feat: implement API Key Auth security policy

[sanposhiho]

What type of PR is this?

What this PR does / why we need it:

implement API Key Auth security policy.

Which issue(s) this PR fixes:

Fixes #2630

Release Notes: Yes

[zhaohuabing]

Are there any use cases where an API key is authenticated but not allowed to access the targeted Route/Gateway?

[sanposhiho]

A use case I could come up is:

1. the gateway has API Key Auth configured globally. e.g., Credentials has admin: key1 and user: key2.
2. the route also has per-route API Key Auth, and you can define this route is only for admin with AllowedClients.

[zhaohuabing]

In such case, this route should only has admin: key1 credential attached. The HTTPRoute level SP can't use a "global" Credential at the Gateway. This is a design decision of EG that the more specific policy should override the higher level of policy, rather than merging with it.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: admin-route-sp
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: admin-route
  apiKeyAuth:
    credentials:
       name: secret-with-admin-key
    keySources: 
    ...

[sanposhiho]

I see, I missed that point.
But, I'm not sure if it's the best interface for users that have to prepare secret per access group. Also, the same key for each client would be spread across different secrets.

So, I still see the benefit of AllowedClients there; users can have only one secret as a source of keys and they can select which key(s) is enabled on certain routes with AllowedClients.
What do you think?

[zhaohuabing]

users can have only one secret as a source of keys and they can select which key(s) is enabled on certain routes with AllowedClients.

I think your argument kind of makes sense 🙂, but I’d prefer not to include the AllowedClients field in the API for the following reasons:

• Increased Complexity: Adding another field for users to configure complicates the API, making it less intuitive.
• Potential Security Risk: The shared secret may include API keys not authorized to access an HTTPRoute. This poses a security risk, as the owner of an HTTPRoute might inadvertently or intentionally add such keys to AllowedClients.

@envoyproxy/gateway-maintainers please weigh in.

[arkodg]

First of all, if a bad actor has an access to HTTPRoute or associated SecurityPolicy, they can just disable APIKeyAuth to allow access for unintended clients

1. according to EG's design, if the app dev service account can create a SecurityPolicy in the dev namespace where the HTTPRoute also lives, they should be able to override the auth, we are relying on users to set up kube RBAC based on their use case

2. my vote would be to make it look more like basicAuth https://gateway.envoyproxy.io/docs/api/extension_types/#basicauth
   with one field credentials / keyRefs that can hold a list of secrets

3. we need to specify what the secret key and value should look like

[sanposhiho]

Sorry, so what's your suggestion then, whether removing AllowedClients vs not?

[arkodg]

yeah my vote is to rm it, I'll bring this API up in the community meeting tomorrow, to hear more thoughts from the community

[arkodg]

@zhaohuabing and I discussed this in the community meeting today and we prefer if AllowedClients was removed from the initial API. In the future if we want to do API key based Authz, we could enhance then authorization API

gateway/api/v1alpha1/authorization_types.go

Line 55 in d23eab9

type Principal struct {

[sanposhiho]

E2e test passed on my local and opened the PR for the review.

[sanposhiho]

There's a bug that ValidateSecurityPolicy isn't called at all currently.
I sent another PR to patch that, #4987.

[arkodg]

I like OpenAPI's definiton which uses In
https://swagger.io/docs/specification/v3_0/authentication/api-keys/

in:
  type: Header
  name: "x-api-id"

another existing design pattern

the jwt field uses extractFrom https://gateway.envoyproxy.io/docs/api/extension_types/#jwtprovider

[sanposhiho]

Well, generally speaking, I do prefer the current form in this kind of case at API design, especially for better future extensibility; it allows us to add a different structure later, e.g., let's say envoy supports a new key source fetching key from body (which Kong already supports), it might be like:

type KeySource struct {
	Header *string 
	Query *string 
	Cookie *string

	Body *BodyKeySource
}

type BodyKeySource struct {
	BodyType string // yaml or json.
	Field string // where we get API Key from.
}

　

Also, extractFrom actually looks like very similar to KeySource here, are you suggesting renaming it from KeySources to ExtractFrom?

[arkodg]

yeah suggesting we pick a name thats already used in the API / or industry and also try and use a union discriminator i.e.

extractFrom:
  type: Header
  header: <val> 

e.g. https://gateway.envoyproxy.io/docs/api/extension_types/#ratelimitspec
https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1027-api-unions/README.md

[sanposhiho]

Renamed from keySources to extractFrom.

[arkodg]

prefer CredentialRefs []gwapiv1.SecretObjectReference we can start and only support a single entry in the list, but it helps us leave room for expansion

[arkodg]

needs a Type field - Header, QueryParams, Cookie

[arkodg]

prefer QueryParams here

• envoy calls it parameters in some places and queryParameters in some places,
• openAPI calls it query
  https://swagger.io/docs/specification/v3_0/describing-parameters/#query-parameters
• gateway api uses queryParams https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.HTTPRouteMatch

[arkodg]

we should highlight the format of the Secret here , its a map of key - value pairs, is the map key the API Key and the map value the Client ID or vice versa