From ece316618a93effd7ee38d6e2ba7327615e013d2 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 18 Jan 2024 15:56:09 -0500 Subject: [PATCH 01/25] added auth2-proxy and put storage behind auth2-proxy --- charts/cryostat/templates/auth_proxy.yaml | 30 +++++++++++++++++++ .../templates/auth_proxy_alpha_config.yaml | 17 +++++++++++ charts/cryostat/templates/auth_proxy_htpasswd | 1 + 3 files changed, 48 insertions(+) create mode 100644 charts/cryostat/templates/auth_proxy.yaml create mode 100644 charts/cryostat/templates/auth_proxy_alpha_config.yaml create mode 100644 charts/cryostat/templates/auth_proxy_htpasswd diff --git a/charts/cryostat/templates/auth_proxy.yaml b/charts/cryostat/templates/auth_proxy.yaml new file mode 100644 index 00000000..e66a83bd --- /dev/null +++ b/charts/cryostat/templates/auth_proxy.yaml @@ -0,0 +1,30 @@ +version: "3" +services: + auth: + depends_on: + cryostat: + condition: service_healthy + deploy: + resources: + limits: + cpus: "0.1" + memory: 1024M + image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest} + command: --alpha-config=./auth_proxy_alpha_config.yaml + ports: + - "8080:8080" + hostname: auth + labels: + kompose.service.expose: "auth" + environment: + OAUTH2_PROXY_HTPASSWD_FILE: ./auth_proxy_htpasswd + OAUTH2_PROXY_HTPASSWD_USER_GROUP: write + OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback + OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ + restart: unless-stopped + healthcheck: + test: wget -q --spider http://localhost:8080/ping || exit 1 + interval: 10s + retries: 3 + start_period: 30s + timeout: 5s diff --git a/charts/cryostat/templates/auth_proxy_alpha_config.yaml b/charts/cryostat/templates/auth_proxy_alpha_config.yaml new file mode 100644 index 00000000..62f78697 --- /dev/null +++ b/charts/cryostat/templates/auth_proxy_alpha_config.yaml 
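Review bot: `OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_` is a literal placeholder committed into the chart, so any deployment that renders this file unchanged signs and encrypts its session cookies with a publicly known key; the value belongs in a Secret consumed through `secretKeyRef`, or in a generated value, never in the template itself. The file is a Compose service definition (`version: "3"`, `services:`, `${OAUTH2_PROXY_IMAGE:-...}`) placed under `charts/cryostat/templates/`, where Helm renders every file as a Kubernetes manifest, so as far as I can tell `helm install` would submit it to the API server and fail. `OAUTH2_PROXY_HTPASSWD_FILE: ./auth_proxy_htpasswd` is a path relative to the proxy's working directory inside the container, and no volume in this file places the htpasswd file there. The default image tag `:latest` for the authentication gateway should be pinned to a release tag.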
@@ -0,0 +1,17 @@ +server: + BindAddress: http://0.0.0.0:8080 +upstreamConfig: + proxyRawPath: true + upstreams: + - id: storage + path: ^/storage/(.*)$ + rewriteTarget: /$1 + uri: http://s3:${STORAGE_PORT} + passHostHeader: false + proxyWebSockets: false +providers: + - id: dummy + name: Unused - Sign In Below + clientId: CLIENT_ID + clientSecret: CLIENT_SECRET + provider: google diff --git a/charts/cryostat/templates/auth_proxy_htpasswd b/charts/cryostat/templates/auth_proxy_htpasswd new file mode 100644 index 00000000..12d0a5ff --- /dev/null +++ b/charts/cryostat/templates/auth_proxy_htpasswd @@ -0,0 +1 @@ +user:$apr1$XXso02zP$SMduzjhNkMVNp2CgTDSND1 From c7be386e22781c940239b5495dd2b9b190d0d374 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 18 Jan 2024 16:15:12 -0500 Subject: [PATCH 02/25] added auth2-proxy --- charts/cryostat/templates/auth_proxy.yaml | 10 ---------- .../templates/auth_proxy_alpha_config.yaml | 17 ----------------- 2 files changed, 27 deletions(-) delete mode 100644 charts/cryostat/templates/auth_proxy_alpha_config.yaml diff --git a/charts/cryostat/templates/auth_proxy.yaml b/charts/cryostat/templates/auth_proxy.yaml index e66a83bd..34f018dc 100644 --- a/charts/cryostat/templates/auth_proxy.yaml +++ b/charts/cryostat/templates/auth_proxy.yaml @@ -18,13 +18,3 @@ services: kompose.service.expose: "auth" environment: OAUTH2_PROXY_HTPASSWD_FILE: ./auth_proxy_htpasswd - OAUTH2_PROXY_HTPASSWD_USER_GROUP: write - OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback - OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ - restart: unless-stopped - healthcheck: - test: wget -q --spider http://localhost:8080/ping || exit 1 - interval: 10s - retries: 3 - start_period: 30s - timeout: 5s diff --git a/charts/cryostat/templates/auth_proxy_alpha_config.yaml b/charts/cryostat/templates/auth_proxy_alpha_config.yaml deleted file mode 100644 index 62f78697..00000000 --- a/charts/cryostat/templates/auth_proxy_alpha_config.yaml +++ /dev/null 
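Review bot: `clientId: CLIENT_ID` and `clientSecret: CLIENT_SECRET` are committed placeholders for a `google` provider that the `name: Unused - Sign In Below` label says is not meant to be used; if the placeholders are ever swapped for real values this file is the wrong place for a client secret, so a comment such as `# placeholder provider; real client credentials must come from a Secret, not this file` would prevent that. The storage upstream `path: ^/storage/(.*)$` with `rewriteTarget: /$1` forwards the whole object-store API at `uri: http://s3:${STORAGE_PORT}` to every authenticated user, which deserves a comment on the upstream so the exposure is deliberate. `${STORAGE_PORT}` is shell-style substitution; I don't believe oauth2-proxy expands variables inside the alpha config file, so the value would be used literally — confirm.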
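Review bot: `user:$apr1$XXso02zP$SMduzjhNkMVNp2CgTDSND1` commits a fixed login for the account `user` into the chart, so every installation that ships this file shares one credential whose hash is public and can be attacked offline. `$apr1$` is the Apache MD5-crypt scheme; to my recollection oauth2-proxy's htpasswd support only accepts bcrypt and SHA-1 entries, so this line would be rejected or ignored — confirm against the proxy version used. The chart already has `authentication.basicAuth.secretName` for operator-supplied credentials (used by the deployment hunk in patch 06); htpasswd users should come from such a Secret rather than from a file in the repository.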
@@ -1,17 +0,0 @@ -server: - BindAddress: http://0.0.0.0:8080 -upstreamConfig: - proxyRawPath: true - upstreams: - - id: storage - path: ^/storage/(.*)$ - rewriteTarget: /$1 - uri: http://s3:${STORAGE_PORT} - passHostHeader: false - proxyWebSockets: false -providers: - - id: dummy - name: Unused - Sign In Below - clientId: CLIENT_ID - clientSecret: CLIENT_SECRET - provider: google From 73514b42e377399c018e85484294565cf134fab7 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 18 Jan 2024 16:21:08 -0500 Subject: [PATCH 03/25] removed command:alpha --- charts/cryostat/templates/auth_proxy.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/cryostat/templates/auth_proxy.yaml b/charts/cryostat/templates/auth_proxy.yaml index 34f018dc..3abe7558 100644 --- a/charts/cryostat/templates/auth_proxy.yaml +++ b/charts/cryostat/templates/auth_proxy.yaml @@ -10,7 +10,6 @@ services: cpus: "0.1" memory: 1024M image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest} - command: --alpha-config=./auth_proxy_alpha_config.yaml ports: - "8080:8080" hostname: auth From f1cc80987e4f656ce6f172e26e0a467305d3705b Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Mon, 22 Jan 2024 14:25:57 -0500 Subject: [PATCH 04/25] re-implement --- charts/cryostat/templates/auth2_proxy.yaml | 6 ++++++ charts/cryostat/templates/auth_proxy.yaml | 19 ------------------- charts/cryostat/templates/auth_proxy_htpasswd | 2 +- charts/cryostat/templates/deployment.yaml | 13 +++++++++++++ charts/cryostat/values.yaml | 16 +++++++++++++--- 5 files changed, 33 insertions(+), 23 deletions(-) create mode 100644 charts/cryostat/templates/auth2_proxy.yaml delete mode 100644 charts/cryostat/templates/auth_proxy.yaml diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml new file mode 100644 index 00000000..8d41030a --- /dev/null +++ b/charts/cryostat/templates/auth2_proxy.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-auth-proxy-secret +data: + users.auth_proxy_htpasswd: {{ .Files.Get "templates/auth_proxy_htpasswd" | b64enc | quote }} diff --git a/charts/cryostat/templates/auth_proxy.yaml b/charts/cryostat/templates/auth_proxy.yaml deleted file mode 100644 index 3abe7558..00000000 --- a/charts/cryostat/templates/auth_proxy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -version: "3" -services: - auth: - depends_on: - cryostat: - condition: service_healthy - deploy: - resources: - limits: - cpus: "0.1" - memory: 1024M - image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest} - ports: - - "8080:8080" - hostname: auth - labels: - kompose.service.expose: "auth" - environment: - OAUTH2_PROXY_HTPASSWD_FILE: ./auth_proxy_htpasswd diff --git a/charts/cryostat/templates/auth_proxy_htpasswd b/charts/cryostat/templates/auth_proxy_htpasswd index 12d0a5ff..0398db4f 100644 --- a/charts/cryostat/templates/auth_proxy_htpasswd +++ b/charts/cryostat/templates/auth_proxy_htpasswd @@ -1 +1 @@ -user:$apr1$XXso02zP$SMduzjhNkMVNp2CgTDSND1 +user:$2y$05$.p1/68oBWKX1FhAtZOArYOoNoMqsB4yuUNXGOeSATHPq3geKqEaZS diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 948ed256..4245cfb5 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
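Review bot: `.Files.Get "templates/auth_proxy_htpasswd"` reads from under `templates/`, which Helm's `.Files` API excludes, so as far as I can tell this renders an empty `users.auth_proxy_htpasswd` value (patch 11 later moves the file to the chart root). The Secret is also created unconditionally from a credential file bundled in the chart, so every release gets the same default login — this applies equally to the reworked versions of this template in patches 11, 12 and 13. Consider gating the resource on a value and requiring an operator-supplied Secret name instead, and add `type: Opaque`.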
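Review bot: the replacement entry `user:$2y$05$...` uses bcrypt with cost factor 05, well below the commonly recommended minimum of 10, and it remains a shared default credential checked into the repository. If a bundled example must stay, generate it with a cost of at least 10 and document next to it that the account must be replaced before the proxy is exposed.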
@@ -194,6 +194,16 @@ spec: securityContext: {{- toYaml .Values.storage.securityContext | nindent 12 }} {{- if not .Values.minimal }} + - name: {{ printf "%s-%s" .Chart.Name "auth-proxy" }} + securityContext: + {{- toYaml .Values.authProxy.securityContext | nindent 12 }} + image: "{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag }}" + imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }} + args: + - "--config=/etc/oauth2_proxy/oauth2_proxy.cfg" + volumeMounts: + - mountPath: /etc/oauth2_proxy + name: {{ auth-proxy-config }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: {{- toYaml .Values.grafana.securityContext | nindent 12 }} @@ -257,3 +267,6 @@ spec: - name: {{ .Chart.Name }} emptyDir: {} {{- end }} + - name: auth-proxy-config + secret: + secretName: {{ .Release.Name }}-auth-proxy-secret diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 6bf13025..f0d4f657 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -59,7 +59,7 @@ core: ## @skip core.securityContext.capabilities capabilities: drop: - - ALL + - ALL ## @param core.databaseSecretName Name of the secret to extract password for credentials database. databaseSecretName: "" @@ -164,7 +164,7 @@ grafana: ## @skip grafana.securityContext.capabilities capabilities: drop: - - ALL + - ALL ## @section JFR Data Source Container ## @extra datasource Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana @@ -185,7 +185,7 @@ datasource: ## @skip datasource.securityContext.capabilities capabilities: drop: - - ALL + - ALL ## @section Authentication 
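Review bot: `name: {{ auth-proxy-config }}` in the volumeMounts is not a valid template action — Go's template parser will reject `auth-proxy-config` as an expression — so the chart fails to render; the literal is wanted: `name: auth-proxy-config`. The container reads `.Values.authProxy.*` while the values hunk in the same commit adds the settings under `oauth2Proxy`, so image, tag and securityContext render empty. The htpasswd Secret is mounted at `/etc/oauth2_proxy` but the only argument is `--config=/etc/oauth2_proxy/oauth2_proxy.cfg`, a file the Secret does not contain, and the mount lacks `readOnly: true`. The second hunk adds the matching `auth-proxy-config` volume; the enclosing pod spec starts and ends outside both hunks.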
@@ -198,6 +198,16 @@ authentication: ## @param authentication.basicAuth.filename Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** filename: "" +oauth2Proxy: + ## @param authentication.oauth2Proxy.enabled Whether Cryostat should use OAuth2 Proxy for authentication. When true, Cryostat will authenticate users via OAuth2 Proxy. + enabled: true + ## @param authentication.oauth2Proxy.htpasswdFile Path to the htpasswd file for additional user authentication + htpasswdFile: "templates/auth_proxy_htpasswd" + ## @param authentication.oauth2Proxy.cookieSecret Secret key for encrypting OAuth2 Proxy cookies + cookieSecret: __24_BYTE_COOKIE_SECRET_ + ## @param authentication.oauth2Proxy.redirectURL OAuth2 Proxy redirect URL (e.g., "https://cryostat.yourdomain.com/oauth2/callback") + redirectURL: "http://localhost:8181/oauth2/callback" + ## @section Other Parameters ## @param minimal Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source From 2a33c6a53e0745dbba0d5be1d63d8283e6ea058d Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Mon, 22 Jan 2024 21:14:11 -0500 Subject: [PATCH 05/25] removed args on auth2_proxy on deployment.yaml --- charts/cryostat/templates/deployment.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 4245cfb5..5274ce77 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
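Review bot: `cookieSecret: __24_BYTE_COOKIE_SECRET_` as a default in values.yaml means every install that does not override it uses the same publicly known key for its session cookies; the default should be empty, with the template generating a value or failing via `required`, rather than a fixed string. `+oauth2Proxy:` is added at column 0, so the key is `.Values.oauth2Proxy`, yet every `## @param` line documents it as `authentication.oauth2Proxy.*`; one of the two needs to move. As far as the series shows, `enabled: true` and `redirectURL` are not read by any template — the deployment hard-codes the redirect URL — and the example `http://localhost:8181/oauth2/callback` is plain HTTP, so at minimum the documented example should use `https://`.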
@@ -199,8 +199,6 @@ spec: {{- toYaml .Values.authProxy.securityContext | nindent 12 }} image: "{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag }}" imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }} - args: - - "--config=/etc/oauth2_proxy/oauth2_proxy.cfg" volumeMounts: - mountPath: /etc/oauth2_proxy name: {{ auth-proxy-config }} From 904da009eb3bc48d97327aba4b2d020af444e1bd Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 24 Jan 2024 11:58:59 -0500 Subject: [PATCH 06/25] resolved issues --- charts/cryostat/templates/_helpers.tpl | 11 ++++++++++ charts/cryostat/templates/deployment.yaml | 26 +++++++++++++++++------ charts/cryostat/values.yaml | 19 ++++++++++++++--- 3 files changed, 47 insertions(+), 9 deletions(-) diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index e97109b9..dc76bf86 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -114,3 +114,14 @@ Get or generate a default secret key for object storage {{- (randAlphaNum 32) | b64enc | quote -}} {{- end -}} {{- end -}} + +{{/* +Generate a default value for cookieSecret. +*/}} +{{- define "cryostat.defaultCookieSecret" -}} +{{- if .Values.oauth2Proxy.cookieSecret }} +{{- .Values.oauth2Proxy.cookieSecret | quote }} +{{- else }} +{{- (randAlphaNum 24) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 5274ce77..2aa01e04 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
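Review bot: `cryostat.defaultCookieSecret` falls back to `randAlphaNum 24 | b64enc`, which produces a fresh value on every render, so each `helm upgrade` rotates the cookie key and logs every user out; a stable secret needs either a `lookup` of an existing Secret (as patch 12 attempts) or an operator-supplied value. The only caller in this series is values.yaml (`cookieSecret: { { include "cryostat.defaultCookieSecret" . } }` in the next hunk), and values.yaml is never passed through the template engine, so the helper is effectively unused. The header comment should state the caveat: `{{/* Returns .Values.oauth2Proxy.cookieSecret if set, otherwise a random value that changes on every render. */}}`.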
@@ -194,14 +194,23 @@ spec: securityContext: {{- toYaml .Values.storage.securityContext | nindent 12 }} {{- if not .Values.minimal }} - - name: {{ printf "%s-%s" .Chart.Name "auth-proxy" }} + - name: {{ printf "%s-%s" .Chart.Name "oauth2proxy" }} securityContext: - {{- toYaml .Values.authProxy.securityContext | nindent 12 }} - image: "{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag }}" - imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }} + {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }} + image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" + imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} + env: + - name: CRYOSTAT_OAUTH2PROXY_URL + value: "http://localhost:8181/oauth2/callback" volumeMounts: - - mountPath: /etc/oauth2_proxy - name: {{ auth-proxy-config }} + - name: auth-proxy-config + mountPath: /etc/oauth2_proxy + readOnly: true + {{- if .Values.authentication.basicAuth.enabled }} + - name: basic-auth-secret + mountPath: /etc/oauth2_proxy/basic-auth-secret + readOnly: true + {{- end }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: {{- toYaml .Values.grafana.securityContext | nindent 12 }} @@ -268,3 +277,8 @@ spec: - name: auth-proxy-config secret: secretName: {{ .Release.Name }}-auth-proxy-secret + {{- if .Values.authentication.basicAuth.enabled }} + - name: basic-auth-secret + secret: + secretName: {{ .Values.authentication.basicAuth.secretName }} + {{- end }} diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index f0d4f657..38ee285d 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
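Review bot: `CRYOSTAT_OAUTH2PROXY_URL` is not a setting oauth2-proxy reads (its variables are `OAUTH2_PROXY_*`; patch 08 corrects the name), and its value `http://localhost:8181/oauth2/callback` is hard-coded while `.Values.oauth2Proxy.redirectURL` exists in values.yaml at this point — the env should take `{{ .Values.oauth2Proxy.redirectURL | quote }}`. Neither the `auth-proxy-config` nor the `basic-auth-secret` mount is referenced by an `--htpasswd-file` argument or an `OAUTH2_PROXY_HTPASSWD_FILE` variable, so as far as this hunk shows the proxy never loads the htpasswd users. The second hunk wires `secretName: {{ .Values.authentication.basicAuth.secretName }}` with no `required` guard, so `basicAuth.enabled: true` with an empty name renders an invalid volume. The container list and the volumes list both begin outside these hunks.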
@@ -204,9 +204,22 @@ oauth2Proxy: ## @param authentication.oauth2Proxy.htpasswdFile Path to the htpasswd file for additional user authentication htpasswdFile: "templates/auth_proxy_htpasswd" ## @param authentication.oauth2Proxy.cookieSecret Secret key for encrypting OAuth2 Proxy cookies - cookieSecret: __24_BYTE_COOKIE_SECRET_ - ## @param authentication.oauth2Proxy.redirectURL OAuth2 Proxy redirect URL (e.g., "https://cryostat.yourdomain.com/oauth2/callback") - redirectURL: "http://localhost:8181/oauth2/callback" + cookieSecret: { { include "cryostat.defaultCookieSecret" . } } + image: + ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image + repository: "quay.io/cryostat/oauth2-proxy" + ## @param authentication.oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image + pullPolicy: Always + ## @param authentication.oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image + tag: "latest" + ## @param authentication.oauth2proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + securityContext: + ## @skip authentication.oauth2proxy.securityContext.allowPrivilegeEscalation + allowPrivilegeEscalation: false + ## @skip authentication.oauth2proxy.securityContext.capabilities + capabilities: + drop: + - ALL ## @section Other Parameters From 09f386263d5d442578c2aa5e73e05db06110d4a0 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 24 Jan 2024 16:14:56 -0500 Subject: [PATCH 07/25] resolved issues 2 --- charts/cryostat/templates/deployment.yaml | 2 +- charts/cryostat/values.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
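Review bot: `cookieSecret: { { include "cryostat.defaultCookieSecret" . } }` cannot work — values.yaml is plain YAML that Helm does not template, so this is parsed as a flow mapping whose key is itself a mapping (which some parsers reject outright) and never yields a secret; keep the key empty and do the `include` in the Deployment template. `tag: "latest"` combined with `pullPolicy: Always` leaves the authentication gateway image unpinned and changing underneath the deployment; pin a released version tag or a digest. The `## @param authentication.oauth2proxy.securityContext` lines use a different case from the `authentication.oauth2Proxy.*` lines above them, which will split the generated documentation.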
diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 2aa01e04..f2086096 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -200,7 +200,7 @@ spec: image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - - name: CRYOSTAT_OAUTH2PROXY_URL + - name: redirectURL value: "http://localhost:8181/oauth2/callback" volumeMounts: - name: auth-proxy-config diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 38ee285d..c719761c 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -82,7 +82,7 @@ db: ## @skip db.securityContext.capabilities capabilities: drop: - - ALL + - ALL ## @section Storage Container ## @extra Configuration for Cryostat's object storage provider @@ -103,7 +103,7 @@ storage: ## @skip storage.securityContext.capabilities capabilities: drop: - - ALL + - ALL ## @section Grafana Container ## @extra grafana Configuration for the customized Grafana instance for Cryostat @@ -207,7 +207,7 @@ oauth2Proxy: cookieSecret: { { include "cryostat.defaultCookieSecret" . } } image: ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image - repository: "quay.io/cryostat/oauth2-proxy" + repository: "quay.io/oauth2-proxy/oauth2-proxy" ## @param authentication.oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image pullPolicy: Always ## @param authentication.oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image From b3cb431b2b3796adcb92a30545fb3ff7be03c998 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 24 Jan 2024 17:32:08 -0500 Subject: [PATCH 08/25] provide right name for url:env variable --- charts/cryostat/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index f2086096..3fb24596 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -200,7 +200,7 @@ spec: image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - - name: redirectURL + - name: OAUTH2_PROXY_REDIRECT_URL value: "http://localhost:8181/oauth2/callback" volumeMounts: - name: auth-proxy-config From 08f920d384db1db441ebe6555861c524927e223f Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 24 Jan 2024 18:36:27 -0500 Subject: [PATCH 09/25] right port --- charts/cryostat/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 3fb24596..16237774 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -201,7 +201,7 @@ spec: imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - name: OAUTH2_PROXY_REDIRECT_URL - value: "http://localhost:8181/oauth2/callback" + value: "http://localhost:8080/oauth2/callback" volumeMounts: - name: auth-proxy-config mountPath: /etc/oauth2_proxy From 5afef79ef707819832706eeeddbf90c2f3004632 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 25 Jan 2024 12:50:07 -0500 Subject: [PATCH 10/25] resolved issues --- charts/cryostat/values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index c719761c..66173ca9 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
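Review bot: `value: "http://localhost:8080/oauth2/callback"` hard-codes a plain-HTTP localhost callback in the Deployment, which only works through a port-forward and sends the OAuth state and session cookie over HTTP; the redirect URL should be a chart value (the `redirectURL` parameter added in patch 04 was dropped again in patch 06) with an `https://` example. The env list and the container spec continue outside this hunk.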
@@ -203,8 +203,6 @@ oauth2Proxy: enabled: true ## @param authentication.oauth2Proxy.htpasswdFile Path to the htpasswd file for additional user authentication htpasswdFile: "templates/auth_proxy_htpasswd" - ## @param authentication.oauth2Proxy.cookieSecret Secret key for encrypting OAuth2 Proxy cookies - cookieSecret: { { include "cryostat.defaultCookieSecret" . } } image: ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image repository: "quay.io/oauth2-proxy/oauth2-proxy" From 206df7d0c2a6b3b4182b44f5265d0697bfe56a64 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 25 Jan 2024 13:32:53 -0500 Subject: [PATCH 11/25] resolved file access issue --- charts/cryostat/{templates => }/auth_proxy_htpasswd | 0 charts/cryostat/templates/auth2_proxy.yaml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename charts/cryostat/{templates => }/auth_proxy_htpasswd (100%) diff --git a/charts/cryostat/templates/auth_proxy_htpasswd b/charts/cryostat/auth_proxy_htpasswd similarity index 100% rename from charts/cryostat/templates/auth_proxy_htpasswd rename to charts/cryostat/auth_proxy_htpasswd diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml index 8d41030a..576e580c 100644 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ b/charts/cryostat/templates/auth2_proxy.yaml @@ -3,4 +3,4 @@ kind: Secret metadata: name: {{ .Release.Name }}-auth-proxy-secret data: - users.auth_proxy_htpasswd: {{ .Files.Get "templates/auth_proxy_htpasswd" | b64enc | quote }} + auth_proxy_htpasswd: {{ .Files.Get "auth_proxy_htpasswd" | b64enc | quote }} From 19908aaf5354b43cbb7e40aa481cab154e1e5aa0 Mon Sep 17 00:00:00 2001 
From: Atif Ali Date: Fri, 26 Jan 2024 13:50:22 -0500 Subject: [PATCH 12/25] resolved issues and added UPSTREAM_CONFIG --- charts/cryostat/templates/_helpers.tpl | 28 +++++++++++++++++----- charts/cryostat/templates/auth2_proxy.yaml | 3 ++- charts/cryostat/templates/deployment.yaml | 12 ++++++++++ charts/cryostat/values.yaml | 2 ++ 4 files changed, 38 insertions(+), 7 deletions(-) diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index dc76bf86..31ac5c35 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -116,12 +116,28 @@ Get or generate a default secret key for object storage {{- end -}} {{/* -Generate a default value for cookieSecret. +Generate or retrieve a default value for cookieSecret. */}} -{{- define "cryostat.defaultCookieSecret" -}} -{{- if .Values.oauth2Proxy.cookieSecret }} -{{- .Values.oauth2Proxy.cookieSecret | quote }} -{{- else }} -{{- (randAlphaNum 24) | b64enc | quote }} +{{- define "cryostat.cookieSecret" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use the current secret. Do not regenerate. +*/}} +{{- $secret.data.COOKIE_SECRET | b64dec | quote -}} +{{- else -}} +{{/* + Generate a new secret. +*/}} +{{- $newSecret := randAlphaNum 24 | b64enc -}} +{{- $newSecret | quote -}} +{{- end }} {{- end }} + +{{/* +Encode a string to base64. +*/}} +{{- define "cryostat.base64Encode" -}} +{{- $data := . -}} +{{- printf "%s" $data | b64enc | quote -}} {{- end }} diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml index 576e580c..74f8328c 100644 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ b/charts/cryostat/templates/auth2_proxy.yaml 
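Review bot: `cryostat.cookieSecret` looks up a Secret named `<release>-cookie-secret` with key `COOKIE_SECRET`, but no template in this series creates that Secret, so the `if $secret` branch never fires and a new value is generated on every render, rotating the cookie key on each upgrade; `lookup` also returns nothing under `helm template` and `--dry-run`, which the header comment should state. The hit path does `b64dec | quote`, emitting the decoded secret into the rendered manifest in clear — the consumer in the next file puts it in a plain env `value:`, so the key becomes readable in the Deployment spec; prefer having the chart create the Secret and reference it via `secretKeyRef`. `cryostat.base64Encode` is a one-line wrapper around `b64enc | quote`, which the call sites could use directly.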
@@ -3,4 +3,5 @@ kind: Secret metadata: name: {{ .Release.Name }}-auth-proxy-secret data: - auth_proxy_htpasswd: {{ .Files.Get "auth_proxy_htpasswd" | b64enc | quote }} + auth_proxy_htpasswd: {{ include "cryostat.base64Encode" (.Files.Get "auth_proxy_htpasswd") }} + alphaconfig.cfg: {{ include "cryostat.base64Encode" "proxy-raw-path=true" }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 16237774..e8a50d01 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -202,6 +202,18 @@ spec: env: - name: OAUTH2_PROXY_REDIRECT_URL value: "http://localhost:8080/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + value: {{ include "cryostat.cookieSecret" . }} + - name: OAUTH2_PROXY_PROVIDER + value: "google" + - name: OAUTH2_PROXY_CLIENT_ID + value: "CLIENT_ID" + - name: OAUTH2_PROXY_CLIENT_SECRET + value: "CLIENT_SECRET" + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: UPSTREAM_CONFIG + value: {{ include "cryostat.base64Encode" "proxyRawPath: true" }} volumeMounts: - name: auth-proxy-config mountPath: /etc/oauth2_proxy diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 66173ca9..d6640b6f 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -218,6 +218,8 @@ oauth2Proxy: capabilities: drop: - ALL + upstreamConfig: + proxyRawPath: true ## @section Other Parameters From 63e999136857069c5830c73c90d90ac41e282c58 Mon Sep 17 00:00:00 2001 
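Review bot: `OAUTH2_PROXY_COOKIE_SECRET` is passed as an inline env `value:`, so the cookie key is stored in the Deployment object and visible to anyone who can read deployments or pods; use `valueFrom: secretKeyRef:` on a Secret instead. `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` with `OAUTH2_PROXY_PROVIDER: "google"` would admit any Google account once the `CLIENT_ID`/`CLIENT_SECRET` placeholders are replaced, which is authentication without authorization; scope it to the intended domains or document that htpasswd is the only intended login. `UPSTREAM_CONFIG` is not an oauth2-proxy variable as far as I know (patch 13 removes it), and its base64 value would not be decoded by the proxy in any case. The `alphaconfig.cfg: ... "proxy-raw-path=true"` key added to the Secret in the hunk above is not referenced by any argument.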
From: Atif Ali Date: Tue, 30 Jan 2024 17:55:08 -0500 Subject: [PATCH 13/25] added alpha file --- charts/cryostat/Chart.yaml | 32 +++++++++---------- charts/cryostat/templates/_helpers.tpl | 8 ----- charts/cryostat/templates/auth2_proxy.yaml | 3 +- .../templates/auth_proxy_alpha_config.yaml | 9 ++++++ charts/cryostat/templates/deployment.yaml | 10 ++++-- charts/cryostat/values.yaml | 7 ++-- 6 files changed, 38 insertions(+), 31 deletions(-) create mode 100644 charts/cryostat/templates/auth_proxy_alpha_config.yaml diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml index 4be55185..dc540a66 100644 --- a/charts/cryostat/Chart.yaml +++ b/charts/cryostat/Chart.yaml @@ -15,23 +15,23 @@ home: "https://cryostat.io" icon: "https://raw.githubusercontent.com/cryostatio/cryostat-helm/main/docs/images/cryostat-icon.svg" keywords: -- flightrecorder -- java -- jdk -- jfr -- jmc -- missioncontrol -- monitoring -- profiling -- diagnostic + - flightrecorder + - java + - jdk + - jfr + - jmc + - missioncontrol + - monitoring + - profiling + - diagnostic sources: -- https://github.com/cryostatio/cryostat -- https://github.com/cryostatio/cryostat-core -- https://github.com/cryostatio/cryostat-web -- https://github.com/cryostatio/jfr-datasource -- https://github.com/cryostatio/cryostat-grafana-dashboard + - https://github.com/cryostatio/cryostat + - https://github.com/cryostatio/cryostat-core + - https://github.com/cryostatio/cryostat-web + - https://github.com/cryostatio/jfr-datasource + - https://github.com/cryostatio/cryostat-grafana-dashboard maintainers: -- name: The Cryostat Community - url: https://groups.google.com/g/cryostat-development + - name: The Cryostat Community + url: https://groups.google.com/g/cryostat-development diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 31ac5c35..957df02c 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -133,11 +133,3 @@ Generate or retrieve a default value for cookieSecret. {{- $newSecret | quote -}} {{- end }} {{- end }} - -{{/* -Encode a string to base64. -*/}} -{{- define "cryostat.base64Encode" -}} -{{- $data := . -}} -{{- printf "%s" $data | b64enc | quote -}} -{{- end }} diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml index 74f8328c..576e580c 100644 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ b/charts/cryostat/templates/auth2_proxy.yaml @@ -3,5 +3,4 @@ kind: Secret metadata: name: {{ .Release.Name }}-auth-proxy-secret data: - auth_proxy_htpasswd: {{ include "cryostat.base64Encode" (.Files.Get "auth_proxy_htpasswd") }} - alphaconfig.cfg: {{ include "cryostat.base64Encode" "proxy-raw-path=true" }} + auth_proxy_htpasswd: {{ .Files.Get "auth_proxy_htpasswd" | b64enc | quote }} diff --git a/charts/cryostat/templates/auth_proxy_alpha_config.yaml b/charts/cryostat/templates/auth_proxy_alpha_config.yaml new file mode 100644 index 00000000..4c784a33 --- /dev/null +++ b/charts/cryostat/templates/auth_proxy_alpha_config.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: auth-proxy-alpha-config +data: + server: | + BindAddress: http://0.0.0.0:4180 + upstreamConfig: | + proxyRawPath: true diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index e8a50d01..187dd557 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -198,6 +198,8 @@ spec: securityContext: {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }} image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" + args: + - "--alpha-config=/etc/oauth2_proxy/auth_proxy_alpha_config/auth_proxy_alpha_config.yaml" imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - name: OAUTH2_PROXY_REDIRECT_URL 
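Review bot: `--alpha-config=/etc/oauth2_proxy/auth_proxy_alpha_config/auth_proxy_alpha_config.yaml` points at a file the mounted ConfigMap does not provide — its keys are `server` and `upstreamConfig`, each becoming a separate file holding only a fragment — so the proxy cannot start with this configuration (patch 14 reworks both sides). The ConfigMap `name: auth-proxy-alpha-config` is not release-scoped, unlike `{{ .Release.Name }}-auth-proxy-secret`, so two releases in one namespace would overwrite each other's config; use `name: {{ .Release.Name }}-auth-proxy-alpha-config` and the same in the volume. `BindAddress: http://0.0.0.0:4180` also disagrees with the `:8080` redirect URL set on the container.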
@@ -212,12 +214,12 @@ spec: value: "CLIENT_SECRET" - name: OAUTH2_PROXY_EMAIL_DOMAINS value: "*" - - name: UPSTREAM_CONFIG - value: {{ include "cryostat.base64Encode" "proxyRawPath: true" }} volumeMounts: - name: auth-proxy-config mountPath: /etc/oauth2_proxy readOnly: true + - name: alpha-config + mountPath: /etc/oauth2_proxy/auth_proxy_alpha_config {{- if .Values.authentication.basicAuth.enabled }} - name: basic-auth-secret mountPath: /etc/oauth2_proxy/basic-auth-secret @@ -286,6 +288,9 @@ spec: - name: {{ .Chart.Name }} emptyDir: {} {{- end }} + - name: alpha-config + configMap: + name: auth-proxy-alpha-config - name: auth-proxy-config secret: secretName: {{ .Release.Name }}-auth-proxy-secret @@ -294,3 +299,4 @@ spec: secret: secretName: {{ .Values.authentication.basicAuth.secretName }} {{- end }} + \ No newline at end of file diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index d6640b6f..b02ea569 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -202,7 +202,10 @@ oauth2Proxy: ## @param authentication.oauth2Proxy.enabled Whether Cryostat should use OAuth2 Proxy for authentication. When true, Cryostat will authenticate users via OAuth2 Proxy. enabled: true ## @param authentication.oauth2Proxy.htpasswdFile Path to the htpasswd file for additional user authentication - htpasswdFile: "templates/auth_proxy_htpasswd" + htpasswdFile: "auth_proxy_htpasswd" + alphaConfig: + enabled: true + configFile: "templates/auth_proxy_alpha_config.yaml" image: ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image repository: "quay.io/oauth2-proxy/oauth2-proxy" @@ -218,8 +221,6 @@ oauth2Proxy: capabilities: drop: - ALL - upstreamConfig: - proxyRawPath: true ## @section Other Parameters From 932d8a465ad360576416143da14ed6e1837849b9 Mon Sep 17 00:00:00 2001 
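Review bot: the new `alpha-config` mount has no `readOnly: true`, unlike the sibling `auth-proxy-config` and `basic-auth-secret` mounts in the same list; add it for consistency. The hunk `@@ -294,3 +299,4` appends a whitespace-only line with no newline at end of file, which should be dropped. In values.yaml the new `alphaConfig.enabled` and `alphaConfig.configFile` keys have no `## @param` lines and are not read by the templates in this commit (the deployment hard-codes the path and the ConfigMap name), so either wire them up or leave them out.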
From: Atif Ali Date: Wed, 31 Jan 2024 11:22:52 -0500 Subject: [PATCH 14/25] added alpha config; put storage and grafana behind auth2proxy --- .../templates/auth_proxy_alpha_config.yaml | 26 ++++++++++++++++--- charts/cryostat/templates/deployment.yaml | 8 +----- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/charts/cryostat/templates/auth_proxy_alpha_config.yaml b/charts/cryostat/templates/auth_proxy_alpha_config.yaml index 4c784a33..f5fcbdb1 100644 --- a/charts/cryostat/templates/auth_proxy_alpha_config.yaml +++ b/charts/cryostat/templates/auth_proxy_alpha_config.yaml @@ -3,7 +3,27 @@ kind: ConfigMap metadata: name: auth-proxy-alpha-config data: - server: | - BindAddress: http://0.0.0.0:4180 upstreamConfig: | - proxyRawPath: true + server: + BindAddress: http://0.0.0.0:8080 + upstreamConfig: + proxyRawPath: true + upstreams: + - id: cryostat + path: / + uri: http://cryostat:8181 + - id: grafana + path: /grafana/ + uri: http://grafana:3000 + - id: storage + path: ^/storage/(.*)$ + rewriteTarget: /$1 + uri: http://s3:3000 + passHostHeader: false + proxyWebSockets: false + providers: + - id: dummy + name: Unused - Sign In Below + clientId: CLIENT_ID + clientSecret: CLIENT_SECRET + provider: google diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 187dd557..b5b64a69 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
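Review bot: `clientSecret: CLIENT_SECRET` now lives in a ConfigMap, which is not the right resource type for an OAuth client secret if the placeholder is ever replaced; either keep the provider block out of the ConfigMap or mark it `# placeholder only — a real client secret must be supplied from a Secret`. The upstream hosts `cryostat`, `grafana` and `s3` look like Compose service names; in this chart the proxy is a container of the same Pod as Grafana and storage (see the deployment.yaml hunks), so those names presumably do not resolve — confirm whether `localhost:<port>` or the release's Service name is intended. Placing the whole document under the single key `upstreamConfig: |` matches the `--alpha-config=.../upstreamConfig` path in the next hunk, but a key named for the file's purpose, such as `alpha_config.yaml`, would read better.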
@@ -199,19 +199,13 @@ spec: {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }} image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" args: - - "--alpha-config=/etc/oauth2_proxy/auth_proxy_alpha_config/auth_proxy_alpha_config.yaml" + - "--alpha-config=/etc/oauth2_proxy/auth_proxy_alpha_config/upstreamConfig" imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - name: OAUTH2_PROXY_REDIRECT_URL value: "http://localhost:8080/oauth2/callback" - name: OAUTH2_PROXY_COOKIE_SECRET value: {{ include "cryostat.cookieSecret" . }} - - name: OAUTH2_PROXY_PROVIDER - value: "google" - - name: OAUTH2_PROXY_CLIENT_ID - value: "CLIENT_ID" - - name: OAUTH2_PROXY_CLIENT_SECRET - value: "CLIENT_SECRET" - name: OAUTH2_PROXY_EMAIL_DOMAINS value: "*" volumeMounts: From 4a646d55cfdcd2ff2443c330fc672cbf09e852b7 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 31 Jan 2024 11:31:55 -0500 Subject: [PATCH 15/25] unformat chart.yaml on save --- charts/cryostat/Chart.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml index dc540a66..4be55185 100644 --- a/charts/cryostat/Chart.yaml +++ b/charts/cryostat/Chart.yaml 
@@ -15,23 +15,23 @@ home: "https://cryostat.io" icon: "https://raw.githubusercontent.com/cryostatio/cryostat-helm/main/docs/images/cryostat-icon.svg" keywords: - - flightrecorder - - java - - jdk - - jfr - - jmc - - missioncontrol - - monitoring - - profiling - - diagnostic +- flightrecorder +- java +- jdk +- jfr +- jmc +- missioncontrol +- monitoring +- profiling +- diagnostic sources: - - https://github.com/cryostatio/cryostat - - https://github.com/cryostatio/cryostat-core - - https://github.com/cryostatio/cryostat-web - - https://github.com/cryostatio/jfr-datasource - - https://github.com/cryostatio/cryostat-grafana-dashboard +- https://github.com/cryostatio/cryostat +- https://github.com/cryostatio/cryostat-core +- https://github.com/cryostatio/cryostat-web +- https://github.com/cryostatio/jfr-datasource +- https://github.com/cryostatio/cryostat-grafana-dashboard maintainers: - - name: The Cryostat Community - url: https://groups.google.com/g/cryostat-development +- name: The Cryostat Community + url: https://groups.google.com/g/cryostat-development From bb17a8beb70a0d18b73c2a9ff3dbd524a06d704a Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Mon, 5 Feb 2024 11:34:26 -0500 Subject: [PATCH 16/25] added alpha_config as a yaml file --- .../{auth_proxy_alpha_config.yaml => alpha_config.yaml} | 6 +++--- charts/cryostat/templates/auth2_proxy.yaml | 2 +- charts/cryostat/templates/deployment.yaml | 6 +++--- charts/cryostat/values.yaml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) rename charts/cryostat/templates/{auth_proxy_alpha_config.yaml => alpha_config.yaml} (86%) diff --git a/charts/cryostat/templates/auth_proxy_alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml similarity index 86% rename from charts/cryostat/templates/auth_proxy_alpha_config.yaml rename to charts/cryostat/templates/alpha_config.yaml index f5fcbdb1..9da08c6b 100644 --- a/charts/cryostat/templates/auth_proxy_alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 kind: ConfigMap metadata: - name: auth-proxy-alpha-config + name: {{ .Release.Name }}-alpha-config data: - upstreamConfig: | + alpha_config.yaml: |- server: BindAddress: http://0.0.0.0:8080 upstreamConfig: @@ -18,7 +18,7 @@ data: - id: storage path: ^/storage/(.*)$ rewriteTarget: /$1 - uri: http://s3:3000 + uri: http://s3:8333 passHostHeader: false proxyWebSockets: false providers: diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml index 576e580c..69d6caeb 100644 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ b/charts/cryostat/templates/auth2_proxy.yaml @@ -3,4 +3,4 @@ kind: Secret metadata: name: {{ .Release.Name }}-auth-proxy-secret data: - auth_proxy_htpasswd: {{ .Files.Get "auth_proxy_htpasswd" | b64enc | quote }} + auth_proxy_htpasswd: {{ .Files.Get ".oauth2proxy.htpasswdFile" | b64enc | quote }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index b5b64a69..7843be1c 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -199,7 +199,7 @@ spec: {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }} image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" args: - - "--alpha-config=/etc/oauth2_proxy/auth_proxy_alpha_config/upstreamConfig" + - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml" imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - name: OAUTH2_PROXY_REDIRECT_URL @@ -213,7 +213,7 @@ spec: mountPath: /etc/oauth2_proxy readOnly: true - name: alpha-config - mountPath: /etc/oauth2_proxy/auth_proxy_alpha_config + mountPath: /etc/oauth2_proxy/alpha_config {{- if .Values.authentication.basicAuth.enabled }} - name: basic-auth-secret mountPath: /etc/oauth2_proxy/basic-auth-secret 
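Review bot: `.Files.Get ".oauth2proxy.htpasswdFile"` passes that literal string as a file path, so Helm looks for a file literally named `.oauth2proxy.htpasswdFile`; `.Files.Get` returns an empty string for a missing file, and the Secret therefore ships an empty `auth_proxy_htpasswd` with no render-time error, leaving the proxy without any usable credential. The intended lookup is `auth_proxy_htpasswd: {{ .Files.Get .Values.oauth2Proxy.htpasswdFile | b64enc | quote }}` (the values.yaml hunk of this patch keeps `oauth2Proxy.htpasswdFile: "auth_proxy_htpasswd"`), ideally wrapped in `required` so an absent file fails `helm install` instead of producing an unauthenticated deployment. Note also that `.Files` cannot read anything under `templates/`, so the `configFile: "templates/alpha_config.yaml"` value in the same patch cannot be consumed that way.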
@@ -284,7 +284,7 @@ spec: {{- end }} - name: alpha-config configMap: - name: auth-proxy-alpha-config + name: {{ .Release.Name }}-alpha-config - name: auth-proxy-config secret: secretName: {{ .Release.Name }}-auth-proxy-secret diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index b02ea569..832eec48 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -205,7 +205,7 @@ oauth2Proxy: htpasswdFile: "auth_proxy_htpasswd" alphaConfig: enabled: true - configFile: "templates/auth_proxy_alpha_config.yaml" + configFile: "templates/alpha_config.yaml" image: ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image repository: "quay.io/oauth2-proxy/oauth2-proxy" From 7f2d7de82fc8b8690e4def0cda07e19062257180 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 8 Feb 2024 09:41:41 -0500 Subject: [PATCH 17/25] bind to port 4180 --- charts/cryostat/templates/alpha_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 9da08c6b..07f6bf05 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -5,7 +5,7 @@ metadata: data: alpha_config.yaml: |- server: - BindAddress: http://0.0.0.0:8080 + BindAddress: http://0.0.0.0:4180 upstreamConfig: proxyRawPath: true upstreams: From b23d24f1e486361cae53ae8cf0defea8042d1b9a Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 8 Feb 2024 09:47:34 -0500 Subject: [PATCH 18/25] hack: run storage as non-root user --- charts/cryostat/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 832eec48..cb0cc69b 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
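Review bot: Moving `BindAddress` to port 4180 leaves the proxy container's `OAUTH2_PROXY_REDIRECT_URL` at `http://localhost:8080/oauth2/callback` (as set in patch 14's deployment.yaml hunk) and, as far as this series shows, the Service `targetPort` and Route still pointing at 8181 until patch 20, so the callback URL and the external entry point no longer agree with where the proxy listens. Those ports should move in the same commit as the bind address; a single values entry for the proxy port, referenced from the alpha config, the env var, the Service and the Route, would keep them from drifting again.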
@@ -98,6 +98,8 @@ storage: resources: {} ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: + ## @skip storage.securityContext.runAsUser + runAsUser: 1000 ## @skip storage.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false ## @skip storage.securityContext.capabilities From 9d2ba391e98367cf9408e28c1447481a7d1c7b9b Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 8 Feb 2024 10:21:05 -0500 Subject: [PATCH 19/25] Revert "hack: run storage as non-root user" This reverts commit b23d24f1e486361cae53ae8cf0defea8042d1b9a. --- charts/cryostat/values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index cb0cc69b..832eec48 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -98,8 +98,6 @@ storage: resources: {} ## @param storage.securityContext [object] Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: - ## @skip storage.securityContext.runAsUser - runAsUser: 1000 ## @skip storage.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false ## @skip storage.securityContext.capabilities From 567c26f92bddb17e138c6d01c2f77130d42ec806 Mon Sep 17 00:00:00 2001 
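Review bot: Hard-coding `runAsUser: 1000` in the storage `securityContext` contradicts the "restricted" Pod Security Standard comment directly above it on OpenShift, where the restricted SCC assigns UIDs from the namespace's range and rejects a pod that pins a UID outside it, so the storage pod would fail admission there. The commit is labelled a hack and patch 19 reverts it, but the safer form of the same intent is `runAsNonRoot: true` with no fixed UID, together with image filesystem permissions that work under an arbitrary UID.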
From: Andrew Azores Date: Thu, 8 Feb 2024 12:18:52 -0500 Subject: [PATCH 20/25] hack: get authproxy running with basic auth in front of cryostat --- charts/cryostat/templates/alpha_config.yaml | 6 +++--- charts/cryostat/templates/auth2_proxy.yaml | 4 +++- charts/cryostat/templates/deployment.yaml | 7 +++++-- charts/cryostat/templates/route.yaml | 2 +- charts/cryostat/templates/service.yaml | 2 +- 5 files changed, 13 insertions(+), 8 deletions(-) diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 07f6bf05..e86013b8 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -11,14 +11,14 @@ data: upstreams: - id: cryostat path: / - uri: http://cryostat:8181 + uri: http://localhost:8181 - id: grafana path: /grafana/ - uri: http://grafana:3000 + uri: http://localhost:3000 - id: storage path: ^/storage/(.*)$ rewriteTarget: /$1 - uri: http://s3:8333 + uri: http://localhost:8333 passHostHeader: false proxyWebSockets: false providers: diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml index 69d6caeb..11175b3f 100644 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ b/charts/cryostat/templates/auth2_proxy.yaml @@ -3,4 +3,6 @@ kind: Secret metadata: name: {{ .Release.Name }}-auth-proxy-secret data: - auth_proxy_htpasswd: {{ .Files.Get ".oauth2proxy.htpasswdFile" | b64enc | quote }} + # auth_proxy_htpasswd: {{ .Files.Get ".oauth2proxy.htpasswdFile" | b64enc | quote }} + # FIXME this is a hack, the user definition should be pulled out of values.yaml: .authentication.basicAuth + auth_proxy_htpasswd: {{ "user:$2y$05$.p1/68oBWKX1FhAtZOArYOoNoMqsB4yuUNXGOeSATHPq3geKqEaZS" | b64enc | quote }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 7843be1c..4ecf7d10 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
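Review bot: The htpasswd entry hard-coded into this Secret template is a shared credential shipped to every installation of the chart; the `FIXME` acknowledges it, but it must not survive into a tagged release, and the bcrypt cost encoded in the hash (`$2y$05$`) is far below current guidance for password hashing. Separately, Helm evaluates template actions inside YAML `#` comments, so the commented-out `{{ .Files.Get ".oauth2proxy.htpasswdFile" | b64enc | quote }}` line still executes at render time; template code should be disabled with `{{/* ... */}}` rather than a YAML comment.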
@@ -203,11 +203,15 @@ spec: imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} env: - name: OAUTH2_PROXY_REDIRECT_URL - value: "http://localhost:8080/oauth2/callback" + value: "http://localhost:4180/oauth2/callback" - name: OAUTH2_PROXY_COOKIE_SECRET value: {{ include "cryostat.cookieSecret" . }} - name: OAUTH2_PROXY_EMAIL_DOMAINS value: "*" + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/auth_proxy_htpasswd + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write volumeMounts: - name: auth-proxy-config mountPath: /etc/oauth2_proxy @@ -293,4 +297,3 @@ spec: secret: secretName: {{ .Values.authentication.basicAuth.secretName }} {{- end }} - \ No newline at end of file diff --git a/charts/cryostat/templates/route.yaml b/charts/cryostat/templates/route.yaml index aa4a389c..1e5b01ba 100644 --- a/charts/cryostat/templates/route.yaml +++ b/charts/cryostat/templates/route.yaml @@ -46,7 +46,7 @@ spec: {{- $fullName := include "cryostat.fullname" . -}} {{- if .Values.core.route.enabled }} -{{- include "createRoute" (list $fullName 8181 $ .Values.core)}} +{{- include "createRoute" (list $fullName 4180 $ .Values.core)}} {{- end }} {{- if and (not .Values.minimal) .Values.grafana.route.enabled }} {{- include "createRoute" (list (printf "%s-%s" $fullName "grafana") 3000 $ .Values.grafana)}} diff --git a/charts/cryostat/templates/service.yaml b/charts/cryostat/templates/service.yaml index 8bbc9eb2..62fb5d98 100644 --- a/charts/cryostat/templates/service.yaml +++ b/charts/cryostat/templates/service.yaml @@ -10,7 +10,7 @@ spec: type: {{ .Values.core.service.type }} ports: - port: {{ .Values.core.service.httpPort }} - targetPort: 8181 + targetPort: 4180 protocol: TCP name: cryostat-http - port: {{ .Values.core.service.jmxPort }} From 16cef6e3959fd570de9f44fee7c9add78173ff91 Mon Sep 17 00:00:00 2001 
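Review bot: Pointing the Service `targetPort` and the Route at 4180 makes the proxy the front door, but the Cryostat container still listens on `0.0.0.0:8181` (`QUARKUS_HTTP_HOST` is only changed to `localhost` in patch 25), so any workload that can reach the pod IP can bypass the proxy by connecting to 8181 directly. Until the bind address is fixed, a NetworkPolicy limiting ingress to the pod to port 4180 would close that gap; the same concern applies to the grafana (3000) and storage (8333) ports that the alpha config now reaches over `localhost`, if those containers also bind all interfaces. The deployment hunk's new `OAUTH2_PROXY_HTPASSWD_FILE` path `/etc/oauth2_proxy/auth_proxy_htpasswd` matches the `auth-proxy-config` mount in the context lines, which is consistent.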
From: Atif Ali Date: Fri, 9 Feb 2024 11:13:25 -0500 Subject: [PATCH 21/25] resolved issues --- charts/cryostat/auth_proxy_htpasswd | 1 - charts/cryostat/templates/auth2_proxy.yaml | 4 +--- charts/cryostat/templates/deployment.yaml | 6 ++++-- charts/cryostat/values.yaml | 4 ---- 4 files changed, 5 insertions(+), 10 deletions(-) delete mode 100644 charts/cryostat/auth_proxy_htpasswd diff --git a/charts/cryostat/auth_proxy_htpasswd b/charts/cryostat/auth_proxy_htpasswd deleted file mode 100644 index 0398db4f..00000000 --- a/charts/cryostat/auth_proxy_htpasswd +++ /dev/null @@ -1 +0,0 @@ -user:$2y$05$.p1/68oBWKX1FhAtZOArYOoNoMqsB4yuUNXGOeSATHPq3geKqEaZS diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml index 11175b3f..e49b4b1b 100644 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ b/charts/cryostat/templates/auth2_proxy.yaml @@ -3,6 +3,4 @@ kind: Secret metadata: name: {{ .Release.Name }}-auth-proxy-secret data: - # auth_proxy_htpasswd: {{ .Files.Get ".oauth2proxy.htpasswdFile" | b64enc | quote }} - # FIXME this is a hack, the user definition should be pulled out of values.yaml: .authentication.basicAuth - auth_proxy_htpasswd: {{ "user:$2y$05$.p1/68oBWKX1FhAtZOArYOoNoMqsB4yuUNXGOeSATHPq3geKqEaZS" | b64enc | quote }} + auth_proxy_htpasswd: {{ .Values.authentication.basicAuth.secretName | b64enc | quote }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 4ecf7d10..88536bdf 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml 
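Review bot: `{{ .Values.authentication.basicAuth.secretName | b64enc | quote }}` base64-encodes the name of the user's Secret and stores it as the htpasswd file content, so the rendered `auth_proxy_htpasswd` contains the Secret's name instead of any `user:hash` line and no login can succeed. A chart cannot read another Secret's data at render time; the deployment should mount the Secret named by `authentication.basicAuth.secretName` as a volume and point `OAUTH2_PROXY_HTPASSWD_FILE` at the mounted key, which is what patch 22 in this series goes on to do and which makes this intermediate Secret unnecessary.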
@@ -208,10 +208,12 @@ spec: value: {{ include "cryostat.cookieSecret" . }} - name: OAUTH2_PROXY_EMAIL_DOMAINS value: "*" - - name: OAUTH2_PROXY_HTPASSWD_FILE - value: /etc/oauth2_proxy/auth_proxy_htpasswd - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP value: write + {{- if not .Values.authentication.basicAuth.enabled }} + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: ".*" + {{- end }} volumeMounts: - name: auth-proxy-config mountPath: /etc/oauth2_proxy diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 832eec48..90b0cb34 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -202,10 +202,6 @@ oauth2Proxy: ## @param authentication.oauth2Proxy.enabled Whether Cryostat should use OAuth2 Proxy for authentication. When true, Cryostat will authenticate users via OAuth2 Proxy. enabled: true ## @param authentication.oauth2Proxy.htpasswdFile Path to the htpasswd file for additional user authentication - htpasswdFile: "auth_proxy_htpasswd" - alphaConfig: - enabled: true - configFile: "templates/alpha_config.yaml" image: ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image repository: "quay.io/oauth2-proxy/oauth2-proxy" From 9ae5fdb40176780ccf653d257dad7389dbefe7ef Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 9 Feb 2024 12:20:44 -0500 Subject: [PATCH 22/25] remove hardcoded user:pass auth, configure for switchable/optional user-supplied htpasswd --- charts/cryostat/templates/auth2_proxy.yaml | 6 ------ charts/cryostat/templates/deployment.yaml | 18 ++++++++---------- 2 files changed, 8 insertions(+), 16 deletions(-) delete mode 100644 charts/cryostat/templates/auth2_proxy.yaml diff --git a/charts/cryostat/templates/auth2_proxy.yaml b/charts/cryostat/templates/auth2_proxy.yaml deleted file mode 100644 index e49b4b1b..00000000 --- a/charts/cryostat/templates/auth2_proxy.yaml +++ /dev/null 
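Review bot: Removing `OAUTH2_PROXY_HTPASSWD_FILE` while keeping `OAUTH2_PROXY_HTPASSWD_USER_GROUP` leaves the proxy with no htpasswd authenticator when `authentication.basicAuth.enabled` is true, so users would presumably be sent to the `dummy` Google provider with its placeholder client credentials rather than a login form. The new `OAUTH2_PROXY_SKIP_AUTH_ROUTES: ".*"` branch makes the proxy a pass-through when basic auth is disabled, which matches the documented "no authentication" behaviour, but `.*` silently disables every check and deserves an inline comment such as `{{- /* basicAuth disabled: every route is forwarded unauthenticated */ }}`. In the values.yaml hunk of the same patch, `htpasswdFile` is deleted but its `## @param authentication.oauth2Proxy.htpasswdFile` annotation line is kept, which will produce a README row for a parameter that no longer exists.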
@@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-auth-proxy-secret -data: - auth_proxy_htpasswd: {{ .Values.authentication.basicAuth.secretName | b64enc | quote }} diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 88536bdf..d420158d 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -208,21 +208,22 @@ spec: value: {{ include "cryostat.cookieSecret" . }} - name: OAUTH2_PROXY_EMAIL_DOMAINS value: "*" + {{- if .Values.authentication.basicAuth.enabled }} - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }} + {{- end }} {{- if not .Values.authentication.basicAuth.enabled }} - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES value: ".*" - {{- end }} + {{- end }} volumeMounts: - - name: auth-proxy-config - mountPath: /etc/oauth2_proxy - readOnly: true - name: alpha-config mountPath: /etc/oauth2_proxy/alpha_config {{- if .Values.authentication.basicAuth.enabled }} - - name: basic-auth-secret - mountPath: /etc/oauth2_proxy/basic-auth-secret + - name: {{ .Release.Name }}-htpasswd + mountPath: /etc/oauth2_proxy/basicauth readOnly: true {{- end }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} @@ -291,11 +292,8 @@ spec: - name: alpha-config configMap: name: {{ .Release.Name }}-alpha-config - - name: auth-proxy-config - secret: - secretName: {{ .Release.Name }}-auth-proxy-secret {{- if .Values.authentication.basicAuth.enabled }} - - name: basic-auth-secret + - name: {{ .Release.Name }}-htpasswd secret: secretName: {{ .Values.authentication.basicAuth.secretName }} {{- end }} From 56f406b296d63335cd07821bf6f8b76ec5a14ddb Mon Sep 17 00:00:00 2001 
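Review bot: The htpasswd volume renders `secretName: {{ .Values.authentication.basicAuth.secretName }}` without a guard, so when `basicAuth.enabled` is true but `secretName` is left at its default `""` the chart still renders and the pod cannot start because of a failed Secret mount, with no hint at install time; `secretName: {{ required "authentication.basicAuth.secretName is required when basicAuth is enabled" .Values.authentication.basicAuth.secretName }}` (and the same for `filename` in the `OAUTH2_PROXY_HTPASSWD_FILE` value) fails `helm install` with a clear message instead. As a point of style, the adjacent `{{- if .Values.authentication.basicAuth.enabled }}` and `{{- if not .Values.authentication.basicAuth.enabled }}` blocks are an `if`/`else` and read more clearly as one. The enclosing container and volume lists continue outside the hunk.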
From: Andrew Azores Date: Fri, 9 Feb 2024 14:13:59 -0500 Subject: [PATCH 23/25] documentation + readme --- charts/cryostat/README.md | 20 ++++++--- charts/cryostat/values.schema.json | 70 +++++++++++++++++++++++++----- charts/cryostat/values.yaml | 19 ++++---- 3 files changed, 84 insertions(+), 25 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 8f876ba8..785f370c 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -99,11 +99,21 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op ### Authentication -| Name | Description | Value | -| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | -| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | -| `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` | +| Name | Description | Value | +| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | +| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | +| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. 
The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` | + + +### OAuth2 Proxy + +| Name | Description | Value | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Other Parameters diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index e91382c2..adae1c2b 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
@@ -529,23 +529,53 @@ } } }, - "podSecurityContext": { + "oauth2Proxy": { "type": "object", "properties": { - "seccompProfile": { + "securityContext": { "type": "object", "properties": { - "type": { - "type": "string", + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "description": "", + "default": [ + "ALL" + ], + "items": { + "type": "string" + } + } + } + }, + "allowPrivilegeEscalation": { + "type": "boolean", "description": "", - "default": "RuntimeDefault" + "default": false } } }, - "runAsNonRoot": { - "type": "boolean", - "description": "", - "default": true + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "Repository for the OAuth2 Proxy container image", + "default": "quay.io/oauth2-proxy/oauth2-proxy" + }, + "pullPolicy": { + "type": "string", + "description": "Image pull policy for the OAuth2 Proxy container image", + "default": "Always" + }, + "tag": { + "type": "string", + "description": "Tag for the OAuth2 Proxy container image", + "default": "latest" + } + } } } }, 
@@ -567,13 +597,33 @@ }, "filename": { "type": "string", - "description": "Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax \"user=passHex\", where \"user\" is the username and \"passHex\" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)**", + "description": "Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**", "default": "" } } } } }, + "podSecurityContext": { + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string", + "description": "", + "default": "RuntimeDefault" + } + } + }, + "runAsNonRoot": { + "type": "boolean", + "description": "", + "default": true + } + } + }, "minimal": { "type": "boolean", "description": "Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source", diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 90b0cb34..db228fdf 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -195,25 +195,24 @@ authentication: enabled: false ## @param authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** secretName: "" - ## @param authentication.basicAuth.filename Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** + ## @param authentication.basicAuth.filename Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** filename: "" +## @section OAuth2 Proxy + oauth2Proxy: - ## @param authentication.oauth2Proxy.enabled Whether Cryostat should use OAuth2 Proxy for authentication. When true, Cryostat will authenticate users via OAuth2 Proxy. 
- enabled: true - ## @param authentication.oauth2Proxy.htpasswdFile Path to the htpasswd file for additional user authentication image: - ## @param authentication.oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image + ## @param oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image repository: "quay.io/oauth2-proxy/oauth2-proxy" - ## @param authentication.oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image + ## @param oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image pullPolicy: Always - ## @param authentication.oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image + ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image tag: "latest" - ## @param authentication.oauth2proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) + ## @param oauth2proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) securityContext: - ## @skip authentication.oauth2proxy.securityContext.allowPrivilegeEscalation + ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false - ## @skip authentication.oauth2proxy.securityContext.capabilities + ## @skip oauth2Proxy.securityContext.capabilities capabilities: drop: - ALL From 4b9cf3423c298e7cd357eb7dd75f6fc79d2eae94 Mon Sep 17 00:00:00 2001 
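Review bot: The `## @param oauth2proxy.securityContext [object]` annotation spells the key with a lowercase `p`, while the actual key and the `@skip oauth2Proxy.securityContext.*` lines use `oauth2Proxy`, so the generated README in this patch lists `oauth2proxy.securityContext` as a parameter that does not exist in the chart and a `--set` based on it has no effect; change it to `## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. ...`. With `authentication.oauth2Proxy.enabled` removed the proxy is now deployed unconditionally, which a one-line comment under the new `## @section OAuth2 Proxy` heading should state for readers looking for the old toggle.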
From: Andrew Azores Date: Fri, 9 Feb 2024 14:32:06 -0500 Subject: [PATCH 24/25] update STORAGE_EXT_URL to include storage container subpath --- charts/cryostat/templates/NOTES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index b3272213..7419d829 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt @@ -7,7 +7,7 @@ ``` {{- if .Values.core.route.enabled }} export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}") -{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }} +{{- $envVars = list "STORAGE_EXT_URL=http://$ROUTE_HOST/storage" }} {{- else if .Values.core.ingress.enabled }} {{- /* Do nothing */}} {{- else if contains "NodePort" .Values.core.service.type }} From 07c62ea3f70ba43c1dd970b9cde1a0fea7856fe2 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 13 Feb 2024 17:10:20 -0500 Subject: [PATCH 25/25] bind cryostat on localhost --- charts/cryostat/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index d420158d..b40a1e4f 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -37,7 +37,7 @@ spec: imagePullPolicy: {{ .Values.core.image.pullPolicy }} env: - name: QUARKUS_HTTP_HOST - value: 0.0.0.0 + value: localhost - name: QUARKUS_HTTP_PORT value: "8181" - name: QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING
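Review bot: `STORAGE_EXT_URL=http://$ROUTE_HOST/storage` hard-codes a plain-http scheme for an OpenShift Route host; if `createRoute` renders a TLS-terminated route, the printed URL is either redirected or sends storage traffic in cleartext, so the scheme should follow the route's TLS setting (the `createRoute` helper and `.Values.core.route` are not visible here, so this needs confirming). The `/storage` suffix is consistent with the `^/storage/(.*)$` upstream introduced in patch 14.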
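Review bot: Binding Cryostat to `localhost` closes the direct-to-8181 bypass of the proxy, but if the cryostat container has `httpGet` readiness or liveness probes on port 8181 (not visible in this hunk) they will start failing, because the kubelet connects to the pod IP rather than the loopback interface; such probes would need to target the proxy port 4180 or become `exec` probes. A comment beside the value would record the intent: `# loopback only: all traffic must enter through the oauth2-proxy container in this pod on 4180`. The same loopback binding would be needed for the grafana and storage containers for the alpha config's `localhost` upstreams to be their only entry points.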