo API, included in the Authorino examples. We will use it in this guide as the service to be protected with Authorino.
+The following command will install the [Authorino Operator](http://github.com/kuadrant/authorino-operator) in the Kubernetes cluster. The operator manages instances of the Authorino authorization service.
 
 ```sh
-kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
+curl -sL https://raw.githubusercontent.com/Kuadrant/authorino-operator/main/utils/install.sh | bash -s
 ```
 
-## 3. Deploy Authorino
+## ❷ Deploy Authorino
+
+The following command will request an instance of Authorino as a separate service[^1] that watches for `AuthConfig` resources in the `default` namespace[^2], with TLS disabled[^3].
 
 ```sh
 kubectl apply -f -<<EOF
@@ -61,25 +80,49 @@ spec:
 EOF
 ```
 
-The command above will deploy Authorino as a separate service (as opposed to a sidecar of the protected API and other architectures), in `namespaced` reconciliation mode, and with TLS termination disabled. For other variants and deployment options, check out the [Getting Started](./../getting-started.md#step-request-an-authorino-instance) section of the docs, the [Architecture](./../architecture.md#topologies) page, and the spec for the [`Authorino`](https://github.com/Kuadrant/authorino-operator/blob/main/config/crd/bases/operator.authorino.kuadrant.io_authorinos.yaml) CRD in the Authorino Operator repo.
+[^1]: In contrast to a dedicated sidecar of the protected service and other architectures. Check out __Architecture > [Topologies](../architecture.md#topologies)__ for all options.
+[^2]: `namespaced` reconciliation mode. See [Cluster-wide vs. Namespaced instances](../architecture.md#cluster-wide-vs-namespaced-instances).
+[^3]: For other variants and deployment options, check out [Getting Started](../getting-started.md#step-request-an-authorino-instance), as well as the [`Authorino`](https://github.com/kuadrant/authorino-operator#the-authorino-custom-resource-definition-crd) CRD specification.
 
-## 4. Setup Envoy
+## ❸ Deploy the Talker API
 
-The following bundle from the Authorino examples (manifest referred in the command below) is to apply Envoy configuration and deploy Envoy proxy, that wire up the Talker API behind the reverse-proxy and external authorization with the Authorino instance.
+The **Talker API** is a simple HTTP service that echoes back in the response whatever it gets in the request. We will use it in this guide as the sample service to be protected by Authorino.
 
-For details and instructions to setup Envoy manually, see _Protect a service > Setup Envoy_ in the [Getting Started](./../getting-started.md#step-setup-envoy) page. For a simpler and straightforward way to manage an API, without having to manually install or configure Envoy and Authorino, check out [Kuadrant](https://github.com/kuadrant).
+```sh
+kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
+```
+
+## ❹ Setup Envoy
+
+The following bundle from the Authorino examples deploys the [Envoy](https://envoyproxy.io/) proxy and configuration to wire up the Talker API behind the reverse-proxy, with external authorization enabled with the Authorino instance.[^4]
+
+[^4]: For details and instructions to setup Envoy manually, see _Protect a service > Setup Envoy_ in the [Getting Started](../getting-started.md#step-setup-envoy) page. If you are running your ingress gateway in Kubernetes and wants to avoid setting up and configuring your proxy manually, check out [Kuadrant](https://kuadrant.io).
 
 ```sh
 kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/envoy/envoy-notls-deploy.yaml
 ```
 
-The bundle also creates an `Ingress` with host name `talker-api-authorino.127.0.0.1.nip.io`, but if you are using a local Kubernetes cluster created with Kind, you need to forward requests on port 8000 to inside the cluster in order to actually reach the Envoy service:
+The command above creates an `Ingress` with host name `talker-api.127.0.0.1.nip.io`. If you are using a local Kubernetes cluster created with Kind, forward requests from your local port 8000 to the Envoy service running inside the cluster:
 
 ```sh
-kubectl port-forward deployment/envoy 8000:8000 &
+kubectl port-forward deployment/envoy 8000:8000 2>&1 >/dev/null &
 ```
 
-## 5. Create the `AuthConfig`
+## ❺ Create an `AuthConfig`
+
+Create an Authorino `AuthConfig` custom resource declaring the auth rules to be enforced:
+
+<table>
+  <tbody>
+    <tr>
+      <td>
+        <b><i>Kuadrant users –</i></b>
+        Remember to create an <a href="https://docs.kuadrant.io/kuadrant-operator/doc/reference/authpolicy"><code>AuthPolicy</code></a> instead of an AuthConfig.
+        For more, see <a href="https://docs.kuadrant.io/kuadrant-operator/doc/auth">Kuadrant auth</a>.
+      </td>
+    </tr>
+  </tbody>
+</table>
 
 ```sh
 kubectl apply -f -<<EOF
@@ -89,7 +132,7 @@ metadata:
   name: talker-api-protection
 spec:
   hosts:
-  - talker-api-authorino.127.0.0.1.nip.io
+  - talker-api.127.0.0.1.nip.io
   authentication:
     "friends":
       apiKey:
@@ -102,7 +145,7 @@ spec:
 EOF
 ```
 
-## 6. Create an API key
+## ❻ Create an API key
 
 ```sh
 kubectl apply -f -<<EOF
@@ -119,25 +162,25 @@ type: Opaque
 EOF
 ```
 
-## 7. Consume the API
+## ❼ Consume the API
 
 With a valid API key:
 
 ```sh
-curl -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://talker-api-authorino.127.0.0.1.nip.io:8000/hello
+curl -H 'Authorization: APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx' http://talker-api.127.0.0.1.nip.io:8000/hello
 # HTTP/1.1 200 OK
 ```
 
 With missing or invalid API key:
 
 ```sh
-curl -H 'Authorization: APIKEY invalid' http://talker-api-authorino.127.0.0.1.nip.io:8000/hello -i
+curl -H 'Authorization: APIKEY invalid' http://talker-api.127.0.0.1.nip.io:8000/hello -i
 # HTTP/1.1 401 Unauthorized
 # www-authenticate: APIKEY realm="friends"
 # x-ext-auth-reason: the API Key provided is invalid
 ```
 
-## 8. Delete an API key (revoke access to the API)
+## ❽ Delete an API key (revoke access to the API)
 
 ```sh
 kubectl delete secret/api-key-1
@@ -155,9 +198,9 @@ Otherwise, delete the resources created in each step:
 
 ```sh
 kubectl delete authconfig/talker-api-protection
-kubectl delete authorino/authorino
 kubectl delete -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/envoy/envoy-notls-deploy.yaml
 kubectl delete -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/talker-api/talker-api-deploy.yaml
+kubectl delete authorino/authorino
 ```
 
 To uninstall the Authorino Operator and manifests (CRDs, RBAC, etc), run: