|
| 1 | +--- |
| 2 | +description: Protect a service with Authorino by generating and applying an AuthConfig CR |
| 3 | +--- |
| 4 | + |
| 5 | +You are an expert at working with Authorino, a Kubernetes-native authorization service. Your task is to protect a service by creating and applying an AuthConfig custom resource with the specified authentication and authorization rules. |
| 6 | + |
| 7 | +## Task Overview |
| 8 | + |
| 9 | +1. **Check Kubernetes cluster**: Verify that a Kubernetes cluster is accessible via `kubectl` |
| 10 | +2. **Check Authorino installation**: Determine if Authorino is installed and running in the cluster |
| 11 | +3. **Install Authorino if needed**: If not installed, use the Makefile targets to install and deploy Authorino from a local build |
| 12 | +4. **Parse the arguments**: Extract the hostname, authentication rules, and authorization rules from the user's input |
| 13 | +5. **Generate AuthConfig CR**: Create a valid AuthConfig YAML manifest based on the parsed arguments |
| 14 | +6. **Apply to cluster**: Use `kubectl apply` to deploy the AuthConfig to the cluster |
| 15 | + |
| 16 | +## Input Format |
| 17 | + |
| 18 | +The user will provide arguments in this format: |
| 19 | +``` |
| 20 | +/protect-with-authorino <hostname> "<authentication-rules>" "<authorization-rules>" |
| 21 | +``` |
| 22 | + |
| 23 | +**Example:** |
| 24 | +``` |
| 25 | +/protect-with-authorino talker-api.127.0.0.1.nip.io "oidc authentication (issuer url: http://keycloak.keycloak.svc.cluster.local/realms/my-realm)" "'aud' jwt claim must be equal to 'talker-api'" |
| 26 | +``` |
| 27 | + |
| 28 | +## Authentication Rules Parsing |
| 29 | + |
| 30 | +Parse natural language authentication descriptions and map them to AuthConfig authentication specs: |
| 31 | + |
| 32 | +- **"oidc authentication"** or **"jwt authentication"** with **"issuer url: <url>"** → Use `jwt.issuerUrl` |
| 33 | +- **"api key"** with selector/labels → Use `apiKey.selector` |
| 34 | +- **"kubernetes token review"** → Use `kubernetesTokenReview` |
| 35 | +- **"oauth2 token introspection"** with endpoint → Use `oauth2Introspection` |
| 36 | +- **"anonymous access"** → Use `anonymous: {}` |
| 37 | + |
| 38 | +## Authorization Rules Parsing |
| 39 | + |
| 40 | +Parse natural language authorization descriptions and map them to AuthConfig authorization specs: |
| 41 | + |
| 42 | +- **"jwt claim"** checks (e.g., "'aud' must be equal to 'value'") → Use `patternMatching` with CEL predicates like `auth.identity.aud == 'value'` |
| 43 | +- **"opa policy"** → Use `opa.rego` with the provided Rego code |
| 44 | +- **"kubernetes rbac"** → Use `kubernetesSubjectAccessReview` |
| 45 | +- **"pattern matching"** → Use `patternMatching.patterns` with predicates |
| 46 | +- **"all requests allowed"** or no authorization rules → Omit authorization section |
| 47 | + |
| 48 | +## AuthConfig Structure Reference |
| 49 | + |
| 50 | +Use the v1beta3 API version. Structure: |
| 51 | + |
| 52 | +```yaml |
| 53 | +apiVersion: authorino.kuadrant.io/v1beta3 |
| 54 | +kind: AuthConfig |
| 55 | +metadata: |
| 56 | + name: <generated-name> |
| 57 | + namespace: <target-namespace> |
| 58 | +spec: |
| 59 | + hosts: |
| 60 | + - <hostname> |
| 61 | + |
| 62 | + authentication: |
| 63 | + <auth-name>: |
| 64 | + jwt: |
| 65 | + issuerUrl: <url> |
| 66 | + # OR apiKey, kubernetesTokenReview, oauth2Introspection, etc. |
| 67 | + |
| 68 | + authorization: # Optional |
| 69 | + <authz-name>: |
| 70 | + patternMatching: |
| 71 | + patterns: |
| 72 | + - predicate: <cel-expression> |
| 73 | + # OR opa, kubernetesSubjectAccessReview, etc. |
| 74 | +``` |
| 75 | + |
| 76 | +## Implementation Steps |
| 77 | + |
| 78 | +### Step 1: Check Kubernetes Cluster |
| 79 | +```bash |
| 80 | +kubectl cluster-info |
| 81 | +``` |
| 82 | +- If this fails, inform the user that no Kubernetes cluster is accessible |
| 83 | + |
| 84 | +### Step 2: Check Authorino Installation |
| 85 | +```bash |
| 86 | +kubectl get authorino/authorino -n authorino -A 2>/dev/null |
| 87 | +``` |
| 88 | +- If Authorino deployment exists and is running, proceed to Step 4 |
| 89 | +- If not found, proceed to Step 3 |
| 90 | + |
| 91 | +### Step 3: Install Authorino (if needed) |
| 92 | +Use the Makefile targets from the repository: |
| 93 | +```bash |
| 94 | +make install-operator install local-build namespace deploy NAMESPACE=authorino FF=1 |
| 95 | +``` |
| 96 | +This will: |
| 97 | +- Install the Authorino Operator to the current Kubernetes context |
| 98 | +- Build and load the Authorino image |
| 99 | +- Install the Authorino operator |
| 100 | +- Deploy Authorino instance |
| 101 | +- Deploy test apps (including Keycloak if needed) |
| 102 | + |
| 103 | +Wait for installation to complete before proceeding. |
| 104 | + |
| 105 | +### Step 4: Parse Arguments |
| 106 | + |
| 107 | +Extract from the user's input: |
| 108 | +- **Hostname**: First positional argument |
| 109 | +- **Authentication rules**: Second argument (quoted string) |
| 110 | +- **Authorization rules**: Third argument (quoted string, optional) |
| 111 | + |
| 112 | +### Step 5: Generate AuthConfig YAML |
| 113 | + |
| 114 | +Create a valid AuthConfig manifest: |
| 115 | +- **metadata.name**: Generate from hostname (e.g., `talker-api` from `talker-api.127.0.0.1.nip.io`) |
| 116 | +- **metadata.namespace**: Use `authorino` or the namespace where Authorino is installed |
| 117 | +- **spec.hosts**: Array with the provided hostname |
| 118 | +- **spec.authentication**: Map parsed authentication rules to appropriate authentication specs |
| 119 | +- **spec.authorization**: Map parsed authorization rules to appropriate authorization specs (if provided) |
| 120 | + |
| 121 | +### Step 6: Apply AuthConfig |
| 122 | + |
| 123 | +```bash |
| 124 | +kubectl apply -f <authconfig-file>.yaml |
| 125 | +``` |
| 126 | + |
| 127 | +Verify the AuthConfig was created: |
| 128 | +```bash |
| 129 | +kubectl get authconfig -n authorino |
| 130 | +``` |
| 131 | + |
| 132 | +Check the AuthConfig status: |
| 133 | +```bash |
| 134 | +kubectl get authconfig <name> -n authorino -o yaml |
| 135 | +``` |
| 136 | + |
| 137 | +## Important Notes |
| 138 | + |
| 139 | +- **Only use `bash` and `kubectl` tools** - do not use other tools unless absolutely necessary |
| 140 | +- **Always include `FF=1`** for all make target executions that include the `deploy` target, such as `make local-setup`, otherwise Claude CLI will hang waiting for an impossible user input |
| 141 | +- **Generate descriptive names** for authentication and authorization rules (e.g., `oidc-keycloak`, `check-aud-claim`) |
| 142 | +- **Use CEL expressions** for pattern matching predicates (e.g., `auth.identity.aud == 'talker-api'`) |
| 143 | +- **Handle errors gracefully** - if cluster setup fails, provide clear error messages |
| 144 | +- **Validate the AuthConfig** - ensure it's in Ready state before finishing |
| 145 | +- **Provide next steps** - tell the user how to test the protected service |
| 146 | + |
| 147 | +## Example Output |
| 148 | + |
| 149 | +After successful execution, provide: |
| 150 | +1. Confirmation that Authorino is installed and running |
| 151 | +2. The generated AuthConfig YAML (show it to the user) |
| 152 | +3. Confirmation that the AuthConfig was applied successfully |
| 153 | +4. Status of the AuthConfig (Ready/NotReady) |
| 154 | +5. Instructions on how to test (e.g., port-forward commands, curl examples) |
| 155 | + |
| 156 | +## Error Handling |
| 157 | + |
| 158 | +- **No cluster**: Prompt user to ensure `kubectl` is configured or offer to create a local Kind cluster |
| 159 | +- **Authorino installation fails**: Show error logs and suggest manual troubleshooting |
| 160 | +- **Invalid AuthConfig**: Show validation errors from Kubernetes API |
| 161 | +- **AuthConfig not ready**: Show the status conditions and suggest fixes |
| 162 | + |
| 163 | +Remember: Be intelligent about parsing natural language - use context clues and common patterns. If the user's input is ambiguous, make reasonable assumptions and document them in the generated AuthConfig. |
0 commit comments