refactor: appended default key selector only when list is not defined

Signed-off-by: KevFan <[email protected]>

api/v1beta3/auth_config_types.go

@@ -357,7 +357,7 @@ type ApiKeyAuthenticationSpec struct {
 	AllNamespaces bool `json:"allNamespaces,omitempty"`
 
 	// List of keys within the selected Kubernetes secret that contain valid API credentials.
-	// Authorino will attempt to authenticate using any matching key, including "api-key".
+	// Authorino will attempt to authenticate using any matching key. If no keys are defined, the default "api-key" will be used.
 	// If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and is ignored.
 	// +optional
 	KeySelectors []string `json:"keySelectors,omitempty"`

install/crd/authorino.kuadrant.io_authconfigs.yaml

@@ -2396,7 +2396,7 @@ spec:
                         keySelectors:
                           description: |-
                             List of keys within the selected Kubernetes secret that contain valid API credentials.
-                            Authorino will attempt to authenticate using any matching key, including "api-key".
+                            Authorino will attempt to authenticate using any matching key. If no keys are defined, the default "api-key" will be used.
                             If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and is ignored.
                           items:
                             type: string

install/manifests.yaml

@@ -2663,7 +2663,7 @@ spec:
                         keySelectors:
                           description: |-
                             List of keys within the selected Kubernetes secret that contain valid API credentials.
-                            Authorino will attempt to authenticate using any matching key, including "api-key".
+                            Authorino will attempt to authenticate using any matching key. If no keys are defined, the default "api-key" will be used.
                             If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and is ignored.
                           items:
                             type: string

pkg/evaluators/identity/api_key.go

@@ -37,12 +37,15 @@ type APIKey struct {
 }
 
 func NewApiKeyIdentity(name string, labelSelectors k8s_labels.Selector, namespace string, keySelectors []string, authCred auth.AuthCredentials, k8sClient k8s_client.Reader, ctx context.Context) *APIKey {
+	if len(keySelectors) == 0 {
+		keySelectors = append(keySelectors, defaultAPIKeySelector)
+	}
 	apiKey := &APIKey{
 		AuthCredentials: authCred,
 		Name:            name,
 		LabelSelectors:  labelSelectors,
 		Namespace:       namespace,
-		KeySelectors:    append(keySelectors, defaultAPIKeySelector),
+		KeySelectors:    keySelectors,
 		secrets:         make(map[string]k8s.Secret),
 		k8sClient:       k8sClient,
 	}

pkg/evaluators/identity/api_key_test.go

@@ -79,13 +79,12 @@ func TestNewApiKeyIdentityMultipleKeySelectors(t *testing.T) {
 	assert.Equal(t, apiKey.Name, "jedi")
 	assert.Equal(t, apiKey.LabelSelectors.String(), "planet=coruscant")
 	assert.Equal(t, apiKey.Namespace, "ns1")
-	assert.Equal(t, len(apiKey.KeySelectors), 3)
+	assert.Equal(t, len(apiKey.KeySelectors), 2)
 	assert.Equal(t, apiKey.KeySelectors[0], "no_op")
 	assert.Equal(t, apiKey.KeySelectors[1], "api_key_2")
-	assert.Equal(t, apiKey.KeySelectors[2], defaultAPIKeySelector)
-	assert.Equal(t, len(apiKey.secrets), 2)
+	assert.Equal(t, len(apiKey.secrets), 1)
 	_, exists := apiKey.secrets["ObiWanKenobiLightSaber"]
-	assert.Check(t, exists)
+	assert.Check(t, !exists)
 	_, exists = apiKey.secrets["TeraSinubeLightSaber"]
 	assert.Check(t, exists)
 	_, exists = apiKey.secrets["MasterYodaLightSaber"]