From f56cfbbe5cd54ddb05d52b503f83b80a99e929fd Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Apr 2024 10:02:14 -0400 Subject: [PATCH 01/20] feat(openshift): add configuration for proxy SubjectAccessReview --- charts/cryostat/templates/openshiftOauthProxy.tpl | 6 ++++++ charts/cryostat/values.yaml | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 50f93d19..05b4d5df 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl @@ -1,3 +1,7 @@ +{{- define "subjectAccessReview" -}} +{{- $dict := dict "namespace" ( .Values.openshiftOauthProxy.access.namespace | default .Release.Namespace ) "resource" .Values.openshiftOauthProxy.access.resource "verb" .Values.openshiftOauthProxy.access.verb -}} +{{- toJson $dict -}} +{{- end -}} {{- define "openshiftOauthProxy" }} - name: {{ printf "%s-%s" .Chart.Name "authproxy" }} securityContext: @@ -16,6 +20,8 @@ - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 + # --openshift-sar='{"namespace": "{{- if .Values.openshiftOauthProxy.access.namespace -}}{{- .Values.openshiftOauthProxy.access.namespace -}}{{- else -}}{{- .Release.Namespace -}}{{- end -}}", "resource": "{{- .Values.openshiftOauthProxy.access.resource -}}", "verb": "{{- .Values.openshiftOauthProxy.access.verb -}}"}' + - --openshift-sar={{ include "subjectAccessReview" . }} {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index c05e1afa..c1491d72 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -193,6 +193,14 @@ openshiftOauthProxy: pullPolicy: Always ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image tag: "latest" + ## @param openshiftOauthProxy.access Access control configuration for the OpenShift OAuth Proxy + access: + ## @param openshiftOauthProxy.access.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into + namespace: "" + ## @param openshiftOauthProxy.access.namespace The OpenShift resource that the SubjectAccessReview will be performed for + resource: "pods/exec" + ## @param openshiftOauthProxy.access.namespace The OpenShift resource verb that the SubjectAccessReview will be performed for + verb: "create" ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: ## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation From 8572e51b56a5f5e82c0a405b9a68d904c79cdb28 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Apr 2024 11:20:36 -0400 Subject: [PATCH 02/20] remove commented flag, wrap SAR as array --- charts/cryostat/templates/openshiftOauthProxy.tpl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 05b4d5df..6f8ffeb0 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl 
@@ -20,8 +20,7 @@ - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - # --openshift-sar='{"namespace": "{{- if .Values.openshiftOauthProxy.access.namespace -}}{{- .Values.openshiftOauthProxy.access.namespace -}}{{- else -}}{{- .Release.Namespace -}}{{- end -}}", "resource": "{{- .Values.openshiftOauthProxy.access.resource -}}", "verb": "{{- .Values.openshiftOauthProxy.access.verb -}}"}' - - --openshift-sar={{ include "subjectAccessReview" . }} + - --openshift-sar=[{{ include "subjectAccessReview" . }}] {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} From b76445b728f57f679c5b2e7a0cd0ef1abf8dcaa0 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Apr 2024 11:24:11 -0400 Subject: [PATCH 03/20] pipe full access object through toJson filter, then interpret as a template --- charts/cryostat/templates/openshiftOauthProxy.tpl | 6 +----- charts/cryostat/values.yaml | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 6f8ffeb0..34d198eb 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl @@ -1,7 +1,3 @@ -{{- define "subjectAccessReview" -}} -{{- $dict := dict "namespace" ( .Values.openshiftOauthProxy.access.namespace | default .Release.Namespace ) "resource" .Values.openshiftOauthProxy.access.resource "verb" .Values.openshiftOauthProxy.access.verb -}} -{{- toJson $dict -}} -{{- end -}} {{- define "openshiftOauthProxy" }} - name: {{ printf "%s-%s" .Chart.Name "authproxy" }} securityContext: 
@@ -20,7 +16,7 @@ - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - - --openshift-sar=[{{ include "subjectAccessReview" . }}] + - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.access | toJson ) . }} {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index c1491d72..26fe482d 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -196,7 +196,7 @@ openshiftOauthProxy: ## @param openshiftOauthProxy.access Access control configuration for the OpenShift OAuth Proxy access: ## @param openshiftOauthProxy.access.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into - namespace: "" + namespace: "{{ .Release.Namespace }}" ## @param openshiftOauthProxy.access.namespace The OpenShift resource that the SubjectAccessReview will be performed for resource: "pods/exec" ## @param openshiftOauthProxy.access.namespace The OpenShift resource verb that the SubjectAccessReview will be performed for From aa3aca4e409a55b4f8d28e637deb370de86e3a67 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Apr 2024 11:25:02 -0400 Subject: [PATCH 04/20] access object becomes list --- charts/cryostat/values.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 26fe482d..2443cb58 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
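Review bot: The values comment in this hunk still promises that an empty `access.namespace` falls back to the install namespace, but the template side of the same commit removed the `default .Release.Namespace` fallback together with the `subjectAccessReview` helper. With `tpl ( ... | toJson )` an empty string now renders as `"namespace":""`, which the API server evaluates as a cluster-scoped SubjectAccessReview on pods/exec, so a user holding only a namespaced Role in the release namespace is denied instead of being checked against that namespace. Either reinstate the fallback, or make the comment say what the value now does: `## @param openshiftOauthProxy.access.namespace The Namespace the SubjectAccessReview is scoped to. Rendered through tpl; leave as the release namespace, or set "" to require the permission cluster-wide`. It is also worth a one-line note in values.yaml that the whole `access` block is evaluated as a chart template, since that is what makes `{{ .Release.Namespace }}` work.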
@@ -195,12 +195,12 @@ openshiftOauthProxy: tag: "latest" ## @param openshiftOauthProxy.access Access control configuration for the OpenShift OAuth Proxy access: - ## @param openshiftOauthProxy.access.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into - namespace: "{{ .Release.Namespace }}" - ## @param openshiftOauthProxy.access.namespace The OpenShift resource that the SubjectAccessReview will be performed for - resource: "pods/exec" - ## @param openshiftOauthProxy.access.namespace The OpenShift resource verb that the SubjectAccessReview will be performed for - verb: "create" + ## @param openshiftOauthProxy.access.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into + - namespace: "{{ .Release.Namespace }}" + ## @param openshiftOauthProxy.access.namespace The OpenShift resource that the SubjectAccessReview will be performed for + resource: "pods/exec" + ## @param openshiftOauthProxy.access.namespace The OpenShift resource verb that the SubjectAccessReview will be performed for + verb: "create" ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: ## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation From e3e382ba6b573a9ce29d37b714352e3cc7ac1ce9 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Wed, 17 Apr 2024 12:01:09 -0400 Subject: [PATCH 05/20] add clusterrole(binding) and enable auth master delegation - enables proxy to handle requests presenting 'Authorization: Bearer' headers --- charts/cryostat/templates/clusterrole.yaml | 21 +++++++++++++++++++ .../templates/clusterrolebinding.yaml | 16 ++++++++++++++ .../templates/openshiftOauthProxy.tpl | 1 + 3 files changed, 38 insertions(+) create mode 100644 charts/cryostat/templates/clusterrole.yaml create mode 100644 charts/cryostat/templates/clusterrolebinding.yaml diff --git a/charts/cryostat/templates/clusterrole.yaml b/charts/cryostat/templates/clusterrole.yaml new file mode 100644 index 00000000..b631364f --- /dev/null +++ b/charts/cryostat/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cryostat.fullname" . }} + labels: + {{- include "cryostat.labels" . | nindent 4 }} +rules: +- apiGroups: + - "authorization.k8s.io" + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - "authentication.k8s.io" + resources: + - tokenreviews + verbs: + - create +{{- end }} diff --git a/charts/cryostat/templates/clusterrolebinding.yaml b/charts/cryostat/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..9c12569c --- /dev/null +++ b/charts/cryostat/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cryostat.fullname" . }} + labels: + {{- include "cryostat.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cryostat.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "cryostat.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} 
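Review bot: Binding cluster-wide `tokenreviews`/`subjectaccessreviews` create to `cryostat.serviceAccountName` is only least-privilege if that name is a dedicated ServiceAccount; if the helper falls back to `default` when `serviceAccount.create` is false (the usual Helm scaffold, not visible in this hunk), every Pod in the namespace that runs under the default ServiceAccount can validate arbitrary bearer tokens and probe any subject's permissions. Consider rendering the binding only for a chart-managed account, e.g. `{{- if and .Values.rbac.create .Values.serviceAccount.create -}}`, or at least documenting in values.yaml that `serviceAccount.create=false` with the default account widens this grant to the whole namespace. The ClusterRole itself is minimal, which is good.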
diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 34d198eb..ee81781f 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl @@ -17,6 +17,7 @@ - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.access | toJson ) . }} + - --openshift-delegate-urls={"/":{"group":"","resource":"pods/exec","verb":"create"}} {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} From fc49cfa472a322240a8cc1f76920a56a94a73aff Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Apr 2024 12:14:31 -0400 Subject: [PATCH 06/20] make tokenreview configurable, fix doc comments --- .../templates/openshiftOauthProxy.tpl | 4 ++-- charts/cryostat/values.yaml | 20 ++++++++++++++----- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index ee81781f..2ac38a37 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl @@ -16,8 +16,8 @@ - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.access | toJson ) . }} - - --openshift-delegate-urls={"/":{"group":"","resource":"pods/exec","verb":"create"}} + - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }} + - --openshift-delegate-urls={"/":{{ .Values.openshiftOauthProxy.tokenReview | toJson }}} {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} 
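Review bot: The bearer-token review rendered on the new `--openshift-delegate-urls` line has no `namespace` and is not run through `tpl`, so it does not match the interactive `--openshift-sar` review just above it, which carries `{{ .Release.Namespace }}`. The rendered `{"group":"","resource":"pods/exec","verb":"create"}` is a cluster-scoped check, so a programmatic client whose token only has a namespaced Role on pods/exec in the release namespace is denied here while the same user is admitted through the login flow. If that asymmetry is not intended, add `namespace: "{{ .Release.Namespace }}"` to `tokenReview` and render it the same way: `- --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}}` (assuming the proxy's delegate attributes accept `namespace` like its SAR attributes do, which should be confirmed). Either way the values comment should state which scope each review has, since the two defaults look identical but authorize differently.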
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 2443cb58..264d9953 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -193,14 +193,24 @@ openshiftOauthProxy: pullPolicy: Always ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image tag: "latest" - ## @param openshiftOauthProxy.access Access control configuration for the OpenShift OAuth Proxy - access: - ## @param openshiftOauthProxy.access.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into + ## @param openshiftOauthProxy.accessReview Access control configurations for the OpenShift OAuth Proxy interactive users + accessReview: + ## @param openshiftOauthProxy.accessReview.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into - namespace: "{{ .Release.Namespace }}" - ## @param openshiftOauthProxy.access.namespace The OpenShift resource that the SubjectAccessReview will be performed for + ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview will be performed for + group: "" + ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview will be performed for resource: "pods/exec" - ## @param openshiftOauthProxy.access.namespace The OpenShift resource verb that the SubjectAccessReview will be performed for + ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource verb that the SubjectAccessReview will be performed for verb: "create" + ## @param openshiftOauthProxy.token Access control configuration for the OpenShift OAuth Proxy programmatic clients + tokenReview: + ## @param openshiftOauthProxy.tokenReview.group The OpenShift resource group that the TokenReview will be performed for + group: "" + ## @param openshiftOauthProxy.tokenReview.resource The OpenShift resource that the TokenReview will be performed for + resource: "pods/exec" + ## @param 
openshiftOauthProxy.tokenReview.verb The OpenShift resource verb that the TokenReview will be performed for + verb: "create" ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: ## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation From a7f4047cd742aa07e906fbda517d879cba76dc18 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 17 Apr 2024 12:16:19 -0400 Subject: [PATCH 07/20] fixup docs, regenerate readme and schema --- charts/cryostat/README.md | 19 ++++-- charts/cryostat/values.schema.json | 93 ++++++++++++++++++++++-------- charts/cryostat/values.yaml | 10 ++-- 3 files changed, 86 insertions(+), 36 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 11a4a8d3..84fee8b2 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -97,12 +97,19 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op ### OpenShift OAuth Proxy -| Name | Description | Value | -| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | -| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | -| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | -| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | +| `openshiftOauthProxy.accessReview[0].namespace` | The OpenShift Namespace that the SubjectAccessReview will be performed for. 
| `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.accessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.accessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods/exec` | +| `openshiftOauthProxy.accessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | +| `openshiftOauthProxy.tokenReview.group` | The OpenShift resource group that the TokenReview will be performed for | `""` | +| `openshiftOauthProxy.tokenReview.resource` | The OpenShift resource that the TokenReview will be performed for | `pods/exec` | +| `openshiftOauthProxy.tokenReview.verb` | The OpenShift resource verb that the TokenReview will be performed for | `create` | +| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Other Parameters diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index e89096a5..1b436188 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
@@ -468,6 +468,41 @@ } } }, + "authentication": { + "type": "object", + "properties": { + "openshift": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.", + "default": false + } + } + }, + "basicAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication", + "default": false + }, + "secretName": { + "type": "string", + "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**", + "default": "" + }, + "filename": { + "type": "string", + "description": "Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**", + "default": "" + } + } + } + } + }, "openshiftOauthProxy": { "type": "object", "properties": { 
@@ -515,39 +550,49 @@ "default": "latest" } } - } - } - }, - "authentication": { - "type": "object", - "properties": { - "openshift": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.", - "default": false + }, + "accessReview": { + "type": "array", + "description": "The OpenShift Namespace that the SubjectAccessReview will be performed for.", + "items": { + "type": "object", + "properties": { + "namespace": { + "type": "string", + "description": "The OpenShift Namespace that the SubjectAccessReview will be performed for." + }, + "group": { + "type": "string", + "description": "The OpenShift resource group that the SubjectAccessReview will be performed for" + }, + "resource": { + "type": "string", + "description": "The OpenShift resource that the SubjectAccessReview will be performed for" + }, + "verb": { + "type": "string", + "description": "The OpenShift resource verb that the SubjectAccessReview will be performed for" + } } } }, - "basicAuth": { + "tokenReview": { "type": "object", "properties": { - "enabled": { - "type": "boolean", - "description": "Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication", - "default": false - }, - "secretName": { + "group": { "type": "string", - "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**", + "description": "The OpenShift resource group that the TokenReview will be performed for", "default": "" }, - "filename": { + "resource": { "type": "string", - "description": "Key within Secret containing the `htpasswd` file. 
The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**", - "default": "" + "description": "The OpenShift resource that the TokenReview will be performed for", + "default": "pods/exec" + }, + "verb": { + "type": "string", + "description": "The OpenShift resource verb that the TokenReview will be performed for", + "default": "create" } } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 264d9953..8f5f8890 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -193,17 +193,15 @@ openshiftOauthProxy: pullPolicy: Always ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image tag: "latest" - ## @param openshiftOauthProxy.accessReview Access control configurations for the OpenShift OAuth Proxy interactive users accessReview: - ## @param openshiftOauthProxy.accessReview.namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. If empty, this will default to the Namespace that the chart is installed into + ## @param openshiftOauthProxy.accessReview[0].namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. - namespace: "{{ .Release.Namespace }}" - ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview will be performed for + ## @param openshiftOauthProxy.accessReview[0].group The OpenShift resource group that the SubjectAccessReview will be performed for group: "" - ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview will be performed for + ## @param openshiftOauthProxy.accessReview[0].resource The OpenShift resource that the SubjectAccessReview will be performed for resource: "pods/exec" - ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource verb that the SubjectAccessReview will be performed for + ## @param openshiftOauthProxy.accessReview[0].verb The OpenShift resource verb that the SubjectAccessReview will be performed for verb: "create" - ## @param openshiftOauthProxy.token Access control configuration for the OpenShift OAuth Proxy programmatic clients tokenReview: ## @param openshiftOauthProxy.tokenReview.group The OpenShift resource group that the TokenReview will be performed for group: "" From 58b33031320026622d3cff4b8f71a8885dbb4b16 Mon Sep 17 00:00:00 2001 
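Review bot: The per-entry comments on `accessReview` never say how multiple entries combine, nor what an empty `namespace` means now that the "defaults to the install namespace" sentence is gone; an operator reading only values.yaml cannot tell that `""` turns the review cluster-scoped. As I read the proxy's provider code each listed review must be allowed for the request to pass, but that should be confirmed before documenting it. Suggest restoring a block-level comment above the list such as `## accessReview: SubjectAccessReviews an interactive user must satisfy. Entries are evaluated by the proxy; namespace is rendered through tpl and an empty value makes the review cluster-wide`, so the README/schema generators pick the semantics up instead of the copied "The OpenShift Namespace..." text that currently describes the array.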
From: Andrew Azores Date: Thu, 18 Apr 2024 10:50:09 -0400 Subject: [PATCH 08/20] use system:auth-delegator clusterrole --- charts/cryostat/README.md | 13 ++++++------ charts/cryostat/templates/clusterrole.yaml | 21 ------------------- .../templates/clusterrolebinding.yaml | 4 ++-- charts/cryostat/values.schema.json | 10 +++++++++ charts/cryostat/values.yaml | 3 +++ 5 files changed, 22 insertions(+), 29 deletions(-) delete mode 100644 charts/cryostat/templates/clusterrole.yaml diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 84fee8b2..c88156b6 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -79,12 +79,13 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op ### Authentication -| Name | Description | Value | -| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` | -| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | -| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | -| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. 
`htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | +| Name | Description | Value | +| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` | +| `authentication.openshift.clusterRole.name` | The name of the ClusterRole to bind for the OpenShift OAuth Proxy | `system:auth-delegator` | +| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | +| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | +| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | ### OAuth2 Proxy diff --git a/charts/cryostat/templates/clusterrole.yaml b/charts/cryostat/templates/clusterrole.yaml deleted file mode 100644 index b631364f..00000000 --- a/charts/cryostat/templates/clusterrole.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "cryostat.fullname" . }} - labels: - {{- include "cryostat.labels" . | nindent 4 }} -rules: -- apiGroups: - - "authorization.k8s.io" - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "authentication.k8s.io" - resources: - - tokenreviews - verbs: - - create -{{- end }} diff --git a/charts/cryostat/templates/clusterrolebinding.yaml b/charts/cryostat/templates/clusterrolebinding.yaml index 9c12569c..4721c7c3 100644 --- a/charts/cryostat/templates/clusterrolebinding.yaml +++ b/charts/cryostat/templates/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create -}} +{{- if and (.Values.rbac.create) (.Values.authentication.openshift.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8,7 +8,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "cryostat.fullname" . }} + name: {{ .Values.authentication.openshift.clusterRole.name }} subjects: - kind: ServiceAccount name: {{ include "cryostat.serviceAccountName" . }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 1b436188..c9dc1439 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -478,6 +478,16 @@ "type": "boolean", "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.", "default": false + }, + "clusterRole": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "The name of the ClusterRole to bind for the OpenShift OAuth Proxy", + "default": "system:auth-delegator" + } + } } } }, diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 8f5f8890..a66901f0 100644 --- a/charts/cryostat/values.yaml 
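Review bot: The ClusterRoleBinding keeps `name: {{ include "cryostat.fullname" . }}`, but ClusterRoleBindings are cluster-scoped, so two releases with the same fullname in different namespaces now contend for one object: the second install fails on ownership, or an overwritten binding silently rebinds `system:auth-delegator` to the other release's ServiceAccount. Namespace-qualify the name, e.g. `name: {{ include "cryostat.fullname" . }}-{{ .Release.Namespace }}-auth-delegator`. Binding the stock `system:auth-delegator` instead of a chart-owned ClusterRole and gating on `authentication.openshift.enabled` are both the right least-privilege moves; this note only concerns the binding's name.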
+++ b/charts/cryostat/values.yaml @@ -156,6 +156,9 @@ authentication: openshift: ## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. enabled: false + clusterRole: + ## @param authentication.openshift.clusterRole.name The name of the ClusterRole to bind for the OpenShift OAuth Proxy + name: system:auth-delegator basicAuth: ## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication enabled: false From d1e97111e65d9e87350a00065a04f0665e1b318a Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 18 Apr 2024 10:52:06 -0400 Subject: [PATCH 09/20] document tokenreview usage --- charts/cryostat/README.md | 6 +++--- charts/cryostat/values.schema.json | 6 +++--- charts/cryostat/values.yaml | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index c88156b6..5bfce93f 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
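Review bot: `authentication.openshift.clusterRole.name` is bound cluster-wide to the Cryostat ServiceAccount by the ClusterRoleBinding rendered when `rbac.create` and `authentication.openshift.enabled` are set, and nothing in the comment warns that pointing it at a broader role hands that role to the proxy pod and to anything able to read the pod's mounted token. Suggest extending the comment: `## @param authentication.openshift.clusterRole.name The ClusterRole bound cluster-wide to Cryostat's ServiceAccount so the OAuth proxy can create TokenReviews and SubjectAccessReviews. Keep this at system:auth-delegator; any broader role is granted to the whole pod`.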
@@ -107,9 +107,9 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `openshiftOauthProxy.accessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | | `openshiftOauthProxy.accessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods/exec` | | `openshiftOauthProxy.accessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | -| `openshiftOauthProxy.tokenReview.group` | The OpenShift resource group that the TokenReview will be performed for | `""` | -| `openshiftOauthProxy.tokenReview.resource` | The OpenShift resource that the TokenReview will be performed for | `pods/exec` | -| `openshiftOauthProxy.tokenReview.verb` | The OpenShift resource verb that the TokenReview will be performed for | `create` | +| `openshiftOauthProxy.tokenReview.group` | The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.tokenReview.resource` | The OpenShift resource that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `pods/exec` | +| `openshiftOauthProxy.tokenReview.verb` | The OpenShift resource verb that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `create` | | `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Other Parameters diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index c9dc1439..3426a38e 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -591,17 +591,17 @@ "properties": { "group": { "type": "string", - "description": "The OpenShift resource group that the TokenReview will be performed for", + "description": "The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure", "default": "" }, "resource": { "type": "string", - "description": "The OpenShift resource that the TokenReview will be performed for", + "description": "The OpenShift resource that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure", "default": "pods/exec" }, "verb": { "type": "string", - "description": "The OpenShift resource verb that the TokenReview will be performed for", + "description": "The OpenShift resource verb that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure", "default": "create" } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index a66901f0..1079e2ec 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -206,11 +206,11 @@ openshiftOauthProxy: ## @param openshiftOauthProxy.accessReview[0].verb The OpenShift resource verb that the SubjectAccessReview will be performed for verb: "create" tokenReview: - ## @param openshiftOauthProxy.tokenReview.group The OpenShift resource group that the TokenReview will be performed for + ## @param openshiftOauthProxy.tokenReview.group The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure group: "" - ## @param openshiftOauthProxy.tokenReview.resource The OpenShift resource that the TokenReview will be performed for + ## @param openshiftOauthProxy.tokenReview.resource The OpenShift resource that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure resource: "pods/exec" - ## @param openshiftOauthProxy.tokenReview.verb The OpenShift resource verb that the TokenReview will be performed for + ## @param openshiftOauthProxy.tokenReview.verb The OpenShift resource verb that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure verb: "create" ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: From 3bfd2bf164dba66675bfa356ecaef43f2c86ccad Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Thu, 18 Apr 2024 11:02:33 -0400 Subject: [PATCH 10/20] add more configuration parameters for customization --- charts/cryostat/README.md | 33 ++++--- .../templates/openshiftOauthProxy.tpl | 2 +- charts/cryostat/values.schema.json | 88 +++++++++++++------ charts/cryostat/values.yaml | 28 ++++-- 4 files changed, 102 insertions(+), 49 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 5bfce93f..256d7b32 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -98,19 +98,26 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op ### OpenShift OAuth Proxy -| Name | Description | Value | -| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | -| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | -| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | -| `openshiftOauthProxy.accessReview[0].namespace` | The OpenShift Namespace that the SubjectAccessReview will be performed for. | `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.accessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.accessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods/exec` | -| `openshiftOauthProxy.accessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | -| `openshiftOauthProxy.tokenReview.group` | The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | -| `openshiftOauthProxy.tokenReview.resource` | The OpenShift resource that the TokenReview will be performed for. 
See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `pods/exec` | -| `openshiftOauthProxy.tokenReview.verb` | The OpenShift resource verb that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `create` | -| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | +| `openshiftOauthProxy.accessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.accessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods` | +| `openshiftOauthProxy.accessReview[0].subresource` | The OpenShift subresource that the SubjectAccessReview will be 
performed for | `exec` | +| `openshiftOauthProxy.accessReview[0].name` | The OpenShift resource name that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.accessReview[0].namespace` | The OpenShift Namespace that the SubjectAccessReview will be performed for. | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.accessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | +| `openshiftOauthProxy.accessReview[0].version` | The OpenShift resource version that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.tokenReview.group` | The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.tokenReview.resource` | The OpenShift resource that the TokenReview will be performed for. | `pods` | +| `openshiftOauthProxy.tokenReview.subresource` | The OpenShift resource that the TokenReview will be performed for. | `exec` | +| `openshiftOauthProxy.tokenReview.name` | The OpenShift resource name that the TokenReview will be performed for. | `""` | +| `openshiftOauthProxy.tokenReview.namespace` | The OpenShift namespace that the TokenReview will be performed for. | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.tokenReview.verb` | The OpenShift resource name that the TokenReview will be performed for. | `create` | +| `openshiftOauthProxy.tokenReview.version` | The OpenShift resource version that the TokenReview will be performed for. | `""` | +| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Other Parameters diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 2ac38a37..3369249d 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl @@ -17,7 +17,7 @@ - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }} - - --openshift-delegate-urls={"/":{{ .Values.openshiftOauthProxy.tokenReview | toJson }}} + - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}} {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 3426a38e..3d6180a2 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -516,6 +516,26 @@ "openshiftOauthProxy": { "type": "object", "properties": { + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the OpenShift OAuth Proxy container image", + "default": "quay.io/openshift/origin-oauth-proxy" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the OpenShift OAuth Proxy container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the OpenShift OAuth Proxy container image", + "default": "latest" + } + } + }, "securityContext": { "type": "object", "properties": { 
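Review bot: With `tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) .` on the `--openshift-delegate-urls` line, every string under `openshiftOauthProxy.tokenReview` is now evaluated as a Helm template and the result is spliced into an unquoted plain YAML scalar, so a value containing `: ` or ` #` (the `name` and `namespace` fields are free-form strings) would alter the structure of the args list rather than end up inside the flag. Quoting the rendered list item keeps the flag intact whatever the content: `- {{ printf "--openshift-delegate-urls={\"/\":%s}" ( tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . ) | quote }}`. The `--openshift-sar` context line above it has the same shape and would benefit from the same treatment. The enclosing container definition starts before this hunk.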
@@ -541,36 +561,12 @@ } } }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string", - "description": "Repository for the OpenShift OAuth Proxy container image", - "default": "quay.io/openshift/origin-oauth-proxy" - }, - "pullPolicy": { - "type": "string", - "description": "Image pull policy for the OpenShift OAuth Proxy container image", - "default": "Always" - }, - "tag": { - "type": "string", - "description": "Tag for the OpenShift OAuth Proxy container image", - "default": "latest" - } - } - }, "accessReview": { "type": "array", - "description": "The OpenShift Namespace that the SubjectAccessReview will be performed for.", + "description": "The OpenShift resource group that the SubjectAccessReview will be performed for", "items": { "type": "object", "properties": { - "namespace": { - "type": "string", - "description": "The OpenShift Namespace that the SubjectAccessReview will be performed for." - }, "group": { "type": "string", "description": "The OpenShift resource group that the SubjectAccessReview will be performed for" @@ -579,9 +575,25 @@ "type": "string", "description": "The OpenShift resource that the SubjectAccessReview will be performed for" }, + "subresource": { + "type": "string", + "description": "The OpenShift subresource that the SubjectAccessReview will be performed for" + }, + "name": { + "type": "string", + "description": "The OpenShift resource name that the SubjectAccessReview will be performed for" + }, + "namespace": { + "type": "string", + "description": "The OpenShift Namespace that the SubjectAccessReview will be performed for." + }, "verb": { "type": "string", "description": "The OpenShift resource verb that the SubjectAccessReview will be performed for" + }, + "version": { + "type": "string", + "description": "The OpenShift resource version that the SubjectAccessReview will be performed for" } } } 
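Review bot: The description on the `accessReview` array now reads `The OpenShift resource group that the SubjectAccessReview will be performed for`, which is the text of the `group` item property rather than a description of the array; in the next hunk (`@@ -596,13 +608,33 @@`) the `tokenReview.subresource` description repeats the `resource` wording and the `tokenReview.verb` description says `resource name`. The same copy-paste text appears in the values.yaml hunk of this commit (`@@ -197,21 +197,35 @@`) and in the README table, which appears to be generated from the `## @param` annotations, so correcting values.yaml is what propagates. Suggested wording: `"description": "The SubjectAccessReviews that the OpenShift OAuth Proxy will perform"` for the array, `The OpenShift subresource that the TokenReview will be performed for.` for `subresource`, and `The OpenShift resource verb that the TokenReview will be performed for.` for `verb`.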
@@ -596,13 +608,33 @@ }, "resource": { "type": "string", - "description": "The OpenShift resource that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure", - "default": "pods/exec" + "description": "The OpenShift resource that the TokenReview will be performed for.", + "default": "pods" + }, + "subresource": { + "type": "string", + "description": "The OpenShift resource that the TokenReview will be performed for.", + "default": "exec" + }, + "name": { + "type": "string", + "description": "The OpenShift resource name that the TokenReview will be performed for.", + "default": "" + }, + "namespace": { + "type": "string", + "description": "The OpenShift namespace that the TokenReview will be performed for.", + "default": "{{ .Release.Namespace }}" }, "verb": { "type": "string", - "description": "The OpenShift resource verb that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure", + "description": "The OpenShift resource name that the TokenReview will be performed for.", "default": "create" + }, + "version": { + "type": "string", + "description": "The OpenShift resource version that the TokenReview will be performed for.", + "default": "" } } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 1079e2ec..af3492e3 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -197,21 +197,35 @@ openshiftOauthProxy: ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image tag: "latest" accessReview: - ## @param openshiftOauthProxy.accessReview[0].namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. - - namespace: "{{ .Release.Namespace }}" ## @param openshiftOauthProxy.accessReview[0].group The OpenShift resource group that the SubjectAccessReview will be performed for - group: "" + - group: "" ## @param openshiftOauthProxy.accessReview[0].resource The OpenShift resource that the SubjectAccessReview will be performed for - resource: "pods/exec" + resource: "pods" + ## @param openshiftOauthProxy.accessReview[0].subresource The OpenShift subresource that the SubjectAccessReview will be performed for + subresource: "exec" + ## @param openshiftOauthProxy.accessReview[0].name The OpenShift resource name that the SubjectAccessReview will be performed for + name: "" + ## @param openshiftOauthProxy.accessReview[0].namespace The OpenShift Namespace that the SubjectAccessReview will be performed for. + namespace: "{{ .Release.Namespace }}" ## @param openshiftOauthProxy.accessReview[0].verb The OpenShift resource verb that the SubjectAccessReview will be performed for verb: "create" + ## @param openshiftOauthProxy.accessReview[0].version The OpenShift resource version that the SubjectAccessReview will be performed for + version: "" tokenReview: ## @param openshiftOauthProxy.tokenReview.group The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure group: "" - ## @param openshiftOauthProxy.tokenReview.resource The OpenShift resource that the TokenReview will be performed for. 
See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure - resource: "pods/exec" - ## @param openshiftOauthProxy.tokenReview.verb The OpenShift resource verb that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure + ## @param openshiftOauthProxy.tokenReview.resource The OpenShift resource that the TokenReview will be performed for. + resource: "pods" + ## @param openshiftOauthProxy.tokenReview.subresource The OpenShift resource that the TokenReview will be performed for. + subresource: "exec" + ## @param openshiftOauthProxy.tokenReview.name The OpenShift resource name that the TokenReview will be performed for. + name: "" + ## @param openshiftOauthProxy.tokenReview.namespace The OpenShift namespace that the TokenReview will be performed for. + namespace: "{{ .Release.Namespace }}" + ## @param openshiftOauthProxy.tokenReview.verb The OpenShift resource name that the TokenReview will be performed for. verb: "create" + ## @param openshiftOauthProxy.tokenReview.version The OpenShift resource version that the TokenReview will be performed for. + version: "" ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: ## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation From 8d832915d5ddb7d84d0ea603baa351e785e32790 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Thu, 18 Apr 2024 11:05:49 -0400 Subject: [PATCH 11/20] secure /api, /grafana, storage separately rather than under / catchall --- charts/cryostat/templates/openshiftOauthProxy.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 3369249d..80a982d4 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl @@ -17,7 +17,7 @@ - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }} - - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}} + - --openshift-delegate-urls={"/api":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/storage":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/grafana":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }} } {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} From e50fcbc58f5f42d2cd153b75ed53b2bec3a47db6 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 24 Apr 2024 13:04:26 -0400 Subject: [PATCH 12/20] do not require auth on /health --- charts/cryostat/templates/openshiftOauthProxy.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 80a982d4..8a1ea3e6 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl 
@@ -17,7 +17,7 @@ - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }} - - --openshift-delegate-urls={"/api":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/storage":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/grafana":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }} } + - --openshift-delegate-urls={"/health":{},"/api":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/storage":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/grafana":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }} } {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} From 67355b475267549915cb4e45055963e5568d151c Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 26 Apr 2024 10:34:09 -0400 Subject: [PATCH 13/20] simplify config for skipping auth on /health --- charts/cryostat/templates/openshiftOauthProxy.tpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 8a1ea3e6..6ba88b88 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl 
@@ -17,7 +17,8 @@ - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }} - - --openshift-delegate-urls={"/health":{},"/api":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/storage":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}, "/grafana":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }} } + - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}} + - --bypass-auth-for=^/health {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} From d58bee852d77bb0ad208a02af1e6a344d794bcc9 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 2 May 2024 10:18:56 -0400 Subject: [PATCH 14/20] safer health check auth bypass regex --- charts/cryostat/templates/oauth2Proxy.tpl | 3 +++ charts/cryostat/templates/openshiftOauthProxy.tpl | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/cryostat/templates/oauth2Proxy.tpl b/charts/cryostat/templates/oauth2Proxy.tpl index 67b2d7b3..bdc7571c 100644 --- a/charts/cryostat/templates/oauth2Proxy.tpl +++ b/charts/cryostat/templates/oauth2Proxy.tpl @@ -22,6 +22,9 @@ {{- if not .Values.authentication.basicAuth.enabled }} - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES value: ".*" + {{- if else }} + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health(/liveness)?$" {{- end }} ports: - containerPort: 4180 diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl index 6ba88b88..44350dac 100644 --- a/charts/cryostat/templates/openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/openshiftOauthProxy.tpl 
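Review bot: `{{- if else }}` in the oauth2Proxy.tpl hunk is not valid Go template syntax — `if` requires a pipeline and `else` is a keyword — so rendering the chart with this commit applied fails at parse time; the intended line is `{{- else }}`. With that fix `OAUTH2_PROXY_SKIP_AUTH_ROUTES` is set exactly once: `.*` when basic auth is disabled (no authentication is performed at all, per the existing branch) and `^/health(/liveness)?$` otherwise, which keeps the probe endpoint reachable without a session while every other route stays behind the proxy, matching the anchored `--bypass-auth-for=^/health(/liveness)?$` the same commit gives the OpenShift proxy. The enclosing container definition starts before the hunk.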
@@ -18,7 +18,7 @@ - --proxy-prefix=/oauth2 - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }} - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}} - - --bypass-auth-for=^/health + - --bypass-auth-for=^/health(/liveness)?$ {{- if .Values.authentication.basicAuth.enabled }} - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} {{- end }} From dd509cf89dd4a42dc3a4adbfea8a6ee58163b759 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 2 May 2024 10:24:30 -0400 Subject: [PATCH 15/20] rename accessReview -> subjectAccessReview, tokenReview -> tokenAccessReview --- charts/cryostat/README.md | 40 +++++++++++++++--------------- charts/cryostat/values.schema.json | 18 +++++++------- charts/cryostat/values.yaml | 32 ++++++++++++------------ 3 files changed, 45 insertions(+), 45 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 256d7b32..78b8894a 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -98,26 +98,26 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op ### OpenShift OAuth Proxy -| Name | Description | Value | -| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | -| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | -| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | -| `openshiftOauthProxy.accessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.accessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods` | -| `openshiftOauthProxy.accessReview[0].subresource` | The OpenShift subresource that the SubjectAccessReview will be performed for | `exec` | -| `openshiftOauthProxy.accessReview[0].name` | The OpenShift resource name that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.accessReview[0].namespace` | The OpenShift Namespace that the SubjectAccessReview will be performed for. 
| `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.accessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | -| `openshiftOauthProxy.accessReview[0].version` | The OpenShift resource version that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.tokenReview.group` | The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | -| `openshiftOauthProxy.tokenReview.resource` | The OpenShift resource that the TokenReview will be performed for. | `pods` | -| `openshiftOauthProxy.tokenReview.subresource` | The OpenShift resource that the TokenReview will be performed for. | `exec` | -| `openshiftOauthProxy.tokenReview.name` | The OpenShift resource name that the TokenReview will be performed for. | `""` | -| `openshiftOauthProxy.tokenReview.namespace` | The OpenShift namespace that the TokenReview will be performed for. | `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.tokenReview.verb` | The OpenShift resource name that the TokenReview will be performed for. | `create` | -| `openshiftOauthProxy.tokenReview.version` | The OpenShift resource version that the TokenReview will be performed for. | `""` | -| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | +| `openshiftOauthProxy.subjectAccessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.subjectAccessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods` | +| `openshiftOauthProxy.subjectAccessReview[0].subresource` | The OpenShift subresource that the SubjectAccessReview will be performed for | `exec` | +| `openshiftOauthProxy.subjectAccessReview[0].name` | The OpenShift resource name that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.subjectAccessReview[0].namespace` | The OpenShift Namespace that the SubjectAccessReview will be performed for. 
| `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.subjectAccessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | +| `openshiftOauthProxy.subjectAccessReview[0].version` | The OpenShift resource version that the SubjectAccessReview will be performed for | `""` | +| `openshiftOauthProxy.tokenAccessReview.group` | The OpenShift resource group that the TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.tokenAccessReview.resource` | The OpenShift resource that the TokenAccessReview will be performed for. | `pods` | +| `openshiftOauthProxy.tokenAccessReview.subresource` | The OpenShift resource that the TokenAccessReview will be performed for. | `exec` | +| `openshiftOauthProxy.tokenAccessReview.name` | The OpenShift resource name that the TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.tokenAccessReview.namespace` | The OpenShift namespace that the TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | +| `openshiftOauthProxy.tokenAccessReview.verb` | The OpenShift resource name that the TokenAccessReview will be performed for. | `create` | +| `openshiftOauthProxy.tokenAccessReview.version` | The OpenShift resource version that the TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Other Parameters diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 3d6180a2..dbcdf07b 100644 
--- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -561,7 +561,7 @@ } } }, - "accessReview": { + "subjectAccessReview": { "type": "array", "description": "The OpenShift resource group that the SubjectAccessReview will be performed for", "items": { 
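Review bot: The rename to `subjectAccessReview` here (and `tokenAccessReview` in the next hunk) is not accompanied by a change to openshiftOauthProxy.tpl — the commit's diffstat lists only README.md, values.schema.json and values.yaml — so the template's `--openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }}` and `--openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}}` would read nil values and render `null` into the proxy arguments unless a later patch in the series updates them; the two template references should be renamed in the same commit so each commit stays deployable. Separately, `TokenAccessReview` is not a Kubernetes API kind: the ClusterRole deleted earlier in the series granted `tokenreviews`, and the fields under this key (group, version, resource, subresource, namespace, name, verb) look like SubjectAccessReview resource attributes, so the descriptions should say what the fields are actually used for rather than naming a review type that does not exist.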
@@ -598,42 +598,42 @@
 }
 }
 },
- "tokenReview": {
+ "tokenAccessReview": {
 "type": "object",
 "properties": {
 "group": {
 "type": "string",
- "description": "The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure",
+ "description": "The OpenShift resource group that the TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure",
 "default": ""
 },
 "resource": {
 "type": "string",
- "description": "The OpenShift resource that the TokenReview will be performed for.",
+ "description": "The OpenShift resource that the TokenAccessReview will be performed for.",
 "default": "pods"
 },
 "subresource": {
 "type": "string",
- "description": "The OpenShift resource that the TokenReview will be performed for.",
+ "description": "The OpenShift resource that the TokenAccessReview will be performed for.",
 "default": "exec"
 },
 "name": {
 "type": "string",
- "description": "The OpenShift resource name that the TokenReview will be performed for.",
+ "description": "The OpenShift resource name that the TokenAccessReview will be performed for.",
 "default": ""
 },
 "namespace": {
 "type": "string",
- "description": "The OpenShift namespace that the TokenReview will be performed for.",
+ "description": "The OpenShift namespace that the TokenAccessReview will be performed for.",
 "default": "{{ .Release.Namespace }}"
 },
 "verb": {
 "type": "string",
- "description": "The OpenShift resource name that the TokenReview will be performed for.",
+ "description": "The OpenShift resource name that the TokenAccessReview will be performed for.",
 "default": "create"
 },
 "version": {
 "type": "string",
- "description": "The OpenShift resource version that the TokenReview will be performed for.",
+ "description": "The OpenShift resource version
that the TokenAccessReview will be performed for.",
 "default": ""
 }
 }
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index af3492e3..725fc253 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -196,35 +196,35 @@ openshiftOauthProxy:
 pullPolicy: Always
 ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
 tag: "latest"
- accessReview:
- ## @param openshiftOauthProxy.accessReview[0].group The OpenShift resource group that the SubjectAccessReview will be performed for
+ subjectAccessReview:
+ ## @param openshiftOauthProxy.subjectAccessReview[0].group The OpenShift resource group that the SubjectAccessReview will be performed for
 - group: ""
- ## @param openshiftOauthProxy.accessReview[0].resource The OpenShift resource that the SubjectAccessReview will be performed for
+ ## @param openshiftOauthProxy.subjectAccessReview[0].resource The OpenShift resource that the SubjectAccessReview will be performed for
 resource: "pods"
- ## @param openshiftOauthProxy.accessReview[0].subresource The OpenShift subresource that the SubjectAccessReview will be performed for
+ ## @param openshiftOauthProxy.subjectAccessReview[0].subresource The OpenShift subresource that the SubjectAccessReview will be performed for
 subresource: "exec"
- ## @param openshiftOauthProxy.accessReview[0].name The OpenShift resource name that the SubjectAccessReview will be performed for
+ ## @param openshiftOauthProxy.subjectAccessReview[0].name The OpenShift resource name that the SubjectAccessReview will be performed for
 name: ""
- ## @param openshiftOauthProxy.accessReview[0].namespace The OpenShift Namespace that the SubjectAccessReview will be performed for.
+ ## @param openshiftOauthProxy.subjectAccessReview[0].namespace The OpenShift Namespace that the SubjectAccessReview will be performed for.
namespace: "{{ .Release.Namespace }}"
- ## @param openshiftOauthProxy.accessReview[0].verb The OpenShift resource verb that the SubjectAccessReview will be performed for
+ ## @param openshiftOauthProxy.subjectAccessReview[0].verb The OpenShift resource verb that the SubjectAccessReview will be performed for
 verb: "create"
- ## @param openshiftOauthProxy.accessReview[0].version The OpenShift resource version that the SubjectAccessReview will be performed for
+ ## @param openshiftOauthProxy.subjectAccessReview[0].version The OpenShift resource version that the SubjectAccessReview will be performed for
 version: ""
- tokenReview:
- ## @param openshiftOauthProxy.tokenReview.group The OpenShift resource group that the TokenReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
+ tokenAccessReview:
+ ## @param openshiftOauthProxy.tokenAccessReview.group The OpenShift resource group that the TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
 group: ""
- ## @param openshiftOauthProxy.tokenReview.resource The OpenShift resource that the TokenReview will be performed for.
+ ## @param openshiftOauthProxy.tokenAccessReview.resource The OpenShift resource that the TokenAccessReview will be performed for.
 resource: "pods"
- ## @param openshiftOauthProxy.tokenReview.subresource The OpenShift resource that the TokenReview will be performed for.
+ ## @param openshiftOauthProxy.tokenAccessReview.subresource The OpenShift resource that the TokenAccessReview will be performed for.
 subresource: "exec"
- ## @param openshiftOauthProxy.tokenReview.name The OpenShift resource name that the TokenReview will be performed for.
+ ## @param openshiftOauthProxy.tokenAccessReview.name The OpenShift resource name that the TokenAccessReview will be performed for.
 name: ""
- ## @param openshiftOauthProxy.tokenReview.namespace The OpenShift namespace that the TokenReview will be performed for.
+ ## @param openshiftOauthProxy.tokenAccessReview.namespace The OpenShift namespace that the TokenAccessReview will be performed for.
 namespace: "{{ .Release.Namespace }}"
- ## @param openshiftOauthProxy.tokenReview.verb The OpenShift resource name that the TokenReview will be performed for.
+ ## @param openshiftOauthProxy.tokenAccessReview.verb The OpenShift resource name that the TokenAccessReview will be performed for.
 verb: "create"
- ## @param openshiftOauthProxy.tokenReview.version The OpenShift resource version that the TokenReview will be performed for.
+ ## @param openshiftOauthProxy.tokenAccessReview.version The OpenShift resource version that the TokenAccessReview will be performed for.
 version: ""
 ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
From c84463d02ad35bf98271f5d45ca1503bc5f076ef Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Thu, 2 May 2024 10:42:16 -0400
Subject: [PATCH 16/20] fixup! rename accessReview -> subjectAccessReview, tokenReview -> tokenAccessReview
---
 charts/cryostat/templates/openshiftOauthProxy.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl
index 44350dac..2cd895a1 100644
--- a/charts/cryostat/templates/openshiftOauthProxy.tpl
+++ b/charts/cryostat/templates/openshiftOauthProxy.tpl
@@ -16,8 +16,8 @@
 - --tls-cert=/etc/tls/private/tls.crt
 - --tls-key=/etc/tls/private/tls.key
 - --proxy-prefix=/oauth2
- - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }}
- - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenReview | toJson ) . }}}
+ - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.subjectAccessReview | toJson ) . }}
+ - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenAccessReview | toJson ) . }}}
 - --bypass-auth-for=^/health(/liveness)?$
 {{- if .Values.authentication.basicAuth.enabled }}
 - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
From e18068cdc4890b69981ea4bb3d1930b239f8e941 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Fri, 3 May 2024 10:30:10 -0400
Subject: [PATCH 17/20] add JMC Agent probes bucket to precreate list
---
 charts/cryostat/templates/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml
index def3a3c7..8ca5060f 100644
--- a/charts/cryostat/templates/deployment.yaml
+++ b/charts/cryostat/templates/deployment.yaml
@@ -153,7 +153,7 @@ spec:
 imagePullPolicy: {{ (.Values.storage).image.pullPolicy }}
 env:
 - name: CRYOSTAT_BUCKETS
- value: archivedrecordings,archivedreports,eventtemplates
+ value: archivedrecordings,archivedreports,eventtemplates,probes
 - name: CRYOSTAT_ACCESS_KEY
 value: cryostat
 - name: CRYOSTAT_SECRET_KEY
From 27bf241ebc27979256fb824de81aaacea8444ae7 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Fri, 3 May 2024 14:58:49 -0400
Subject: [PATCH 18/20] fixup! safer health check auth bypass regex
---
 charts/cryostat/templates/oauth2Proxy.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cryostat/templates/oauth2Proxy.tpl b/charts/cryostat/templates/oauth2Proxy.tpl
index bdc7571c..447bb9fb 100644
--- a/charts/cryostat/templates/oauth2Proxy.tpl
+++ b/charts/cryostat/templates/oauth2Proxy.tpl
@@ -22,7 +22,7 @@
 {{- if not .Values.authentication.basicAuth.enabled }}
 - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
 value: ".*"
- {{- if else }}
+ {{- else }}
 - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
 value: "^/health(/liveness)?$"
 {{- end }}
From 07146558a679044a09fa5f8fd9dc6dec63537847 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 22 May 2024 11:31:04 -0400
Subject: [PATCH 19/20] unify subjectaccessreview/tokenaccessreview config
---
 charts/cryostat/README.md | 41 ++++-----
 .../templates/openshiftOauthProxy.tpl | 4 +-
 charts/cryostat/values.schema.json | 87 ++++++------------
 charts/cryostat/values.yaml | 31 ++-----
 4 files changed, 56 insertions(+), 107 deletions(-)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 78b8894a..dacbef68 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -31,6 +31,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `core.securityContext` | Security Context for the Cryostat container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | | `core.databaseSecretName` | Name of the secret to extract password for credentials database. | `""` | + ### Database Container | Name | Description | Value |
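Review bot: The corrected `{{- else }}` branch is now the only place where the unauthenticated surface is narrowed to `^/health(/liveness)?$`, yet nothing in the template says why those two paths are exempt from the proxy; a comment above the second `- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES`, such as `{{- /* liveness/health probes presumably carry no credentials, so only these two paths skip the proxy; keep the regex anchored */ }}`, would record the intent. The `.*` value in the preceding branch is pre-existing context rather than part of this fix, but a reader comparing the two branches will want the same comment to state that it appears to skip route protection entirely when basic auth is off. The enclosing container definition starts outside the hunk.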
@@ -42,6 +43,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `db.resources` | Resource requests/limits for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `db.securityContext` | Security Context for the database container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Storage Container | Name | Description | Value | @@ -53,6 +55,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `storage.resources` | Resource requests/limits for the storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Grafana Container | Name | Description | Value | 
@@ -66,6 +69,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `grafana.resources` | Resource requests/limits for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `grafana.securityContext` | Security Context for the Grafana container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### JFR Data Source Container | Name | Description | Value | @@ -77,6 +81,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Authentication | Name | Description | Value | 
@@ -87,6 +92,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | | `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | + ### OAuth2 Proxy | Name | Description | Value | 
@@ -96,28 +102,23 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | | `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). 
| `{}` | + ### OpenShift OAuth Proxy -| Name | Description | Value | -| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | -| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | -| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | -| `openshiftOauthProxy.subjectAccessReview[0].group` | The OpenShift resource group that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.subjectAccessReview[0].resource` | The OpenShift resource that the SubjectAccessReview will be performed for | `pods` | -| `openshiftOauthProxy.subjectAccessReview[0].subresource` | The OpenShift subresource that the SubjectAccessReview will be performed for | `exec` | -| `openshiftOauthProxy.subjectAccessReview[0].name` | The OpenShift resource name that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.subjectAccessReview[0].namespace` | The OpenShift Namespace that the SubjectAccessReview will be performed for. 
| `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.subjectAccessReview[0].verb` | The OpenShift resource verb that the SubjectAccessReview will be performed for | `create` | -| `openshiftOauthProxy.subjectAccessReview[0].version` | The OpenShift resource version that the SubjectAccessReview will be performed for | `""` | -| `openshiftOauthProxy.tokenAccessReview.group` | The OpenShift resource group that the TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | -| `openshiftOauthProxy.tokenAccessReview.resource` | The OpenShift resource that the TokenAccessReview will be performed for. | `pods` | -| `openshiftOauthProxy.tokenAccessReview.subresource` | The OpenShift resource that the TokenAccessReview will be performed for. | `exec` | -| `openshiftOauthProxy.tokenAccessReview.name` | The OpenShift resource name that the TokenAccessReview will be performed for. | `""` | -| `openshiftOauthProxy.tokenAccessReview.namespace` | The OpenShift namespace that the TokenAccessReview will be performed for. | `{{ .Release.Namespace }}` | -| `openshiftOauthProxy.tokenAccessReview.verb` | The OpenShift resource name that the TokenAccessReview will be performed for. | `create` | -| `openshiftOauthProxy.tokenAccessReview.version` | The OpenShift resource version that the TokenAccessReview will be performed for. | `""` | -| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` | +| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | +| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` | +| `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` | +| `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `pods` | +| `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` | +| `openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` | +| `openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for. 
| `{{ .Release.Namespace }}` |
+| `openshiftOauthProxy.accessReview.verb` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for. | `create` |
+| `openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for. | `""` |
+| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | + ### Other Parameters
diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl
index 2cd895a1..0dd4d5f0 100644
--- a/charts/cryostat/templates/openshiftOauthProxy.tpl
+++ b/charts/cryostat/templates/openshiftOauthProxy.tpl
@@ -16,8 +16,8 @@
 - --tls-cert=/etc/tls/private/tls.crt
 - --tls-key=/etc/tls/private/tls.key
 - --proxy-prefix=/oauth2
- - --openshift-sar={{ tpl ( .Values.openshiftOauthProxy.subjectAccessReview | toJson ) . }}
- - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.tokenAccessReview | toJson ) . }}}
+ - --openshift-sar=[{{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }}]
+ - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }}}
 - --bypass-auth-for=^/health(/liveness)?$
 {{- if .Values.authentication.basicAuth.enabled }}
 - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index dbcdf07b..73fd2c85 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
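Review bot: The two rewritten flag lines feed the same `accessReview` map into both `--openshift-sar` and `--openshift-delegate-urls`, but the template does not record which caller class each flag gates, nor that the `"/"` key applies the delegated check to every path except those matched by `--bypass-auth-for`. As I read the proxy's flags the first governs users who log in through the OAuth flow and the second applies the same review to callers presenting a bearer token; a comment above the `--openshift-sar` line such as `{{- /* one namespace/resource/subresource/verb check, applied to OAuth-login users (sar) and to bearer-token clients on every path (delegate-urls) */ }}` would make the authorization boundary readable without the proxy's README. Note also that the serialized map passes through `tpl`, so any `{{ }}` inside a user-supplied `accessReview` value is evaluated as a template before it reaches the proxy; that is worth a word in the `## @param` annotations. The container definition holding these args starts outside the hunk.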
@@ -516,26 +516,6 @@
 "openshiftOauthProxy": {
 "type": "object",
 "properties": {
- "image": {
- "type": "object",
- "properties": {
- "repository": {
- "type": "string",
- "description": "Repository for the OpenShift OAuth Proxy container image",
- "default": "quay.io/openshift/origin-oauth-proxy"
- },
- "pullPolicy": {
- "type": "string",
- "description": "Image pull policy for the OpenShift OAuth Proxy container image",
- "default": "Always"
- },
- "tag": {
- "type": "string",
- "description": "Tag for the OpenShift OAuth Proxy container image",
- "default": "latest"
- }
- }
- },
 "securityContext": {
 "type": "object",
 "properties": {
@@ -561,79 +541,62 @@
 }
 }
 },
- "subjectAccessReview": {
- "type": "array",
- "description": "The OpenShift resource group that the SubjectAccessReview will be performed for",
- "items": {
- "type": "object",
- "properties": {
- "group": {
- "type": "string",
- "description": "The OpenShift resource group that the SubjectAccessReview will be performed for"
- },
- "resource": {
- "type": "string",
- "description": "The OpenShift resource that the SubjectAccessReview will be performed for"
- },
- "subresource": {
- "type": "string",
- "description": "The OpenShift subresource that the SubjectAccessReview will be performed for"
- },
- "name": {
- "type": "string",
- "description": "The OpenShift resource name that the SubjectAccessReview will be performed for"
- },
- "namespace": {
- "type": "string",
- "description": "The OpenShift Namespace that the SubjectAccessReview will be performed for."
- },
- "verb": {
- "type": "string",
- "description": "The OpenShift resource verb that the SubjectAccessReview will be performed for"
- },
- "version": {
- "type": "string",
- "description": "The OpenShift resource version that the SubjectAccessReview will be performed for"
- }
+ "image": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string",
+ "description": "Repository for the OpenShift OAuth Proxy container image",
+ "default": "quay.io/openshift/origin-oauth-proxy"
+ },
+ "pullPolicy": {
+ "type": "string",
+ "description": "Image pull policy for the OpenShift OAuth Proxy container image",
+ "default": "Always"
+ },
+ "tag": {
+ "type": "string",
+ "description": "Tag for the OpenShift OAuth Proxy container image",
+ "default": "latest"
 }
 }
 },
- "tokenAccessReview": {
+ "accessReview": {
 "type": "object",
 "properties": {
 "group": {
 "type": "string",
- "description": "The OpenShift resource group that the TokenAccessReview will be performed for.
See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure",
+ "description": "The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure",
 "default": ""
 },
 "resource": {
 "type": "string",
- "description": "The OpenShift resource that the TokenAccessReview will be performed for.",
+ "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.",
 "default": "pods"
 },
 "subresource": {
 "type": "string",
- "description": "The OpenShift resource that the TokenAccessReview will be performed for.",
+ "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.",
 "default": "exec"
 },
 "name": {
 "type": "string",
- "description": "The OpenShift resource name that the TokenAccessReview will be performed for.",
+ "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.",
 "default": ""
 },
 "namespace": {
 "type": "string",
- "description": "The OpenShift namespace that the TokenAccessReview will be performed for.",
+ "description": "The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.",
 "default": "{{ .Release.Namespace }}"
 },
 "verb": {
 "type": "string",
- "description": "The OpenShift resource name that the TokenAccessReview will be performed for.",
+ "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.",
 "default": "create"
 },
 "version": {
 "type": "string",
- "description": "The OpenShift resource version that the TokenAccessReview will be performed for.",
+ "description": "The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.",
"default": ""
 }
 }
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 725fc253..fc5a7192 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -196,35 +196,20 @@ openshiftOauthProxy:
 pullPolicy: Always
 ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
 tag: "latest"
- subjectAccessReview:
- ## @param openshiftOauthProxy.subjectAccessReview[0].group The OpenShift resource group that the SubjectAccessReview will be performed for
- - group: ""
- ## @param openshiftOauthProxy.subjectAccessReview[0].resource The OpenShift resource that the SubjectAccessReview will be performed for
- resource: "pods"
- ## @param openshiftOauthProxy.subjectAccessReview[0].subresource The OpenShift subresource that the SubjectAccessReview will be performed for
- subresource: "exec"
- ## @param openshiftOauthProxy.subjectAccessReview[0].name The OpenShift resource name that the SubjectAccessReview will be performed for
- name: ""
- ## @param openshiftOauthProxy.subjectAccessReview[0].namespace The OpenShift Namespace that the SubjectAccessReview will be performed for.
- namespace: "{{ .Release.Namespace }}"
- ## @param openshiftOauthProxy.subjectAccessReview[0].verb The OpenShift resource verb that the SubjectAccessReview will be performed for
- verb: "create"
- ## @param openshiftOauthProxy.subjectAccessReview[0].version The OpenShift resource version that the SubjectAccessReview will be performed for
- version: ""
- tokenAccessReview:
- ## @param openshiftOauthProxy.tokenAccessReview.group The OpenShift resource group that the TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
+ accessReview:
+ ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for.
See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
 group: ""
- ## @param openshiftOauthProxy.tokenAccessReview.resource The OpenShift resource that the TokenAccessReview will be performed for.
+ ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.
 resource: "pods"
- ## @param openshiftOauthProxy.tokenAccessReview.subresource The OpenShift resource that the TokenAccessReview will be performed for.
+ ## @param openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.
 subresource: "exec"
- ## @param openshiftOauthProxy.tokenAccessReview.name The OpenShift resource name that the TokenAccessReview will be performed for.
+ ## @param openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.
 name: ""
- ## @param openshiftOauthProxy.tokenAccessReview.namespace The OpenShift namespace that the TokenAccessReview will be performed for.
+ ## @param openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.
 namespace: "{{ .Release.Namespace }}"
- ## @param openshiftOauthProxy.tokenAccessReview.verb The OpenShift resource name that the TokenAccessReview will be performed for.
+ ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.
 verb: "create"
- ## @param openshiftOauthProxy.tokenAccessReview.version The OpenShift resource version that the TokenAccessReview will be performed for.
+ ## @param openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.
version: ""
 ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
 securityContext:
From ce7aec0d4632263f6712e2551ba71073ac0206b2 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 29 May 2024 11:00:57 -0400
Subject: [PATCH 20/20] accessreview can be disabled
---
 charts/cryostat/README.md | 1 +
 charts/cryostat/templates/openshiftOauthProxy.tpl | 6 ++++--
 charts/cryostat/values.schema.json | 5 +++++
 charts/cryostat/values.yaml | 2 ++
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index dacbef68..e44b46e9 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
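Review bot: Two of the rewritten `## @param` annotations describe the wrong field: `openshiftOauthProxy.accessReview.verb` is annotated as "The OpenShift resource name …" and `openshiftOauthProxy.accessReview.subresource` as "The OpenShift resource …", both evidently copied from neighbouring lines. Use `## @param openshiftOauthProxy.accessReview.verb The OpenShift resource verb that the SubjectAccessReview/TokenAccessReview will be performed for.` and `## @param openshiftOauthProxy.accessReview.subresource The OpenShift subresource that the SubjectAccessReview/TokenAccessReview will be performed for.`, matching the wording the removed `subjectAccessReview[0]` lines already had. The same text is carried into this commit's `values.schema.json` hunk (the `"verb"` and `"subresource"` descriptions) and its README rows; if those are generated from these annotations they will correct themselves on regeneration, otherwise fix them by hand. The wording was already wrong in the `tokenAccessReview` lines this hunk removes, so this is the natural point to clean it up.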
@@ -110,6 +110,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
 | `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` |
 | `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` |
 | `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` |
+| `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` |
 | `openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` |
 | `openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `pods` |
 | `openshiftOauthProxy.accessReview.subresource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for. | `exec` |
diff --git a/charts/cryostat/templates/openshiftOauthProxy.tpl b/charts/cryostat/templates/openshiftOauthProxy.tpl
index 0dd4d5f0..0c045cb5 100644
--- a/charts/cryostat/templates/openshiftOauthProxy.tpl
+++ b/charts/cryostat/templates/openshiftOauthProxy.tpl
@@ -16,8 +16,10 @@
 - --tls-cert=/etc/tls/private/tls.crt
 - --tls-key=/etc/tls/private/tls.key
 - --proxy-prefix=/oauth2
- - --openshift-sar=[{{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }}]
- - --openshift-delegate-urls={"/":{{ tpl ( .Values.openshiftOauthProxy.accessReview | toJson ) . }}}
+ {{- if .Values.openshiftOauthProxy.accessReview.enabled }}
+ - --openshift-sar=[{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}]
+ - --openshift-delegate-urls={"/":{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}}
+ {{- end }}
 - --bypass-auth-for=^/health(/liveness)?$
 {{- if .Values.authentication.basicAuth.enabled }}
 - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index 73fd2c85..8a27e985 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
@@ -564,6 +564,11 @@
 "accessReview": {
 "type": "object",
 "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.",
+ "default": true
+ },
 "group": {
 "type": "string",
 "description": "The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure",
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index fc5a7192..493d00f7 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
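Review bot: With `accessReview.enabled: false` the new `{{- if }}` block drops both `--openshift-sar` (the check for browser users) and `--openshift-delegate-urls` (the check for bearer-token clients), so the proxy degrades to authentication-only and every identity the cluster can authenticate, service accounts included, is forwarded to Cryostat. Nothing in the template records that this is the intended trade-off, so a later edit could treat the conditional as a plain optional flag; a comment just above it would pin that down, e.g. `{{- /* accessReview.enabled=false removes the SAR/TokenAccessReview authorization step: any authenticated cluster identity then reaches the backend */ }}`. I am not certain how oauth-proxy handles bearer tokens once `--openshift-delegate-urls` is absent, so the "holds a valid token" wording in the README and schema is worth confirming against the proxy's actual behaviour before it is relied on.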
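Review bot: The new `enabled` description states that the proxy "will only check that the user has valid credentials", which under-states the consequence: once the SubjectAccessReview is off, every identity that can authenticate to the cluster is authorized, not only the users the operator had in mind. Suggest extending the description to say so, e.g. `"description": "Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If disabled, the proxy only verifies that the caller is authenticated to the cluster; any authenticated user or service account is then allowed through, so leave this enabled unless another authorization layer protects Cryostat."`. The same sentence appears in the values.yaml comment (the `@@ -197,6 +197,8 @@` hunk) and the README table row, which should carry the same wording.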
@@ -197,6 +197,8 @@ openshiftOauthProxy:
 ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
 tag: "latest"
 accessReview:
+ ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.
+ enabled: true
 ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
 group: ""
 ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.