feat(cryostat): re-implement basic auth via oauth2-proxy htpasswd config #118

Merged (25 commits), Feb 13, 2024

Commits

ece3166 added auth2-proxy and put storage behind auth2-proxy (aali309, Jan 18, 2024)
c7be386 added auth2-proxy (aali309, Jan 18, 2024)
73514b4 removed command:alpha (aali309, Jan 18, 2024)
f1cc809 re-implement (aali309, Jan 22, 2024)
2a33c6a removed args on auth2_proxy on deployment.yaml (aali309, Jan 23, 2024)
904da00 resolved issues (aali309, Jan 24, 2024)
09f3862 resolved issues 2 (aali309, Jan 24, 2024)
b3cb431 provide right name for url:env variable (aali309, Jan 24, 2024)
08f920d right port (aali309, Jan 24, 2024)
5afef79 resolved issues (aali309, Jan 25, 2024)
206df7d resolved file access issue (aali309, Jan 25, 2024)
19908aa resolved issues and added UPSTREAM_CONFIG (aali309, Jan 26, 2024)
63e9991 added alpha file (aali309, Jan 30, 2024)
932d8a4 added alpha config; put storage and grafana behind auth2proxy (aali309, Jan 31, 2024)
4a646d5 unformat chart.yaml on save (aali309, Jan 31, 2024)
bb17a8b added alpha_config as a yaml file (aali309, Feb 5, 2024)
7f2d7de bind to port 4180 (aali309, Feb 8, 2024)
b23d24f hack: run storage as non-root user (andrewazores, Feb 8, 2024)
9d2ba39 Revert "hack: run storage as non-root user" (andrewazores, Feb 8, 2024)
567c26f hack: get authproxy running with basic auth in front of cryostat (andrewazores, Feb 8, 2024)
16cef6e resolved issues (aali309, Feb 9, 2024)
9ae5fdb remove hardcoded user:pass auth, configure for switchable/optional us… (andrewazores, Feb 9, 2024)
56f406b documentation + readme (andrewazores, Feb 9, 2024)
4b9cf34 update STORAGE_EXT_URL to include storage container subpath (andrewazores, Feb 9, 2024)
07c62ea bind cryostat on localhost (andrewazores, Feb 13, 2024)
20 changes: 15 additions & 5 deletions charts/cryostat/README.md
Expand Up @@ -99,11 +99,21 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op

### Authentication

| Name | Description | Value |
| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` |
| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` |
| `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` |
| Name | Description | Value |
| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` |
| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` |
| `authentication.basicAuth.filename` | Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)** | `""` |


### OAuth2 Proxy

| Name | Description | Value |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- |
| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` |
| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` |
| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` |
| `oauth2proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |


### Other Parameters
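Review bot: the new OAuth2 Proxy table names the security context key `oauth2proxy.securityContext` (lowercase `p`) while every other row uses the `oauth2Proxy.` prefix, and the values file in this PR defines `oauth2Proxy.securityContext`; a user who copies the documented key verbatim gets an override that is silently ignored. Since this README is generated from the `## @param` annotations, fix the annotation in values.yaml and regenerate rather than patching the table by hand. Also, `ex.` in the `filename` description should read `e.g.`.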
2 changes: 1 addition & 1 deletion charts/cryostat/templates/NOTES.txt
Expand Up @@ -7,7 +7,7 @@
```
{{- if .Values.core.route.enabled }}
export ROUTE_HOST=$(oc get route -n {{ .Release.Namespace }} {{ include "cryostat.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
{{- $envVars = list "STORAGE_EXT_URL=$ROUTE_HOST" }}
{{- $envVars = list "STORAGE_EXT_URL=http://$ROUTE_HOST/storage" }}
{{- else if .Values.core.ingress.enabled }}
{{- /* Do nothing */}}
{{- else if contains "NodePort" .Values.core.service.type }}
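Review bot: `STORAGE_EXT_URL=http://$ROUTE_HOST/storage` hardcodes the `http://` scheme, so if the Route terminates TLS the storage URL Cryostat hands out to clients is plain HTTP and will either be rejected or silently downgrade the connection. Suggest deriving the scheme from the route's TLS settings, e.g. `{{- $scheme := ternary "https" "http" <route-tls-enabled-condition> }}` (placeholder condition), and keeping the `/storage` subpath so the regex upstream `^/storage/(.*)$` in alpha_config.yaml matches.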
19 changes: 19 additions & 0 deletions charts/cryostat/templates/_helpers.tpl
Expand Up @@ -114,3 +114,22 @@ Get or generate a default secret key for object storage
{{- (randAlphaNum 32) | b64enc | quote -}}
{{- end -}}
{{- end -}}

{{/*
Generate or retrieve a default value for cookieSecret.
*/}}
{{- define "cryostat.cookieSecret" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use the current secret. Do not regenerate.
*/}}
{{- $secret.data.COOKIE_SECRET | b64dec | quote -}}
{{- else -}}
{{/*
Generate a new secret.
*/}}
{{- $newSecret := randAlphaNum 24 | b64enc -}}
{{- $newSecret | quote -}}
{{- end }}
{{- end }}
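Review bot: the `lookup` for a Secret named `<release>-cookie-secret` with key `COOKIE_SECRET` can only succeed if something creates that Secret, and nothing in this diff does; the helper's output is written straight into the Deployment as a plain env value, so the lookup misses every time, a new cookie secret is generated on every `helm upgrade`, and every active session is invalidated (the "Use the current secret. Do not regenerate." comment does not hold). Suggest adding a Secret template that stores the generated value under `COOKIE_SECRET` and reading it back with `valueFrom.secretKeyRef`. Note also that `lookup` returns nothing under `helm template` or `--dry-run`, so a fresh value there is expected. Minor: `randAlphaNum 24 | b64enc` yields a 32-character string that decodes to 24 bytes, which is a valid cookie secret length for oauth2-proxy; a short comment on the intended length would help the next maintainer.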
29 changes: 29 additions & 0 deletions charts/cryostat/templates/alpha_config.yaml
@@ -0,0 +1,29 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-alpha-config
data:
alpha_config.yaml: |-
server:
BindAddress: http://0.0.0.0:4180
upstreamConfig:
proxyRawPath: true
upstreams:
- id: cryostat
path: /
uri: http://localhost:8181
- id: grafana
path: /grafana/
uri: http://localhost:3000
- id: storage
path: ^/storage/(.*)$
rewriteTarget: /$1
uri: http://localhost:8333
passHostHeader: false
proxyWebSockets: false
providers:
- id: dummy
name: Unused - Sign In Below
clientId: CLIENT_ID
clientSecret: CLIENT_SECRET
provider: google
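Review bot: the `providers` entry (`clientId: CLIENT_ID`, `clientSecret: CLIENT_SECRET`, `provider: google`) is a placeholder that exists only because oauth2-proxy requires at least one provider, and the real authentication path is the htpasswd file; say so in a comment in this ConfigMap so the next reader does not assume the Google credentials were forgotten, and note that the `Unused - Sign In Below` button still redirects to Google with that bogus client id. Also, indentation is not preserved in this view, so please confirm which upstream(s) `passHostHeader: false` and `proxyWebSockets: false` apply to; as listed they look like they belong to the `storage` entry only.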
42 changes: 41 additions & 1 deletion charts/cryostat/templates/deployment.yaml
Expand Up @@ -37,7 +37,7 @@ spec:
imagePullPolicy: {{ .Values.core.image.pullPolicy }}
env:
- name: QUARKUS_HTTP_HOST
value: 0.0.0.0
value: localhost
- name: QUARKUS_HTTP_PORT
value: "8181"
- name: QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING
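Review bot: with `QUARKUS_HTTP_HOST` set to `localhost`, port 8181 is reachable only from containers sharing the pod's network namespace, which is the intent of putting the proxy in front; worth confirming that any `httpGet` probes on this container now target the proxy port 4180 or otherwise reach the loopback-bound port, since a kubelet probe to 8181 from outside the pod network would be refused.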
Expand Down Expand Up @@ -194,6 +194,38 @@ spec:
securityContext:
{{- toYaml .Values.storage.securityContext | nindent 12 }}
{{- if not .Values.minimal }}
- name: {{ printf "%s-%s" .Chart.Name "oauth2proxy" }}
securityContext:
{{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }}
image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}"
args:
- "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml"
imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }}
env:
- name: OAUTH2_PROXY_REDIRECT_URL
value: "http://localhost:4180/oauth2/callback"
- name: OAUTH2_PROXY_COOKIE_SECRET
value: {{ include "cryostat.cookieSecret" . }}
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: "*"
{{- if .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
value: write
- name: OAUTH2_PROXY_HTPASSWD_FILE
value: /etc/oauth2_proxy/basicauth/{{ .Values.authentication.basicAuth.filename }}
{{- end }}
{{- if not .Values.authentication.basicAuth.enabled }}
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: ".*"
{{- end }}
volumeMounts:
- name: alpha-config
mountPath: /etc/oauth2_proxy/alpha_config
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
mountPath: /etc/oauth2_proxy/basicauth
readOnly: true
{{- end }}
- name: {{ printf "%s-%s" .Chart.Name "grafana" }}
securityContext:
{{- toYaml .Values.grafana.securityContext | nindent 12 }}
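Review bot: `OAUTH2_PROXY_COOKIE_SECRET` is rendered inline via `value: {{ include "cryostat.cookieSecret" . }}`, so the session-signing secret lands in plaintext in the Deployment object, in `helm get manifest` output and in any GitOps diff; prefer `valueFrom: { secretKeyRef: ... }` against a Secret the chart owns (which also gives the `lookup` in the helper something to find). Smaller points: the `{{- if .Values.authentication.basicAuth.enabled }}` / `{{- if not ... }}` pair can be one `if`/`else`; `OAUTH2_PROXY_REDIRECT_URL` is hardcoded to `http://localhost:4180/oauth2/callback`, which is only correct from inside the pod and must become the external URL if a real provider is ever configured; and `OAUTH2_PROXY_SKIP_AUTH_ROUTES=".*"` when basic auth is disabled exposes all three upstreams unauthenticated, which matches the README but deserves a prominent note in values.yaml.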
Expand Down Expand Up @@ -257,3 +289,11 @@ spec:
- name: {{ .Chart.Name }}
emptyDir: {}
{{- end }}
- name: alpha-config
configMap:
name: {{ .Release.Name }}-alpha-config
{{- if .Values.authentication.basicAuth.enabled }}
- name: {{ .Release.Name }}-htpasswd
secret:
secretName: {{ .Values.authentication.basicAuth.secretName }}
{{- end }}
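Review bot: a change to the `alpha-config` ConfigMap (new upstream, different bind address) or a rotated htpasswd Secret will not trigger a rollout, so `helm upgrade` leaves the running proxy on stale configuration; add a checksum annotation on the pod template, e.g. `checksum/alpha-config: {{ include (print $.Template.BasePath "/alpha_config.yaml") . | sha256sum }}`, so edits take effect on upgrade.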
2 changes: 1 addition & 1 deletion charts/cryostat/templates/route.yaml
Expand Up @@ -46,7 +46,7 @@ spec:

{{- $fullName := include "cryostat.fullname" . -}}
{{- if .Values.core.route.enabled }}
{{- include "createRoute" (list $fullName 8181 $ .Values.core)}}
{{- include "createRoute" (list $fullName 4180 $ .Values.core)}}
{{- end }}
{{- if and (not .Values.minimal) .Values.grafana.route.enabled }}
{{- include "createRoute" (list (printf "%s-%s" $fullName "grafana") 3000 $ .Values.grafana)}}
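Review bot: the main route now targets 4180 so Cryostat traffic passes through oauth2-proxy, but the Grafana route on the line below still targets 3000 directly, so Grafana stays reachable without authentication even though the proxy also fronts it at `/grafana/`; either drop the separate Grafana route or point it at 4180 with the `/grafana/` path.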
2 changes: 1 addition & 1 deletion charts/cryostat/templates/service.yaml
Expand Up @@ -10,7 +10,7 @@ spec:
type: {{ .Values.core.service.type }}
ports:
- port: {{ .Values.core.service.httpPort }}
targetPort: 8181
targetPort: 4180
protocol: TCP
name: cryostat-http
- port: {{ .Values.core.service.jmxPort }}
70 changes: 60 additions & 10 deletions charts/cryostat/values.schema.json
Expand Up @@ -529,23 +529,53 @@
}
}
},
"podSecurityContext": {
"oauth2Proxy": {
"type": "object",
"properties": {
"seccompProfile": {
"securityContext": {
"type": "object",
"properties": {
"type": {
"type": "string",
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"description": "",
"default": [
"ALL"
],
"items": {
"type": "string"
}
}
}
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "",
"default": "RuntimeDefault"
"default": false
}
}
},
"runAsNonRoot": {
"type": "boolean",
"description": "",
"default": true
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"description": "Repository for the OAuth2 Proxy container image",
"default": "quay.io/oauth2-proxy/oauth2-proxy"
},
"pullPolicy": {
"type": "string",
"description": "Image pull policy for the OAuth2 Proxy container image",
"default": "Always"
},
"tag": {
"type": "string",
"description": "Tag for the OAuth2 Proxy container image",
"default": "latest"
}
}
}
}
},
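Review bot: the new `oauth2Proxy.securityContext` entries ship with `"description": ""` for `capabilities.drop` and `allowPrivilegeEscalation`; fill them in (or mark them `@skip` consistently with the other containers) so the generated docs explain why they exist. The schema also declares no `runAsNonRoot` or `seccompProfile` for this container; if the pod-level `podSecurityContext` block (moved further down in this file) is meant to cover those, a comment saying so would help reviewers checking the "restricted" profile claim.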
Expand All @@ -567,13 +597,33 @@
},
"filename": {
"type": "string",
"description": "Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax \"user=passHex\", where \"user\" is the username and \"passHex\" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)**",
"description": "Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax \"user:passHash\", where \"user\" is the username and \"passHash\" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**",
"default": ""
}
}
}
}
},
"podSecurityContext": {
"type": "object",
"properties": {
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "",
"default": "RuntimeDefault"
}
}
},
"runAsNonRoot": {
"type": "boolean",
"description": "",
"default": true
}
}
},
"minimal": {
"type": "boolean",
"description": "Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source",
31 changes: 25 additions & 6 deletions charts/cryostat/values.yaml
Expand Up @@ -59,7 +59,7 @@ core:
## @skip core.securityContext.capabilities
capabilities:
drop:
- ALL
- ALL
## @param core.databaseSecretName Name of the secret to extract password for credentials database.
databaseSecretName: ""
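Review bot: the `- ALL` line under `capabilities.drop` reads the same before and after, so this is a whitespace-only (indentation) change, and the same pattern repeats in the db, storage, grafana and datasource hunks below. If these come from the editor reformatting mentioned in the `unformat chart.yaml on save` commit, consider dropping them from the PR to keep the diff to the auth change, or confirm the new indentation is what the chart linter expects.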

Expand All @@ -82,7 +82,7 @@ db:
## @skip db.securityContext.capabilities
capabilities:
drop:
- ALL
- ALL

## @section Storage Container
## @extra Configuration for Cryostat's object storage provider
Expand All @@ -103,7 +103,7 @@ storage:
## @skip storage.securityContext.capabilities
capabilities:
drop:
- ALL
- ALL

## @section Grafana Container
## @extra grafana Configuration for the customized Grafana instance for Cryostat
Expand Down Expand Up @@ -164,7 +164,7 @@ grafana:
## @skip grafana.securityContext.capabilities
capabilities:
drop:
- ALL
- ALL

## @section JFR Data Source Container
## @extra datasource Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana
Expand All @@ -185,7 +185,7 @@ datasource:
## @skip datasource.securityContext.capabilities
capabilities:
drop:
- ALL
- ALL

## @section Authentication

Expand All @@ -195,9 +195,28 @@ authentication:
enabled: false
## @param authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**
secretName: ""
## @param authentication.basicAuth.filename Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)**
## @param authentication.basicAuth.filename Key within Secret containing the `htpasswd` file. The file should contain one user definition entry per line, with the syntax "user:passHash", where "user" is the username and "passHash" is the `bcrypt` hash of the desired password. Such an entry can be generated with ex. `htpasswd -nbB username password` **(Required if basicAuth is enabled)**
filename: ""

## @section OAuth2 Proxy

oauth2Proxy:
image:
## @param oauth2Proxy.image.repository Repository for the OAuth2 Proxy container image
repository: "quay.io/oauth2-proxy/oauth2-proxy"
## @param oauth2Proxy.image.pullPolicy Image pull policy for the OAuth2 Proxy container image
pullPolicy: Always
## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image
tag: "latest"
## @param oauth2proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
securityContext:
## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation
allowPrivilegeEscalation: false
## @skip oauth2Proxy.securityContext.capabilities
capabilities:
drop:
- ALL

## @section Other Parameters

## @param minimal Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source
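Review bot: `oauth2Proxy.image.tag` defaults to `latest` with `pullPolicy: Always`, so every pod restart may pull a different, unvetted oauth2-proxy build; for the component that enforces authentication, pin a specific release tag (or digest) as the default and let users override it. Also the `## @param oauth2proxy.securityContext` annotation has a lowercase `p` that does not match the `oauth2Proxy` key it documents, which propagates into the generated README table. A one-line note in this section that the proxy skips authentication for all routes when `authentication.basicAuth.enabled` is false would make the default posture explicit.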