feat(openshift): add configuration for proxy SubjectAccessReview

charts/cryostat/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and (.Values.rbac.create) (.Values.authentication.openshift.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cryostat.fullname" . }}
+  labels:
+    {{- include "cryostat.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.authentication.openshift.clusterRole.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cryostat.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/cryostat/templates/deployment.yaml

@@ -153,7 +153,7 @@ spec:
           imagePullPolicy: {{ (.Values.storage).image.pullPolicy }}
           env:
           - name: CRYOSTAT_BUCKETS
-            value: archivedrecordings,archivedreports,eventtemplates
+            value: archivedrecordings,archivedreports,eventtemplates,probes
           - name: CRYOSTAT_ACCESS_KEY
             value: cryostat
           - name: CRYOSTAT_SECRET_KEY

charts/cryostat/templates/oauth2Proxy.tpl

@@ -22,6 +22,9 @@
     {{- if not .Values.authentication.basicAuth.enabled }}
     - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
       value: ".*"
+    {{- else }}
+    - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
+      value: "^/health(/liveness)?$"
     {{- end }}
   ports:
     - containerPort: 4180

charts/cryostat/templates/openshiftOauthProxy.tpl

@@ -16,6 +16,11 @@
     - --tls-cert=/etc/tls/private/tls.crt
     - --tls-key=/etc/tls/private/tls.key
     - --proxy-prefix=/oauth2
+    {{- if .Values.openshiftOauthProxy.accessReview.enabled }}
+    - --openshift-sar=[{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}]
+    - --openshift-delegate-urls={"/":{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}}
+    {{- end }}
+    - --bypass-auth-for=^/health(/liveness)?$
     {{- if .Values.authentication.basicAuth.enabled }}
     - --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
     {{- end }}

charts/cryostat/values.schema.json

@@ -468,6 +468,51 @@
                 }
             }
         },
+        "authentication": {
+            "type": "object",
+            "properties": {
+                "openshift": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.",
+                            "default": false
+                        },
+                        "clusterRole": {
+                            "type": "object",
+                            "properties": {
+                                "name": {
+                                    "type": "string",
+                                    "description": "The name of the ClusterRole to bind for the OpenShift OAuth Proxy",
+                                    "default": "system:auth-delegator"
+                                }
+                            }
+                        }
+                    }
+                },
+                "basicAuth": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication",
+                            "default": false
+                        },
+                        "secretName": {
+                            "type": "string",
+                            "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**",
+                            "default": ""
+                        },
+                        "filename": {
+                            "type": "string",
+                            "description": "Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**",
+                            "default": ""
+                        }
+                    }
+                }
+            }
+        },
         "openshiftOauthProxy": {
             "type": "object",
             "properties": {
@@ -515,38 +560,48 @@
                             "default": "latest"
                         }
                     }
-                }
-            }
-        },
-        "authentication": {
-            "type": "object",
-            "properties": {
-                "openshift": {
-                    "type": "object",
-                    "properties": {
-                        "enabled": {
-                            "type": "boolean",
-                            "description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.",
-                            "default": false
-                        }
-                    }
                 },
-                "basicAuth": {
+                "accessReview": {
                     "type": "object",
                     "properties": {
                         "enabled": {
                             "type": "boolean",
-                            "description": "Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication",
-                            "default": false
+                            "description": "Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.",
+                            "default": true
                         },
-                        "secretName": {
+                        "group": {
                             "type": "string",
-                            "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**",
+                            "description": "The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure",
                             "default": ""
                         },
-                        "filename": {
+                        "resource": {
                             "type": "string",
-                            "description": "Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**",
+                            "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.",
+                            "default": "pods"
+                        },
+                        "subresource": {
+                            "type": "string",
+                            "description": "The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.",
+                            "default": "exec"
+                        },
+                        "name": {
+                            "type": "string",
+                            "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.",
+                            "default": ""
+                        },
+                        "namespace": {
+                            "type": "string",
+                            "description": "The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.",
+                            "default": "{{ .Release.Namespace }}"
+                        },
+                        "verb": {
+                            "type": "string",
+                            "description": "The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.",
+                            "default": "create"
+                        },
+                        "version": {
+                            "type": "string",
+                            "description": "The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.",
                             "default": ""
                         }
                     }

charts/cryostat/values.yaml

@@ -156,6 +156,9 @@ authentication:
   openshift:
     ## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.
     enabled: false
+    clusterRole:
+      ## @param authentication.openshift.clusterRole.name The name of the ClusterRole to bind for the OpenShift OAuth Proxy
+      name: system:auth-delegator
   basicAuth:
     ## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication
     enabled: false
@@ -193,6 +196,23 @@ openshiftOauthProxy:
     pullPolicy: Always
     ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
     tag: "latest"
+  accessReview:
+    ## @param openshiftOauthProxy.accessReview.enabled Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token.
+    enabled: true
+    ## @param openshiftOauthProxy.accessReview.group The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure
+    group: ""
+    ## @param openshiftOauthProxy.accessReview.resource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.
+    resource: "pods"
+    ## @param openshiftOauthProxy.accessReview.subresource The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for.
+    subresource: "exec"
+    ## @param openshiftOauthProxy.accessReview.name The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.
+    name: ""
+    ## @param openshiftOauthProxy.accessReview.namespace The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for.
+    namespace: "{{ .Release.Namespace }}"
+    ## @param openshiftOauthProxy.accessReview.verb The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for.
+    verb: "create"
+    ## @param openshiftOauthProxy.accessReview.version The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for.
+    version: ""
   ## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
   securityContext:
     ## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation