feat: add authz-adapter service and Envoy ext_authz integration

- Implemented authz-adapter deployment and service for Envoy gRPC authorization.
- Created PowerShell script to generate JWK for JWT authentication.
- Documented the integration of ext_authz with user-rpc.ValidateToken in ENVOY_EXT_AUTHZ_ADAPTER.md.
- Added comprehensive Envoy Gateway configuration guide with JWT authentication and access control in ENVOY_GATEWAY_GUIDE.md.

deploy/k8s/service/authz/authz-adapter.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authz-adapter
+  namespace: juwan
+  labels:
+    app: authz-adapter
+spec:
+  replicas: 2
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      app: authz-adapter
+  template:
+    metadata:
+      labels:
+        app: authz-adapter
+    spec:
+      serviceAccountName: find-endpoints
+      containers:
+        - name: authz-adapter
+          image: 103.236.53.208:4418/library/authz-adapter@sha256:84dd29596f94dd38d3a7a7924f4d5ed71b661b6d2a78d65c1741b11c2d8eea98
+          ports:
+            - containerPort: 9002
+              name: grpc
+          env:
+            - name: LISTEN_ON
+              value: "0.0.0.0:9002"
+            - name: USER_RPC_TARGET
+              value: "user-rpc-svc.juwan.svc.cluster.local:9001"
+          readinessProbe:
+            tcpSocket:
+              port: 9002
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 9002
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+          volumeMounts:
+            - name: timezone
+              mountPath: /etc/localtime
+      volumes:
+        - name: timezone
+          hostPath:
+            path: /usr/share/zoneinfo/Asia/Shanghai
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authz-adapter-svc
+  namespace: juwan
+spec:
+  selector:
+    app: authz-adapter
+  ports:
+    - name: grpc
+      port: 9002
+      targetPort: 9002
+  type: ClusterIP

deploy/k8s/service/user/user-api.yaml

@@ -19,7 +19,7 @@ spec:
       serviceAccountName: find-endpoints
       containers:
       - name: user-api
-        image: 103.236.53.208:4418/library/user-api@sha256:a152f5fd13fc865ae3d9aeaa54eacad6bcaa0cb4f0ccb770fbb746be95360991
+        image: 103.236.53.208:4418/library/user-api@sha256:d3187beb9c777a8dcbdc6a835a7887cb29fbea9571b08fe538a1eece403226e2
         ports:
         - containerPort: 8888
         readinessProbe:

deploy/k8s/service/user/user-rpc.yaml

@@ -29,7 +29,7 @@ spec:
             ]
       containers:
         - name: user-rpc
-          image: 103.236.53.208:4418/library/user-rpc@sha256:3d1d3cc02188a9b1a29a308a4867638b25b6e480e5a6bdaeb938f262f53969b7
+          image: 103.236.53.208:4418/library/user-rpc@sha256:28d785c4152d28b5cb368316e0fb3d48d728303e4439cdce13ebdbc5af8d19ce
           ports:
             - containerPort: 9001
             - containerPort: 4001
@@ -160,105 +160,105 @@ spec:
 #          type: Utilization
 #          averageUtilization: 80
 #---
-## Redis 主从复制
-#apiVersion: redis.redis.opstreelabs.in/v1beta2
-#kind: RedisReplication
-#metadata:
-#  name: user-redis
-#  namespace: juwan
-#spec:
-#  clusterSize: 3
-#  kubernetesConfig:
-#    image: quay.io/opstree/redis:v7.0.12
-#    imagePullPolicy: IfNotPresent
-#    resources:
-#      requests:
-#        cpu: 100m
-#        memory: 128Mi
-#      limits:
-#        cpu: 500m
-#        memory: 512Mi
-#    redisSecret:
-#      name: user-redis
-#      key: password
-#
-#  redisExporter:
-#    enabled: true
-#    image: quay.io/opstree/redis-exporter:latest
-#    imagePullPolicy: Always
-#  podSecurityContext:
-#    runAsUser: 1000
-#    fsGroup: 1000
-#  storage:
-#    volumeClaimTemplate:
-#      spec:
-#        accessModes: ["ReadWriteOnce"]
-#        resources:
-#          requests:
-#            storage: 1Gi
-#
-#---
-## Sentinel 监控
-#apiVersion: redis.redis.opstreelabs.in/v1beta2
-#kind: RedisSentinel
-#metadata:
-#  name: user-redis-sentinel
-#  namespace: juwan
-#spec:
-#  clusterSize: 3
-#  kubernetesConfig:
-#    image: quay.io/opstree/redis-sentinel:v7.0.12
-#    imagePullPolicy: IfNotPresent
-#    resources:
-#      requests:
-#        cpu: 100m
-#        memory: 128Mi
-#      limits:
-#        cpu: 500m
-#        memory: 512Mi
-#  podSecurityContext:
-#    runAsUser: 1000
-#    fsGroup: 1000
-#  redisSentinelConfig:
-#    redisReplicationName: user-redis
-#    masterGroupName: mymaster
-#    redisPort: "6379"
-#    quorum: "2"
-#    downAfterMilliseconds: "5000"
-#    failoverTimeout: "10000"
-#    parallelSyncs: "1"
-#
-#---
-## PostgreSQL 集群
-#apiVersion: postgresql.cnpg.io/v1
-#kind: Cluster
-#metadata:
-#  namespace: juwan
-#  name: user-db
-#spec:
-#  instances: 3
-#  primaryUpdateStrategy: unsupervised
-#  bootstrap:
-#    initdb:
-#      database: app
-#      owner: app
-#      # 只在 PVC 为空时初始化
-#      postInitSQL:
-#        - CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
-#  backup:
-#    barmanObjectStore:
-#      destinationPath: s3://juwan-dev-pg-backups-zj/pg-data/
-#      endpointURL: https://cn-nb1.rains3.com
-#      s3Credentials:
-#        accessKeyId:
-#          name: rc-creds
-#          key: SOucqRaJr4OyfcIu
-#        secretAccessKey:
-#          name: rc-creds
-#          key: tn2Agj9EowMwuPA9y7TdSL0AXKsMEz
-#      wal:
-#        compression: gzip
-#  storage:
-#    size: 1Gi
-#  monitoring:
-#    enablePodMonitor: true
+# Redis 主从复制
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: user-redis
+  namespace: juwan
+spec:
+  clusterSize: 3
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v7.0.12
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+    redisSecret:
+      name: user-redis
+      key: password
+
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:latest
+    imagePullPolicy: Always
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  storage:
+    volumeClaimTemplate:
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+
+---
+# Sentinel 监控
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisSentinel
+metadata:
+  name: user-redis-sentinel
+  namespace: juwan
+spec:
+  clusterSize: 3
+  kubernetesConfig:
+    image: quay.io/opstree/redis-sentinel:v7.0.12
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  redisSentinelConfig:
+    redisReplicationName: user-redis
+    masterGroupName: mymaster
+    redisPort: "6379"
+    quorum: "2"
+    downAfterMilliseconds: "5000"
+    failoverTimeout: "10000"
+    parallelSyncs: "1"
+
+---
+# PostgreSQL 集群
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  namespace: juwan
+  name: user-db
+spec:
+  instances: 3
+  primaryUpdateStrategy: unsupervised
+  bootstrap:
+    initdb:
+      database: app
+      owner: app
+      # 只在 PVC 为空时初始化
+      postInitSQL:
+        - CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+  backup:
+    barmanObjectStore:
+      destinationPath: s3://juwan-dev-pg-backups-zj/pg-data/
+      endpointURL: https://cn-nb1.rains3.com
+      s3Credentials:
+        accessKeyId:
+          name: rc-creds
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: rc-creds
+          key: SECRET_ACCESS_KEY
+      wal:
+        compression: gzip
+  storage:
+    size: 1Gi
+  monitoring:
+    enablePodMonitor: true