feat: readme and example

Author: airycanon

.dockerignore

@@ -0,0 +1,2 @@
+/.idea
+/target

README.md

@@ -9,27 +9,202 @@ Auth-Bridge is an open-source project that provides proxy capabilities for Kuber
 - Policy-based automatic credential injection
 - Flexible proxy configuration based on [Open Policy Agent](https://www.openpolicyagent.org).
 
+## Prepare
+Before installing Auth-Bridge, ensure you have the following prerequisites:
+
+### A Kubernetes cluster
+You can use [kind](https://kind.sigs.k8s.io) for local development.   
+Alternatively [OrbStack](https://orbstack.dev) provides a lightweight Kubernetes environment.
+
+
+### Install cert-manager
+```shell
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
+```
+
+### Install skaffold
+```bash
+curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64 && \
+sudo install skaffold /usr/local/bin/
+```
+
 ## Installation
 
 ```bash
-# Installation instructions to be added
+skaffold deploy
 ```
 
 ## Configuration
 
-Auth-Bridge is configured using a YAML file. Here's a basic configuration example:
+Auth-Bridge is configured by ProxyPolicy CRD. Here's a basic configuration example:
 
 ```yaml
-# Configuration example to be added
+apiVersion: auth-bridge.dev/v1alpha1
+kind: ProxyPolicy
+metadata:
+  name: basic-auth
+  namespace: default
+spec:
+  auth:
+    method: basicAuth
+    secret:
+      reference:
+        name: basic-auth
+        namespace: <secret namespace>
+  rules:
+    - name: basic-rule
+      validate: | 
+        package proxy
+        
+        default allow = true
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth
+  namespace: default
+type: Opaque
+stringData:
+  username: username
+  password: password
 ```
 
+## Configuration
+
+Auth-Bridge is configured by ProxyPolicy and Secret. Ensure that your ProxyPolicy and associated Secret are correctly configured based on your chosen authentication method and validation rules.
+
+Here's a basic configuration example:
+
+```yaml
+apiVersion: auth-bridge.dev/v1alpha1
+kind: ProxyPolicy
+metadata:
+  name: basic-auth
+  namespace: default
+spec:
+  auth:
+    method: basicAuth
+    secret:
+      reference:
+        name: basic-auth
+        namespace: <secret namespace>
+  rules:
+    - name: basic-rule
+      validate: | 
+        package proxy
+        
+        default allow = true
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth
+  namespace: default
+type: Opaque
+stringData:
+  username: username
+  password: password
+```
+
+### Field Definition
+
+* `auth.method`
+   This field specifies the authentication method to be used. It can be set to either:
+    - `basicAuth`: For basic authentication using a username and password.
+    - `bearerToken`: For authentication using a bearer token.
+
+* `auth.secret.reference`
+   This field refers to the Kubernetes Secret containing the authentication credentials.
+    - For `basicAuth`, the referenced Secret data must contain `username` and `password`
+    - For `bearerToken`, the referenced Secret data must contain `token`
+
+* `rules.validate`:
+   This field contains the Open Policy Agent (OPA) validation rule. The OPA script must include a boolean variable 
+   named `allow`, which determines whether the secret should be injected during proxying based on this rule. For example:
+
+     ```
+     package proxy
+
+     default allow = false
+
+     allow {
+       input.uri == "example.com"
+     }
+     ```
+  
+### Advanced
+The OPA script also has access to an input object that contains information about the target request and the pod.
+You can use input.<field> in your OPA script to make decisions. The available fields include:
+
+- input.uri: The URI of the target request
+- input.query: The query parameters of the target request
+- input.body: The body of the target request
+- input.meta: Metadata of the pod making the request
+
+In this example, the secret will only be injected if the request host is "example.com".
+
+      ```
+      package proxy
+        
+      default allow = false
+        
+      allow {
+        contains(input.uri, "example.com")
+        input.meta.namespace == "allowed-namespace"
+        input.query.action == "read"
+      }
+     ```
+
 ## Usage
+Using Auth-Bridge involves several key steps:
 
-1. Deploy Auth-Bridge in your Kubernetes cluster
-2. Configure your proxy policies and credentials
-3. Set the appropriate environment variables or annotations in the Pods that require proxy access
+### Configure ProxyPolicy
+Create a ProxyPolicy resource to define your proxy rules:
+```yaml
+apiVersion: auth-bridge.dev/v1alpha1
+kind: ProxyPolicy
+metadata:
+  name: proxy-policy
+spec:
+  auth:
+    method: basicAuth
+    secret:
+      reference:
+        name: <secret name>
+        namespace: <secret namespace>
+  rules:
+    - name: <rule name>
+      validate: <rule opa>
+```
+
+### Create Secret
+
+Create a Secret with correct credentials based on your policy auth method: 
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: credentials
+  namespace: default
+type: Opaque
+stringData:
+  username: <username>
+  password: <password>
+```
+
+### Set proxy
+To enable the Auth-Bridge proxy, set the following environment variables for your application:
+```shell
+HTTP_PROXY=http://auth-bridge-proxy.auth-bridge:80
+HTTPS_PROXY=http://auth-bridge-proxy.auth-bridge:80
+http_proxy=http://auth-bridge-proxy.auth-bridge:80
+https_proxy=http://auth-bridge-proxy.auth-bridge:80
+```
+the proxy host `auth-bridge-proxy.auth-bridge` here follows the Kubernetes service naming convention:`<service-name>.<namespace>`
 
-For detailed usage instructions, please refer to our [documentation](#) (link to be added).
+For a more detailed demonstration of how these steps come together, please refer to the [examples](tree/@/examples
+).
 
 ## Contributing
 

config/deploy/daemonset.yaml

@@ -15,7 +15,7 @@ spec:
         control-plane: auth-bridge
     spec:
       containers:
-        - image: auth-bridge:v1
+        - image: auth-bridge:latest
           name: proxy
           command:
             - auth-bridge

examples/basic-auth/nginx.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-config
+  namespace: auth-bridge-example
+data:
+  nginx.conf: |
+    events {
+      worker_connections 1024;
+    }
+    http {
+      server {
+        listen 80;
+        server_name localhost;
+
+        location /auth {
+            auth_basic "Restricted Area";
+            auth_basic_user_file /etc/nginx/.htpasswd;
+            root /usr/share/nginx/html;
+            try_files /auth.html =404;
+        }
+
+        location /no-auth {
+            auth_basic off;
+            root /usr/share/nginx/html;
+            try_files /no-auth.html =404;
+        }
+      }
+    }
+  no-auth.html: |
+    Hello from no-auth path
+  auth.html: |
+    Hello from auth path
+  .htpasswd: |
+    auth-user:$1$FDNvyIWe$pMX38FS311281uVenqcyi0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx
+  name: nginx
+  namespace: auth-bridge-example
+spec:
+  containers:
+    - name: nginx
+      image: nginx:alpine
+      ports:
+        - containerPort: 80
+      volumeMounts:
+        - name: nginx-config
+          mountPath: /etc/nginx/nginx.conf
+          subPath: nginx.conf
+        - name: nginx-config
+          mountPath: /etc/nginx/.htpasswd
+          subPath: .htpasswd
+        - name: nginx-config
+          mountPath: /usr/share/nginx/html/auth.html
+          subPath: auth.html
+        - name: nginx-config
+          mountPath: /usr/share/nginx/html/no-auth.html
+          subPath: no-auth.html
+  volumes:
+    - name: nginx-config
+      configMap:
+        name: nginx-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-service
+  namespace: auth-bridge-example
+spec:
+  selector:
+    app: nginx

examples/basic-auth/policy.yaml

@@ -0,0 +1,35 @@
+apiVersion: auth-bridge.dev/v1alpha1
+kind: ProxyPolicy
+metadata:
+  name: basic-auth
+spec:
+  auth:
+    method: basicAuth
+    secret:
+      reference:
+        name: basic-auth
+        namespace: auth-bridge-example
+  rules:
+    - name: host-match
+      validate: |
+        package proxy
+        
+        default host = "nginx-service.auth-bridge-example"
+        default allowed = false
+        
+        allowed {
+          contains(input.uri, host)
+        }
+        
+        message := "policy does not contain host" {
+          contains(input.uri, host)
+        }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth
+  namespace: auth-bridge-example
+stringData:
+  username: auth-user
+  password: auth-password

skaffold.yaml

@@ -10,4 +10,4 @@ build:
   artifacts:
     - image: auth-bridge
       docker:
-        dockerfile: Dockerfile
+        dockerfile: Dockerfile

src/handlers/multi.rs

@@ -17,14 +17,21 @@ impl MultiHandler {
 }
 
 impl HttpHandler for MultiHandler {
-    async fn handle_request(&mut self, ctx: &HttpContext, mut req: Request<Body>) -> RequestOrResponse {
+    async fn handle_request(&mut self, ctx: &HttpContext, req: Request<Body>) -> RequestOrResponse {
+        let mut result = RequestOrResponse::Request(req);
+
         for handler in &self.handlers {
-            match handler.handle_request(ctx, req).await {
-                RequestOrResponse::Request(new_req) => req = new_req,
-                response => return response,
+            match result {
+                RequestOrResponse::Request(req) => {
+                    result = handler.handle_request(ctx, req).await;
+                },
+                RequestOrResponse::Response(_) => {
+                    break;
+                }
             }
         }
-        RequestOrResponse::Request(req)
+
+        result
     }
 }
 #[derive(Clone)]