From f6ae2fdae7385c7b86d8e9f0192102c4e22c7403 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 11 Mar 2024 17:25:18 +0100 Subject: [PATCH 1/2] docs: improve demo readme MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- demo/istio/README.md | 158 +++++++++++++++++- demo/istio/bootstrap.sh | 2 - ...o-service.yaml => sample-application.yaml} | 0 3 files changed, 151 insertions(+), 9 deletions(-) rename demo/istio/manifests/{echo-service.yaml => sample-application.yaml} (100%) diff --git a/demo/istio/README.md b/demo/istio/README.md index b34bc43c..673cefcc 100644 --- a/demo/istio/README.md +++ b/demo/istio/README.md 
@@ -1,22 +1,167 @@ # Istio Demo -This Istio Demo is prototype of the kyverno envoy plugin . +This Istio Demo is prototype of the kyverno envoy plugin. ## Overview The goal of the demo to show user how kyverno-envoy-plugin will work with istio and how it can be used to enforce policies to the traffic between services. The Kyverno-envoy-plugin allows configuring these Envoy proxies to query Kyverno-json for policy decisions on incoming requests. -## Contains - -- A manifests folder with everything we need to run the demo . -- bootstrap.sh creates the cluster and installs istio . +## Demo instructions + +### Required tools + +1. [`kind`](https://kind.sigs.k8s.io/) +1. [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +1. [`helm`](https://helm.sh/docs/intro/install/) + +### Create a local cluster and install Istio + +The [bootstrap.sh](bootstrap.sh) script contains everything needed to create a local cluster and install Istio. + +```console +# create a local cluster and install istio +./bootstrap.sh +``` + +### Sample application + +Manifests for the sample application are available in [sample-application.yaml](manifests/sample-application.yaml). + +```console +# deploy sample application +kubectl apply -f ./manifests/sample-application.yaml +``` + +### Calling the sample application + +We are going to call the sample application using a pod in the cluster. 
+ +```console +kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/foo + +{ + "path": "/foo", + "headers": { + "host": "echo.demo.svc.cluster.local:8080", + "user-agent": "Wget", + "x-forwarded-proto": "http", + "x-request-id": "1badcd84-75eb-4911-9835-b3588e3c5eee", + "x-b3-traceid": "904f847c3db71758fa4076e48440800a", + "x-b3-spanid": "fa4076e48440800a", + "x-b3-sampled": "0" + }, + "method": "GET", + "body": "", + "fresh": false, + "hostname": "echo.demo.svc.cluster.local", + "ip": "::ffff:127.0.0.6", + "ips": [], + "protocol": "http", + "query": {}, + "subdomains": [ + "svc", + "demo", + "echo" + ], + "xhr": false, + "os": { + "hostname": "echo-6847f9f85-wbgbx" + }, + "connection": {} +} +``` + +### Authorization policy + +Now we can deploy an istio `AuthorizationPolicy`: + +```console +# deploy authorisation policy +kubectl apply -f - < Date: Mon, 11 Mar 2024 21:53:42 +0100 Subject: [PATCH 2/2] chore: nits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- demo/istio/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/demo/istio/README.md b/demo/istio/README.md index 673cefcc..774a8e98 100644 --- a/demo/istio/README.md +++ b/demo/istio/README.md @@ -37,7 +37,7 @@ kubectl apply -f ./manifests/sample-application.yaml We are going to call the sample application using a pod in the cluster. ```console -kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/foo +kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/foo { "path": "/foo", 
@@ -103,14 +103,14 @@ The provider will be registered later in the istio config map. Calling the sample application again at the `/foo` path will return `403 Forbidden`. ```console -kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/foo +kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/foo wget: server returned error: HTTP/1.1 403 Forbidden ``` Note that calling another path (like `/bar`) succeeds as it's not part of the policy. ```console -kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/bar +kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - echo.demo.svc.cluster.local:8080/bar { "path": "/bar",
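Review bot: In the first README hunk of PATCH 1/2 (`@@ -1,22 +1,167 @@`), the reworded opening line still drops the article: `+This Istio Demo is prototype of the kyverno envoy plugin.` should read "This Istio demo is a prototype of the kyverno-envoy-plugin." The unchanged Overview sentence below it has the same kind of slip ("The goal of the demo to show user how" needs "is" and "users") and could be fixed in the same pass. In the "Calling the sample application" block, the `kubectl run` command and its JSON response share one `console` fence with nothing marking where the command ends and output begins; a `$` prompt on the command line, or a comment such as `# response:` before the JSON, would make the block copy-paste safe. It would also be worth one sentence noting that the `x-request-id`, `x-b3-traceid` and `x-forwarded-proto` headers visible in the echoed response are added by the Envoy sidecar, since that is the reader's confirmation that the pod is actually in the mesh before the authorization policy step.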
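Review bot: In the `@@ -37,7 +37,7 @@` hunk of PATCH 2/2, the removed and added `kubectl run test ... echo.demo.svc.cluster.local:8080/foo` lines are identical as rendered here, so the change is presumably whitespace only (trailing space or a doubled space); a commit message more specific than "chore: nits" (for example "docs: strip trailing whitespace in demo readme") would let reviewers confirm the intent without diffing bytes.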
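Review bot: In the `@@ -103,14 +103,14 @@` hunk of PATCH 2/2, the two replaced `kubectl run` lines are again visually identical (same whitespace-only fix as the earlier hunk), which is fine, but the surrounding context sentence "Note that calling another path (like `/bar`) succeeds as it's not part of the policy." deserves a slightly stronger statement: requests that do not match the policy's rules are never sent to the external provider at all, so the `403` on `/foo` depends entirely on the path selector in the `AuthorizationPolicy`, and readers should scope those rules deliberately rather than assume the plugin sees every request.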