feat(auth): optionally deploy OpenShift OAuth Proxy #127

Merged
merged 8 commits into from
Apr 10, 2024
11 changes: 11 additions & 0 deletions charts/cryostat/README.md
@@ -87,6 +87,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op

| Name | Description | Value |
| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` |
| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` |
| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` |
| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` |
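Review bot: the `authentication.openshift.enabled` description should state that this mode only works on OpenShift. The proxy's TLS material is the `{{ .Release.Name }}-proxy-tls` Secret that the service-ca operator issues via the `service.alpha.openshift.io/serving-cert-secret-name` annotation, and the ServiceAccount's OAuth redirect references a Route; on a non-OpenShift cluster that Secret never appears and the pod sits in ContainerCreating waiting for the volume. Suggested wording: `Whether to deploy the OpenShift OAuth Proxy (requires OpenShift: service-ca operator and a Route) instead of the generic OAuth2 Proxy.` Since this table is generated from the `@param` comments in values.yaml, apply the change there.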
@@ -102,6 +103,16 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### OpenShift OAuth Proxy

| Name | Description | Value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` |
| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` |
| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` |
| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Other Parameters

| Name | Description | Value |
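Review bot: the `openshiftOauthProxy.securityContext` description promises the "restricted" Pod Security Standard, but the container default in values.yaml only sets `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; restricted additionally requires `runAsNonRoot: true` and a `seccompProfile` of type `RuntimeDefault` or `Localhost`. Either confirm that `podSecurityContext` supplies those for every container, or spell them out in this container's default so the claim still holds when a user overrides the pod-level context.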
46 changes: 11 additions & 35 deletions charts/cryostat/templates/deployment.yaml
@@ -30,41 +30,11 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
securityContext:
{{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
args:
- "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
env:
- name: OAUTH2_PROXY_REDIRECT_URL
value: "http://localhost:4180/oauth2/callback"
- name: OAUTH2_PROXY_COOKIE_SECRET
value: {{ include "cryostat.cookieSecret" . }}
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: "*"
{{- if .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
value: write
- name: OAUTH2_PROXY_HTPASSWD_FILE
value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
{{- end }}
{{- if not .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ".*"
{{- end }}
ports:
- containerPort: 4180
protocol: TCP
volumeMounts:
- name: alpha-config
mountPath: /etc/oauth2_proxy/alpha_config
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
mountPath: /etc/oauth2_proxy/basicauth
readOnly: true
{{- end }}
{{- if .Values.authentication.openshift.enabled }}
{{- include "openshiftOauthProxy" . | nindent 8 }}
{{- else }}
{{- include "oauth2Proxy" . | nindent 8 }}
{{- end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.core.securityContext | nindent 12 }}
@@ -300,5 +270,11 @@ spec:
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
secret:
defaultMode: 0440
secretName: {{ .Values.authentication.basicAuth.secretName }}
{{- end }}
{{- if .Values.authentication.openshift.enabled }}
- name: {{ .Release.Name }}-proxy-tls
secret:
secretName: {{ .Release.Name }}-proxy-tls
{{- end }}
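Review bot: the new `{{ .Release.Name }}-proxy-tls` Secret volume should carry `defaultMode: 0440`, exactly as the htpasswd volume a few lines above does; without it the projected `tls.key` gets the secret-volume default of 0644 and is readable by every user in the container, not just the one the proxy runs as.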
37 changes: 37 additions & 0 deletions charts/cryostat/templates/oauth2Proxy.tpl
@@ -0,0 +1,37 @@
{{- define "oauth2Proxy" }}
- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
securityContext:
{{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
args:
- "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
env:
- name: OAUTH2_PROXY_REDIRECT_URL
value: "http://localhost:4180/oauth2/callback"
- name: OAUTH2_PROXY_COOKIE_SECRET
value: {{ include "cryostat.cookieSecret" . }}
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: "*"
{{- if .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
value: write
- name: OAUTH2_PROXY_HTPASSWD_FILE
value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
{{- end }}
{{- if not .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ".*"
{{- end }}
ports:
- containerPort: 4180
protocol: TCP
volumeMounts:
- name: alpha-config
mountPath: /etc/oauth2_proxy/alpha_config
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
mountPath: /etc/oauth2_proxy/basicauth
readOnly: true
{{- end }}
{{- end}}
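Review bot: the two consecutive conditionals on `.Values.authentication.basicAuth.enabled` (`{{- if ... }}` immediately followed by `{{- if not ... }}`) read better as one `if`/`else`. While this block is being moved into its own template, also quote the cookie secret (`value: {{ include "cryostat.cookieSecret" . | quote }}`), so a generated value that happens to begin with a YAML-significant character such as `*`, `&` or `!` cannot alter the rendered document.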
36 changes: 36 additions & 0 deletions charts/cryostat/templates/openshiftOauthProxy.tpl
@@ -0,0 +1,36 @@
{{- define "openshiftOauthProxy" }}
- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
securityContext:
{{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 12 }}
image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}"
args:
- --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }}
- --upstream=http://localhost:8181/
- --upstream=http://localhost:3000/grafana/
- --upstream=http://localhost:8333/storage/
- --cookie-secret={{ include "cryostat.cookieSecret" . }}
- --openshift-service-account={{ include "cryostat.serviceAccountName" . }}
- --proxy-websockets=true
- --http-address=0.0.0.0:4180
- --https-address=:8443
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
{{- if .Values.authentication.basicAuth.enabled }}
- --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
{{- end }}
imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }}
ports:
- containerPort: 4180
protocol: TCP
volumeMounts:
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
mountPath: /etc/openshift_oauth_proxy/basicauth
readOnly: true
{{- end }}
- name: {{ .Release.Name }}-proxy-tls
mountPath: /etc/tls/private
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
{{- end}}
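Review bot: the proxy authenticates OpenShift users but never authorizes them: none of the arguments is an `--openshift-sar` (or `--openshift-delegate-urls`) check, so any account that can log in to the cluster, from any namespace, is forwarded to all three upstreams, including `/storage/`. Add a subject access review that expresses "may use Cryostat", for example `--openshift-sar={"namespace":"{{ .Release.Namespace }}","resource":"pods","verb":"get"}`, or whatever permission the project treats as equivalent. Three smaller points in the same block: `--cookie-secret=` places the secret on the command line, where it is readable in the pod spec and in `/proc/<pid>/cmdline` by anything in the container, so prefer a Secret-backed file or env var if the proxy accepts one; the `{{ .Release.Name }}-proxy-tls` mount holds a private key and should be `readOnly: true`; and `ports` declares only 4180 while `--https-address=:8443` opens the listener the Service actually targets, so declare `containerPort: 8443` as well. The `resources: {}` and `terminationMessage*` lines restate Kubernetes defaults and can be dropped.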
8 changes: 8 additions & 0 deletions charts/cryostat/templates/service.yaml
@@ -6,13 +6,21 @@ metadata:
name: {{ $fullName }}
labels:
{{- include "cryostat.labels" $ | nindent 4 }}
{{- if .Values.authentication.openshift.enabled }}
annotations:
service.alpha.openshift.io/serving-cert-secret-name: {{ .Release.Name }}-proxy-tls
{{- end }}
spec:
type: {{ .Values.core.service.type }}
ports:
- port: {{ .Values.core.service.httpPort }}
targetPort: 4180
protocol: TCP
name: cryostat-http
- port: 443
targetPort: 8443
protocol: TCP
name: cryostat-https
- port: {{ .Values.core.service.jmxPort }}
targetPort: 9091
protocol: TCP
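Review bot: the `cryostat-https` port is added unconditionally, but only the OpenShift proxy listens on 8443 (the oauth2-proxy template exposes 4180 alone), so with `authentication.openshift.enabled=false` the Service advertises a port that nothing serves. Wrap it in the same `{{- if .Values.authentication.openshift.enabled }}` guard as the annotation, and consider a `core.service.httpsPort` value instead of the hard-coded `443`, matching how `httpPort` is handled two lines up. The `service.alpha.openshift.io/serving-cert-secret-name` annotation still works, but `service.beta.openshift.io/serving-cert-secret-name` is the current name and the one to use in new code.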
2 changes: 1 addition & 1 deletion charts/cryostat/templates/serviceaccount.yaml
@@ -1,4 +1,4 @@
{{- if .Values.core.route.enabled -}}
{{- if .Values.authentication.openshift.enabled -}}
{{- $fullName := include "cryostat.fullname" . -}}
{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) -}}
{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations -}}
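Review bot: the guard now keys only on `authentication.openshift.enabled`, but the `OAuthRedirectReference` annotation it emits still names a `Route` called `$fullName`; with OpenShift auth enabled and `core.route.enabled=false` the reference points at a Route that is never rendered, and the OAuth login redirect fails. Guard the annotation with `{{- if and .Values.authentication.openshift.enabled .Values.core.route.enabled -}}`, or fail the render (`required`/`fail`) when OpenShift auth is requested without the Route.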
60 changes: 60 additions & 0 deletions charts/cryostat/values.schema.json
@@ -473,9 +473,69 @@
}
}
},
"openshiftOauthProxy": {
"type": "object",
"properties": {
"securityContext": {
"type": "object",
"properties": {
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"description": "",
"default": [
"ALL"
],
"items": {
"type": "string"
}
}
}
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "",
"default": false
}
}
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"description": "Repository for the OpenShift OAuth Proxy container image",
"default": "quay.io/openshift/origin-oauth-proxy"
},
"pullPolicy": {
"type": "string",
"description": "Image pull policy for the OpenShift OAuth Proxy container image",
"default": "Always"
},
"tag": {
"type": "string",
"description": "Tag for the OpenShift OAuth Proxy container image",
"default": "latest"
}
}
}
}
},
"authentication": {
"type": "object",
"properties": {
"openshift": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.",
"default": false
}
}
},
"basicAuth": {
"type": "object",
"properties": {
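Review bot: the `capabilities.drop` and `allowPrivilegeEscalation` entries under `openshiftOauthProxy.securityContext` have empty `description` strings; either give them text or omit the key so generated docs do not show blank cells. This block is a verbatim copy of the `oauth2Proxy.securityContext` schema; if the schema tooling in use supports `definitions`/`$ref`, share one definition so the two proxies' constraints cannot drift apart.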
22 changes: 22 additions & 0 deletions charts/cryostat/values.yaml
@@ -155,6 +155,9 @@ datasource:
## @section Authentication

authentication:
openshift:
## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.
enabled: false
basicAuth:
## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication
enabled: false
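Review bot: the `authentication.basicAuth.enabled` comment ("When false, Cryostat will not perform any form of authentication") stops being true once `authentication.openshift.enabled` is set: in that mode the OpenShift proxy still requires a cluster login, and `--skip-provider-button` only skips the provider-selection page. Reword along the lines of `When false and OpenShift authentication is disabled, no authentication is performed`; since the README tables are generated from these `@param` comments, this is the place to fix it.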
@@ -182,6 +185,25 @@ oauth2Proxy:
drop:
- ALL

## @section OpenShift OAuth Proxy

openshiftOauthProxy:
image:
## @param openshiftOauthProxy.image.repository Repository for the OpenShift OAuth Proxy container image
repository: "quay.io/openshift/origin-oauth-proxy"
## @param openshiftOauthProxy.image.pullPolicy Image pull policy for the OpenShift OAuth Proxy container image
pullPolicy: Always
## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
tag: "latest"
## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
securityContext:
## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation
allowPrivilegeEscalation: false
## @skip openshiftOauthProxy.securityContext.capabilities
capabilities:
drop:
- ALL

## @section Other Parameters

## @param imagePullSecrets [array] Image pull secrets to be used for the Cryostat deployment
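Review bot: `openshiftOauthProxy.image.tag` defaults to `latest` together with `pullPolicy: Always`, so every pod (re)schedule may pull a different, unreviewed proxy build and two replicas can run different code. Pin a release tag, or better a `sha256` digest, as the chart default and leave `latest` to users who opt in.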