feat(auth): optionally deploy OpenShift OAuth Proxy (#127)
andrewazores authored Apr 10, 2024
1 parent 09b12e0 commit 76a89b1
Showing 8 changed files with 186 additions and 36 deletions.
11 changes: 11 additions & 0 deletions charts/cryostat/README.md
Expand Up @@ -87,6 +87,7 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op

| Name | Description | Value |
| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one. | `false` |
| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` |
| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` |
| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` |
Expand All @@ -102,6 +103,16 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### OpenShift OAuth Proxy

| Name | Description | Value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/openshift/origin-oauth-proxy` |
| `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` |
| `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `latest` |
| `openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Other Parameters

| Name | Description | Value |
46 changes: 11 additions & 35 deletions charts/cryostat/templates/deployment.yaml
Expand Up @@ -30,41 +30,11 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
securityContext:
{{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
args:
- "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
env:
- name: OAUTH2_PROXY_REDIRECT_URL
value: "http://localhost:4180/oauth2/callback"
- name: OAUTH2_PROXY_COOKIE_SECRET
value: {{ include "cryostat.cookieSecret" . }}
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: "*"
{{- if .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
value: write
- name: OAUTH2_PROXY_HTPASSWD_FILE
value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
{{- end }}
{{- if not .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ".*"
{{- end }}
ports:
- containerPort: 4180
protocol: TCP
volumeMounts:
- name: alpha-config
mountPath: /etc/oauth2_proxy/alpha_config
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
mountPath: /etc/oauth2_proxy/basicauth
readOnly: true
{{- end }}
{{- if .Values.authentication.openshift.enabled }}
{{- include "openshiftOauthProxy" . | nindent 8 }}
{{- else }}
{{- include "oauth2Proxy" . | nindent 8 }}
{{- end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.core.securityContext | nindent 12 }}
Expand Down Expand Up @@ -300,5 +270,11 @@ spec:
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
secret:
defaultMode: 0440
secretName: {{ .Values.authentication.basicAuth.secretName }}
{{- end }}
{{- if .Values.authentication.openshift.enabled }}
- name: {{ .Release.Name }}-proxy-tls
secret:
secretName: {{ .Release.Name }}-proxy-tls
{{- end }}
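Review bot: The new `{{ .Release.Name }}-proxy-tls` volume in the last hunk omits the `defaultMode: 0440` that the adjacent `-htpasswd` volume sets, so the serving-cert private key is projected with the Secret volume's default file mode. Adding `defaultMode: 0440` under its `secret:` key keeps the two volumes consistent and limits the key to owner and group reads. Leaving the volume non-`optional` is the right call: if the serving-cert controller has not issued the Secret yet, the Pod stays pending instead of starting the proxy without TLS material. The enclosing `volumes:` list begins outside the hunk.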
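--- a/charts/cryostat/templates/oauth2Proxy.tpl
+++ b/charts/cryostat/templates/oauth2Proxy.tpl
@@ -0,0 +1,37 @@
+{{- define "oauth2Proxy" }}
+- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
+securityContext:
+{{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
+image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
+args:
+- "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
+imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
+env:
+- name: OAUTH2_PROXY_REDIRECT_URL
+value: "http://localhost:4180/oauth2/callback"
+- name: OAUTH2_PROXY_COOKIE_SECRET
+value: {{ include "cryostat.cookieSecret" . }}
+- name: OAUTH2_PROXY_EMAIL_DOMAINS
+value: "*"
+{{- if .Values.authentication.basicAuth.enabled }}
+- name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
+value: write
+- name: OAUTH2_PROXY_HTPASSWD_FILE
+value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
+{{- end }}
+{{- if not .Values.authentication.basicAuth.enabled }}
+- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
+value: ".*"
+{{- end }}
+ports:
+- containerPort: 4180
+protocol: TCP
+volumeMounts:
+- name: alpha-config
+mountPath: /etc/oauth2_proxy/alpha_config
+{{- if .Values.authentication.basicAuth.enabled }}
+- name: {{ .Release.Name }}-htpasswd
+mountPath: /etc/oauth2_proxy/basicauth
+readOnly: true
+{{- end }}
+{{- end}}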
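Review bot: `OAUTH2_PROXY_COOKIE_SECRET` is rendered as a plain `value: {{ include "cryostat.cookieSecret" . }}` in the container spec, so the cookie-signing secret lands in the Deployment manifest, in the Helm release history and in the view of anyone who can read Pod specs; the same applies to the `--cookie-secret=` argument in openshiftOauthProxy.tpl, where it is additionally visible in the container's process list. If `cryostat.cookieSecret` is backed by a Secret, reference it with `valueFrom.secretKeyRef` (or mount it and point the proxy at the file) rather than inlining the value; the helper is not visible here, so if it generates a fresh random value per render, a Secret template would be needed first. Minor style: the closing `{{- end}}` drops the space used by every other action in the file, `{{- end }}`.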
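--- a/charts/cryostat/templates/openshiftOauthProxy.tpl
+++ b/charts/cryostat/templates/openshiftOauthProxy.tpl
@@ -0,0 +1,36 @@
+{{- define "openshiftOauthProxy" }}
+- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
+securityContext:
+{{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 12 }}
+image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}"
+args:
+- --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }}
+- --upstream=http://localhost:8181/
+- --upstream=http://localhost:3000/grafana/
+- --upstream=http://localhost:8333/storage/
+- --cookie-secret={{ include "cryostat.cookieSecret" . }}
+- --openshift-service-account={{ include "cryostat.serviceAccountName" . }}
+- --proxy-websockets=true
+- --http-address=0.0.0.0:4180
+- --https-address=:8443
+- --tls-cert=/etc/tls/private/tls.crt
+- --tls-key=/etc/tls/private/tls.key
+{{- if .Values.authentication.basicAuth.enabled }}
+- --htpasswd-file=/etc/openshift_oauth_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
+{{- end }}
+imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }}
+ports:
+- containerPort: 4180
+protocol: TCP
+volumeMounts:
+{{- if .Values.authentication.basicAuth.enabled }}
+- name: {{ .Release.Name }}-htpasswd
+mountPath: /etc/openshift_oauth_proxy/basicauth
+readOnly: true
+{{- end }}
+- name: {{ .Release.Name }}-proxy-tls
+mountPath: /etc/tls/private
+resources: {}
+terminationMessagePath: /dev/termination-log
+terminationMessagePolicy: File
+{{- end}}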
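Review bot: The args authenticate users against the cluster OAuth server via `--openshift-service-account=…`, but no authorization flag is configured, so every identity that can log in to the cluster is proxied through to the Cryostat, Grafana and storage upstreams. The OpenShift proxy can gate access on a SubjectAccessReview, for example `- --openshift-sar={"namespace":"{{ .Release.Namespace }}","resource":"pods","verb":"get"}` (constructed example; choose the permission that should grant access), so either add such a check to the args or document that the chart deliberately admits all authenticated cluster users. Separately, `--http-address=0.0.0.0:4180` keeps a plaintext listener beside the TLS one on 8443 and the Service's httpPort still targets 4180, so the hop from Service to Pod stays unencrypted unless callers use the new 443 port; a comment stating that is intentional would help. `resources: {}`, `terminationMessagePath` and `terminationMessagePolicy` are the Kubernetes defaults and can be dropped.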
8 changes: 8 additions & 0 deletions charts/cryostat/templates/service.yaml
Expand Up @@ -6,13 +6,21 @@ metadata:
name: {{ $fullName }}
labels:
{{- include "cryostat.labels" $ | nindent 4 }}
{{- if .Values.authentication.openshift.enabled }}
annotations:
service.alpha.openshift.io/serving-cert-secret-name: {{ .Release.Name }}-proxy-tls
{{- end }}
spec:
type: {{ .Values.core.service.type }}
ports:
- port: {{ .Values.core.service.httpPort }}
targetPort: 4180
protocol: TCP
name: cryostat-http
- port: 443
targetPort: 8443
protocol: TCP
name: cryostat-https
- port: {{ .Values.core.service.jmxPort }}
targetPort: 9091
protocol: TCP
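Review bot: The new `cryostat-https` port (443 → 8443) is added unconditionally, but only the OpenShift proxy template listens on 8443; with `authentication.openshift.enabled` false the oauth2-proxy container exposes 4180 only, so the Service advertises an HTTPS port with no backend. Wrap the entry in `{{- if .Values.authentication.openshift.enabled }}` … `{{- end }}` as the annotation block above it already does. As a style point, `443` is hard-coded while the HTTP port comes from `.Values.core.service.httpPort`; a matching `core.service.httpsPort` value would keep the two configurable in the same way. The `ports:` list continues outside the hunk.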
2 changes: 1 addition & 1 deletion charts/cryostat/templates/serviceaccount.yaml
@@ -1,4 +1,4 @@
{{- if .Values.core.route.enabled -}}
{{- if .Values.authentication.openshift.enabled -}}
{{- $fullName := include "cryostat.fullname" . -}}
{{- $redirectAnnotations := dict "serviceaccounts.openshift.io/oauth-redirectreference.primary" (printf "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"%s\"}}" $fullName) -}}
{{- $_ := merge .Values.serviceAccount.annotations $redirectAnnotations -}}
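Review bot: Gating the redirect annotation on `authentication.openshift.enabled` alone decouples it from `core.route.enabled`, yet the `OAuthRedirectReference` two lines below still names the Route `$fullName`; if OpenShift auth is enabled without the Route, the OAuth redirect points at a Route that is never created and browser logins through the proxy cannot complete. Either condition the block on both, `{{- if and .Values.authentication.openshift.enabled .Values.core.route.enabled -}}`, or state in the `authentication.openshift.enabled` parameter description that it requires `core.route.enabled`. The `{{- end }}` closing this block is outside the hunk.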
60 changes: 60 additions & 0 deletions charts/cryostat/values.schema.json
Expand Up @@ -473,9 +473,69 @@
}
}
},
"openshiftOauthProxy": {
"type": "object",
"properties": {
"securityContext": {
"type": "object",
"properties": {
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"description": "",
"default": [
"ALL"
],
"items": {
"type": "string"
}
}
}
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "",
"default": false
}
}
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"description": "Repository for the OpenShift OAuth Proxy container image",
"default": "quay.io/openshift/origin-oauth-proxy"
},
"pullPolicy": {
"type": "string",
"description": "Image pull policy for the OpenShift OAuth Proxy container image",
"default": "Always"
},
"tag": {
"type": "string",
"description": "Tag for the OpenShift OAuth Proxy container image",
"default": "latest"
}
}
}
}
},
"authentication": {
"type": "object",
"properties": {
"openshift": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.",
"default": false
}
}
},
"basicAuth": {
"type": "object",
"properties": {
22 changes: 22 additions & 0 deletions charts/cryostat/values.yaml
Expand Up @@ -155,6 +155,9 @@ datasource:
## @section Authentication

authentication:
openshift:
## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.
enabled: false
basicAuth:
## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication
enabled: false
Expand Down Expand Up @@ -182,6 +185,25 @@ oauth2Proxy:
drop:
- ALL

## @section OpenShift OAuth Proxy

openshiftOauthProxy:
image:
## @param openshiftOauthProxy.image.repository Repository for the OpenShift OAuth Proxy container image
repository: "quay.io/openshift/origin-oauth-proxy"
## @param openshiftOauthProxy.image.pullPolicy Image pull policy for the OpenShift OAuth Proxy container image
pullPolicy: Always
## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image
tag: "latest"
## @param openshiftOauthProxy.securityContext [object] Security Context for the OpenShift OAuth Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
securityContext:
## @skip openshiftOauthProxy.securityContext.allowPrivilegeEscalation
allowPrivilegeEscalation: false
## @skip openshiftOauthProxy.securityContext.capabilities
capabilities:
drop:
- ALL

## @section Other Parameters

## @param imagePullSecrets [array] Image pull secrets to be used for the Cryostat deployment
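Review bot: `openshiftOauthProxy.image.tag` defaults to `"latest"` with `pullPolicy: Always`, so each Pod start may pull a different, unreviewed build of the component that enforces authentication for the whole deployment. Defaulting to a versioned tag, and noting in the `## @param openshiftOauthProxy.image.tag` text that a `repository@sha256:…` digest can be used for pinning, would make proxy upgrades deliberate and reproducible; the `oauth2Proxy.image.tag` default is not visible here, so align with it if that one is already pinned. The README table and values.schema.json appear to be derived from these `@param` lines, so the default should change there as well.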
