feat: convert IR APIKeyAuth Credentials Map into a Slice of Struct (#7584)

* feat: convert IR APIKeyAuth Credentials Map into a Slice of Struct

Signed-off-by: Lalet Scaria <[email protected]>

* refactor: rename Credential to APIKeyCredential for clarity

Signed-off-by: Lalet Scaria <[email protected]>

Author: lalet

internal/gatewayapi/securitypolicy.go

@@ -1672,8 +1672,10 @@ func (t *Translator) buildAPIKeyAuth(
 		namespace: policy.Namespace,
 	}
 
-	credentials := make(map[string]ir.PrivateBytes)
+	expected := len(policy.Spec.APIKeyAuth.CredentialRefs)
+	apiKeyCredentials := make([]ir.APIKeyCredential, 0, expected)
 	seenKeys := make(sets.Set[string])
+	seenClients := make(sets.Set[string])
 
 	for _, ref := range policy.Spec.APIKeyAuth.CredentialRefs {
 		credentialsSecret, err := t.validateSecretRef(
@@ -1682,7 +1684,7 @@ func (t *Translator) buildAPIKeyAuth(
 			return nil, err
 		}
 		for clientid, key := range credentialsSecret.Data {
-			if _, ok := credentials[clientid]; ok {
+			if seenClients.Has(clientid) {
 				continue
 			}
 
@@ -1692,7 +1694,11 @@ func (t *Translator) buildAPIKeyAuth(
 			}
 
 			seenKeys.Insert(keyString)
-			credentials[clientid] = key
+			seenClients.Insert(clientid)
+			apiKeyCredentials = append(apiKeyCredentials, ir.APIKeyCredential{
+				Client: []byte(clientid),
+				Key:    key,
+			})
 		}
 	}
 
@@ -1706,7 +1712,7 @@ func (t *Translator) buildAPIKeyAuth(
 	}
 
 	return &ir.APIKeyAuth{
-		Credentials:           credentials,
+		Credentials:           apiKeyCredentials,
 		ExtractFrom:           extractFrom,
 		ForwardClientIDHeader: policy.Spec.APIKeyAuth.ForwardClientIDHeader,
 		Sanitize:              policy.Spec.APIKeyAuth.Sanitize,

internal/ir/xds.go

@@ -1232,13 +1232,23 @@ type BasicAuth struct {
 	ForwardUsernameHeader *string `json:"forwardUsernameHeader,omitempty" yaml:"forwardUsernameHeader,omitempty"`
 }
 
+// APIKeyCredential defines a single API key credential.
+//
+// +k8s:deepcopy-gen=true
+type APIKeyCredential struct {
+	// Client is the client ID.
+	Client PrivateBytes `json:"client" yaml:"client"`
+	// Key is the API key associated with the client.
+	Key PrivateBytes `json:"key" yaml:"key"`
+}
+
 // APIKeyAuth defines the schema for the API Key Authentication.
 //
 // +k8s:deepcopy-gen=true
 type APIKeyAuth struct {
-	// The API key to be used for authentication.
-	// Key is the client id and the value is the API key to be used for authentication.
-	Credentials map[string]PrivateBytes `json:"credentials,omitempty" yaml:"credentials,omitempty"`
+	// Credentials is the list of API key credentials.
+	// Each credential contains a client ID and the associated API key.
+	Credentials []APIKeyCredential `json:"credentials,omitempty" yaml:"credentials,omitempty"`
 
 	// ExtractFrom is where to fetch the key from the coming request.
 	// The value from the first source that has a key will be used.

internal/ir/xds_test.go

@@ -1410,7 +1410,7 @@ func TestRedaction(t *testing.T) {
 								HMACSecret:   []byte("secret"),
 							},
 							APIKeyAuth: &APIKeyAuth{
-								Credentials: map[string]PrivateBytes{"client-id": []byte("secret")},
+								Credentials: []APIKeyCredential{{Client: []byte("client-id"), Key: []byte("secret")}},
 							},
 							BasicAuth: &BasicAuth{
 								Users: []byte("secret"),
@@ -1427,7 +1427,7 @@ func TestRedaction(t *testing.T) {
 				`"routes":[{` +
 				`"name":"","hostname":"","isHTTP2":false,"security":{` +
 				`"oidc":{"name":"","provider":{"authorizationEndpoint":"","tokenEndpoint":""},"clientID":"","clientSecret":"[redacted]","hmacSecret":"[redacted]"},` +
-				`"apiKeyAuth":{"credentials":{"client-id":"[redacted]"},"extractFrom":null},` +
+				`"apiKeyAuth":{"credentials":[{"client":"[redacted]","key":"[redacted]"}],"extractFrom":null},` +
 				`"basicAuth":{"name":"","users":"[redacted]"}` +
 				`}}],` +
 				`"isHTTP2":false,"path":{"mergeSlashes":false,"escapedSlashesAction":""}}],` +

internal/ir/zz_generated.deepcopy.go

@@ -128,10 +128,10 @@ func buildAPIKeyAuthFilterConfig(apiKeyAuth *ir.APIKeyAuth) *apikeyauthv3.ApiKey
 	apiKeyAuthProto := &apikeyauthv3.ApiKeyAuth{
 		Credentials: make([]*apikeyauthv3.Credential, 0, len(apiKeyAuth.Credentials)),
 	}
-	for clientid, key := range apiKeyAuth.Credentials {
+	for _, cred := range apiKeyAuth.Credentials {
 		apiKeyAuthProto.Credentials = append(apiKeyAuthProto.Credentials, &apikeyauthv3.Credential{
-			Client: clientid,
-			Key:    string(key),
+			Client: string(cred.Client),
+			Key:    string(cred.Key),
 		})
 	}
 

internal/xds/translator/api_key_auth.go

@@ -33,7 +33,8 @@ http:
           apiKeyAuth:
             name: securitypolicy/default/policy-for-http-route-1
             credentials:
-              client-1: "a2V5MQ=="
+              - client: "Y2xpZW50LTE="
+                key: "a2V5MQ=="
             extractFrom:
               - headers: ["X-API-KEY", "X-API-KEY-2"]
             forwardClientIDHeader: "X-API-KEY-CLIENT-ID"
@@ -62,7 +63,8 @@ http:
           apiKeyAuth:
             name: securitypolicy/default/policy-for-http-route-1
             credentials:
-              client-2: "a2V5Mg=="
+              - client: "Y2xpZW50LTI="
+                key: "a2V5Mg=="
             extractFrom:
               - params: ["X-API-KEY", "X-API-KEY-2"]
       - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com
@@ -89,7 +91,8 @@ http:
           apiKeyAuth:
             name: securitypolicy/default/policy-for-http-route-1
             credentials:
-              client-3: "a2V5Mw=="
+              - client: "Y2xpZW50LTM="
+                key: "a2V5Mw=="
             extractFrom:
               - cookies: ["X-API-KEY", "X-API-KEY-2"]
       - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com
@@ -116,7 +119,8 @@ http:
           apiKeyAuth:
             name: securitypolicy/default/policy-for-http-route-1
             credentials:
-              client-3: "a2V5Mw=="
+              - client: "Y2xpZW50LTM="
+                key: "a2V5Mw=="
             extractFrom:
               # multiple kind of extractFrom with multiple values
               - cookies: ["X-API-KEY", "X-API-KEY-2"]