diff --git a/files/configs/ingress/ingress-authserver-extensionservice.yaml b/files/configs/ingress/ingress-authserver-extensionservice.yaml
new file mode 100644
index 00000000..16f74d02
--- /dev/null
+++ b/files/configs/ingress/ingress-authserver-extensionservice.yaml
@@ -0,0 +1,10 @@
+apiVersion: projectcontour.io/v1alpha1
+kind: ExtensionService
+metadata:
+ name: htpasswd
+ namespace: projectcontour-auth
+spec:
+ protocol: h2
+ services:
+ - name: htpasswd
+ port: 9443
\ No newline at end of file
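Review bot: The ExtensionService speaks `h2` (TLS) to the htpasswd backend but has no `validation` block, so Contour accepts whatever certificate the upstream presents; the backend's certificate is minted by the `selfsigned` ClusterIssuer in the sibling template, so nothing currently ties the authorization decision to the real authserver pod. That Certificate writes into the `htpasswd` secret in this same namespace and the Deployment already expects `ca.crt` there, so the upstream can be pinned with `validation:` / `  caSecret: htpasswd` / `  subjectName: htpasswd` — confirm against the Contour version in use that `caSecret` is resolved in the ExtensionService's namespace and that `subjectName` must match the Certificate's `dnsNames`. The file also ends without a trailing newline.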
diff --git a/files/configs/ingress/templates/ingress-authserver-template.yaml b/files/configs/ingress/templates/ingress-authserver-template.yaml
new file mode 100644
index 00000000..d7e57f9e
--- /dev/null
+++ b/files/configs/ingress/templates/ingress-authserver-template.yaml
@@ -0,0 +1,125 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@ load("@ytt:json", "json")
+
+#@ name = json.decode(data.values.bom)["contour-authserver"]["containers"][0]["name"]
+#@ version = json.decode(data.values.bom)["contour-authserver"]["containers"][0]["version"]
+#@ image = name + ":" + version
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: htpasswd
+ namespace: projectcontour-auth
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: contour:authserver:htpasswd
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: contour:authserver:htpasswd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: contour:authserver:htpasswd
+subjects:
+- kind: ServiceAccount
+ name: htpasswd
+ namespace: projectcontour-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: htpasswd
+ name: htpasswd
+ namespace: projectcontour-auth
+spec:
+ ports:
+ - name: auth
+ port: 9443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/name: htpasswd
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: htpasswd
+ name: htpasswd
+ namespace: projectcontour-auth
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: htpasswd
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: htpasswd
+ spec:
+ containers:
+ - args:
+ - htpasswd
+ - --address=:9443
+ - --tls-ca-path=/tls/ca.crt
+ - --tls-cert-path=/tls/tls.crt
+ - --tls-key-path=/tls/tls.key
+ command:
+ - /contour-authserver
+ image: #@ image
+ imagePullPolicy: IfNotPresent
+ name: htpasswd
+ ports:
+ - containerPort: 9443
+ name: auth
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 100m
+ memory: 90Mi
+ volumeMounts:
+ - mountPath: /tls
+ name: tls
+ readOnly: true
+ serviceAccountName: htpasswd
+ volumes:
+ - name: tls
+ secret:
+ secretName: htpasswd
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: htpasswd
+ namespace: projectcontour-auth
+spec:
+ dnsNames:
+ - htpasswd
+ issuerRef:
+ kind: ClusterIssuer
+ name: selfsigned
+ secretName: htpasswd
\ No newline at end of file
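Review bot: The ClusterRole/ClusterRoleBinding pair grants the `htpasswd` ServiceAccount get/list/watch on Secrets across the whole cluster, while the only secret it is handed is `passwords` in `projectcontour-auth` (created by setup-09); that widens the blast radius of a compromised authserver pod to every Secret in the cluster. If the authserver can be limited to watching its own namespace (this depends on its flags — confirm before changing), the pair collapses to a namespaced Role/RoleBinding as below. The container also runs without a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) and has resource `limits` but no `requests`. Finally, `json.decode(data.values.bom)` is evaluated twice at the top of the template; decode once with `#@ bom = json.decode(data.values.bom)` and index `bom` for `name` and `version`.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: contour:authserver:htpasswd
  namespace: projectcontour-auth
#! … unchanged: rules (get/list/watch on secrets) …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour:authserver:htpasswd
  namespace: projectcontour-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour:authserver:htpasswd
#! … unchanged: subjects (ServiceAccount htpasswd) …
```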
diff --git a/files/configs/ingress/templates/ingressroute-gateway-template.yaml b/files/configs/ingress/templates/ingressroute-gateway-template.yaml
index 54357bf2..f6fd75d9 100644
--- a/files/configs/ingress/templates/ingressroute-gateway-template.yaml
+++ b/files/configs/ingress/templates/ingressroute-gateway-template.yaml
@@ -28,6 +28,8 @@ spec:
services:
- name: tinywww
port: 8100
+ authPolicy:
+ disabled: true
- conditions:
- prefix: /bootstrap
pathRewritePolicy:
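Review bot: `authPolicy: disabled: true` exempts the first tinywww route from the htpasswd authorization added at the virtualhost level, and the same exemption is repeated for the second tinywww route, the two webhook routes and the veba-ui route in the next four hunks, with nothing in the template saying why. From setup-08 the tinywww endpoints keep their own `basic-auth` secret and the webhook router has its own WEBHOOK_USERNAME/PASSWORD pair, so those exemptions look deliberate, but veba-ui's own authentication is not visible in this diff — confirm that route is not left reachable without credentials. Put a ytt comment above each exemption, e.g. `#! backend enforces its own basic auth; skip Contour's htpasswd check`. Leading whitespace was lost in this diff, so also check that `authPolicy` sits at the route level alongside `services` rather than indented under the last service entry. The enclosing HTTPProxy `spec` begins before this hunk.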
@@ -36,6 +38,8 @@ spec:
services:
- name: tinywww
port: 8100
+ authPolicy:
+ disabled: true
#@ if webhookEnabled == "True":
- conditions:
- prefix: /stats/webhook
@@ -45,6 +49,8 @@ spec:
services:
- name: vmware-event-router-webhook
port: 8082
+ authPolicy:
+ disabled: true
- conditions:
- prefix: /webhook
pathRewritePolicy:
@@ -53,6 +59,8 @@ spec:
services:
- name: vmware-event-router-webhook
port: 8080
+ authPolicy:
+ disabled: true
#@ end
#@ if vebaUIUsername != "" and vebaUIPassword != "":
- conditions:
@@ -60,12 +68,18 @@ spec:
services:
- name: veba-ui
port: 80
+ authPolicy:
+ disabled: true
#@ end
virtualhost:
fqdn: #@ fqdn
tls:
minimumProtocolVersion: "1.2"
secretName: #@ data.values.secretName
+ authorization:
+ extensionRef:
+ name: htpasswd
+ namespace: projectcontour-auth
includes:
- name: sockeye
namespace: vmware-functions
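Review bot: The new `authorization` stanza leaves `failOpen` and `responseTimeout` at Contour's defaults; the default `failOpen: false` denies requests while the authserver is unreachable, which is the safe behaviour here, but since the whole virtualhost now hinges on it, write the intent out: `authorization:` / `  failOpen: false` / `  extensionRef: …`. The virtualhost-level authorization also applies to the child proxies pulled in by `includes` (sockeye and whatever follows outside this hunk) — confirm those are meant to require the htpasswd credentials and that none of them carries its own `authPolicy`. The HTTPProxy `spec` and the rest of `includes` continue outside the hunk.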
diff --git a/files/setup-08-tinywww.sh b/files/setup-08-tinywww.sh
index 33707183..e9b9709b 100755
--- a/files/setup-08-tinywww.sh
+++ b/files/setup-08-tinywww.sh
@@ -15,8 +15,8 @@ TINYWWW_CONFIG=/root/config/tinywww/tinywww.yaml
# Basic Auth for TinyWWW endpoints
kubectl -n vmware-system create secret generic basic-auth \
- --from-literal=basic-auth-user=admin \
- --from-literal=basic-auth-password="${ROOT_PASSWORD}"
+ --from-literal=basic-auth-user="${ENDPOINT_USERNAME}" \
+ --from-literal=basic-auth-password="${ENDPOINT_PASSWORD}"
# Apply YTT overlay
ytt --data-value-file bom=${VEBA_BOM_FILE} --data-value-file config=${VEBA_CONFIG_FILE} -f ${TINYWWW_TEMPLATE} > ${TINYWWW_CONFIG}
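Review bot: The tinywww `basic-auth` secret now carries the same username/password pair that setup-09 feeds into the Contour htpasswd authserver, and the ingress template exempts the tinywww routes from Contour's check, so the two mechanisms are alternatives for the same paths rather than layers; a maintainer changing one without the other would silently lock users out or drop the check entirely. Record that above the `kubectl create secret` call, e.g. `# Same credentials as the Contour authserver (setup-09); tinywww routes bypass Contour auth and verify these themselves`.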
diff --git a/files/setup-09-ingress.sh b/files/setup-09-ingress.sh
index 9c1f44ca..1999c2f7 100755
--- a/files/setup-09-ingress.sh
+++ b/files/setup-09-ingress.sh
@@ -6,6 +6,29 @@
set -euo pipefail
+# Setup Contour AuthServer
+echo -e "\e[92mConfiguring Contour Ingress AuthServer ..." > /dev/console
+kubectl create namespace projectcontour-auth
+
+# Contour Auth Config files
+INGRESS_AUTHSERVER_TEMPLATE=/root/config/ingress/templates/ingress-authserver-template.yaml
+INGRESS_AUTHSERVER_CONFIG=/root/config/ingress/$(basename ${INGRESS_AUTHSERVER_TEMPLATE} | sed 's/-template//g')
+
+VEBA_BOM_FILE=/root/config/veba-bom.json
+INGRESS_AUTHSERVER_AUTH_FILE=/root/config/auth
+
+# Apply YTT overlay
+ytt --data-value-file bom=${VEBA_BOM_FILE} -f ${INGRESS_AUTHSERVER_TEMPLATE} > ${INGRESS_AUTHSERVER_CONFIG}
+kubectl apply -f ${INGRESS_AUTHSERVER_CONFIG}
+
+# Configure Auth file with admin user
+htpasswd -b -c ${INGRESS_AUTHSERVER_AUTH_FILE} ${ENDPOINT_USERNAME} ${ENDPOINT_PASSWORD}
+kubectl create secret generic -n projectcontour-auth passwords --from-file=${INGRESS_AUTHSERVER_AUTH_FILE}
+kubectl annotate secret -n projectcontour-auth passwords projectcontour.io/auth-type=basic
+
+# Create Extension Service
+kubectl apply -f /root/config/ingress/ingress-authserver-extensionservice.yaml
+
KEY_FILE=/root/config/eventrouter.key
CERT_FILE=/root/config/eventrouter.crt
CERT_NAME=eventrouter-tls
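Review bot: `htpasswd -b -c ${INGRESS_AUTHSERVER_AUTH_FILE} ${ENDPOINT_USERNAME} ${ENDPOINT_PASSWORD}` expands the credentials unquoted, so a password containing whitespace or glob characters is word-split and either aborts the script under `set -e` or stores something other than what the user entered; quote every expansion, `htpasswd -b -c "${INGRESS_AUTHSERVER_AUTH_FILE}" "${ENDPOINT_USERNAME}" "${ENDPOINT_PASSWORD}"`. With `-b` the password is also a command-line argument visible in the process list for the duration of the call; `htpasswd -i` reads it from stdin instead (`printf '%s' "${ENDPOINT_PASSWORD}" | htpasswd -i -c "${INGRESS_AUTHSERVER_AUTH_FILE}" "${ENDPOINT_USERNAME}"`). The default hash is apr1-MD5; `-B` selects bcrypt and is worth adding if the authserver's htpasswd parser accepts bcrypt entries (confirm). After the secret is created the hash file is left at `/root/config/auth`; either `rm -f` it or add a comment saying it is kept on purpose. `kubectl create namespace projectcontour-auth` is not idempotent either, so a re-run of this script aborts there under `set -e`.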
diff --git a/files/setup.sh b/files/setup.sh
index ca5ab45c..9052aa68 100755
--- a/files/setup.sh
+++ b/files/setup.sh
@@ -21,6 +21,8 @@ PROXY_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.proxy_password")
NO_PROXY=$(/root/setup/getOvfProperty.py "guestinfo.no_proxy")
ROOT_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.root_password")
ENABLE_SSH=$(/root/setup/getOvfProperty.py "guestinfo.enable_ssh" | tr '[:upper:]' '[:lower:]')
+ENDPOINT_USERNAME=$(/root/setup/getOvfProperty.py "guestinfo.endpoint_username")
+ENDPOINT_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.endpoint_password")
VCENTER_SERVER=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_server")
VCENTER_USERNAME=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_username")
VCENTER_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_password")
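Review bot: `ENDPOINT_USERNAME`/`ENDPOINT_PASSWORD` are read from the OVF properties with no check that they are non-empty, and both setup-08 (tinywww `basic-auth` secret) and setup-09 (`htpasswd` file) consume them as-is, so a blank property yields credentials with an empty user or password instead of a failed deployment. Unless the OVF marks the properties as required (not visible here), fail early after these two reads: `[ -n "${ENDPOINT_USERNAME}" ] && [ -n "${ENDPOINT_PASSWORD}" ] || { echo "guestinfo.endpoint_username and guestinfo.endpoint_password must be set" > /dev/console; exit 1; }`. The later `jq -Rs .` escaping covers only the JSON config; the shell scripts above use the raw values.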
@@ -74,6 +76,8 @@ else
ESCAPED_VCENTER_USERNAME=$(eval echo -n '${VCENTER_USERNAME}' | jq -Rs .)
ESCAPED_VCENTER_PASSWORD=$(eval echo -n '${VCENTER_PASSWORD}' | jq -Rs .)
ESCAPED_ROOT_PASSWORD=$(eval echo -n '${ROOT_PASSWORD}' | jq -Rs .)
+ ESCAPED_ENDPOINT_USERNAME=$(eval echo -n '${ENDPOINT_USERNAME}' | jq -Rs .)
+ ESCAPED_ENDPOINT_PASSWORD=$(eval echo -n '${ENDPOINT_PASSWORD}' | jq -Rs .)
ESCAPED_VCENTER_USERNAME_FOR_VEBA_UI=$(eval echo -n '${VCENTER_USERNAME_FOR_VEBA_UI}' | jq -Rs .)
ESCAPED_VCENTER_PASSWORD_FOR_VEBA_UI=$(eval echo -n '${VCENTER_PASSWORD_FOR_VEBA_UI}' | jq -Rs .)
@@ -81,7 +85,6 @@ else
ESCAPED_HORIZON_SERVER=$(eval echo -n '${HORIZON_SERVER}' | jq -Rs .)
ESCAPED_HORIZON_USERNAME=$(eval echo -n '${HORIZON_USERNAME}' | jq -Rs .)
ESCAPED_HORIZON_PASSWORD=$(eval echo -n '${HORIZON_PASSWORD}' | jq -Rs .)
- ESCAPED_ROOT_PASSWORD=$(eval echo -n '${ROOT_PASSWORD}' | jq -Rs .)
ESCAPED_WEBHOOK_USERNAME=$(eval echo -n '${WEBHOOK_USERNAME}' | jq -Rs .)
ESCAPED_WEBHOOK_PASSWORD=$(eval echo -n '${WEBHOOK_PASSWORD}' | jq -Rs .)
@@ -106,6 +109,8 @@ else
"NO_PROXY": "${NO_PROXY}",
"ESCAPED_ROOT_PASSWORD": ${ESCAPED_ROOT_PASSWORD},
"ENABLE_SSH": "${ENABLE_SSH}",
+ "ESCAPED_ENDPOINT_USERNAME": ${ESCAPED_ENDPOINT_USERNAME},
+ "ESCAPED_ENDPOINT_PASSWORD": ${ESCAPED_ENDPOINT_PASSWORD},
"ESCAPED_VCENTER_SERVER": ${ESCAPED_VCENTER_SERVER},
"ESCAPED_VCENTER_USERNAME": ${ESCAPED_VCENTER_USERNAME},
"ESCAPED_VCENTER_PASSWORD": ${ESCAPED_VCENTER_PASSWORD},
diff --git a/manual/photon.xml.template b/manual/photon.xml.template
index 7eaa3b9a..e71e5018 100644
--- a/manual/photon.xml.template
+++ b/manual/photon.xml.template
@@ -55,7 +55,7 @@
No Proxy for e.g. your internal domain suffix. Adding the appliance IP address is recommended. Comma separated (localhost, 127.0.0.1, domain.local)
- OS Credentials
+ Credentials
Password to login in as root. Please use a secure password
@@ -64,6 +64,14 @@
Automatically start SSH daemon
+
+
+ Username to login to VEBA endpoints (e.g. /bootstrap, /events, /top, etc.)
+
+
+
+ Password to login to VEBA endpoints (e.g. /bootstrap, /events, /top, etc.). Please use a secure password
+
vSphere
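Review bot: The two new OVF properties appear here only through their description text; the element attributes were not preserved in this diff, so it cannot be verified that `guestinfo.endpoint_password` is declared with `ovf:password="true"` the way a credential property should be, so the vSphere client masks it and does not echo it during deployment. Please confirm the attribute is present, matching whatever `guestinfo.root_password` already uses. The descriptions themselves read fine, and "Credentials" is a reasonable rename now that the section holds more than the OS password.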
diff --git a/scripts/photon-settings.sh b/scripts/photon-settings.sh
index 9754f297..60def6b0 100644
--- a/scripts/photon-settings.sh
+++ b/scripts/photon-settings.sh
@@ -32,7 +32,8 @@ tdnf install -y \
tar \
jq \
parted \
- apparmor-parser
+ apparmor-parser \
+ httpd
echo '> Adding K8s Repo'
curl -L https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg -o /etc/pki/rpm-gpg/GOOGLE-RPM-GPG-KEY
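Review bot: `httpd` is added to the appliance base image apparently only to obtain the `htpasswd` binary that setup-09-ingress.sh calls; installing a full web server for one CLI tool widens the package surface of the appliance, and nothing records the reason. At minimum annotate it, `httpd  # only for the htpasswd tool used by setup-09-ingress.sh; the service must stay disabled`, and confirm the package does not enable `httpd.service` on boot (or disable it explicitly in this script). If Photon ships a tools-only sub-package providing htpasswd, prefer that; otherwise the hash could be produced with `openssl passwd -apr1` if openssl is already on the image, and the package dropped.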
diff --git a/test/deploy_veba_knative_processor.sh b/test/deploy_veba_knative_processor.sh
index 25c16eb8..ef7011be 100755
--- a/test/deploy_veba_knative_processor.sh
+++ b/test/deploy_veba_knative_processor.sh
@@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local"
VEBA_NTP="pool.ntp.org"
VEBA_OS_PASSWORD="VMware1!"
VEBA_ENABLE_SSH="True"
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
VEBA_NETWORK="VM Network"
VEBA_DATASTORE="sm-vsanDatastore"
VEBA_DEBUG="True"
@@ -71,6 +73,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
--prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
--prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
--prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+ --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+ --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
--prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
--prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
--prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \
diff --git a/test/deploy_veba_knative_processor_veba_ui.sh b/test/deploy_veba_knative_processor_veba_ui.sh
index 9a30124c..fbc6c88a 100755
--- a/test/deploy_veba_knative_processor_veba_ui.sh
+++ b/test/deploy_veba_knative_processor_veba_ui.sh
@@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local"
VEBA_NTP="pool.ntp.org"
VEBA_OS_PASSWORD='VMware1!'
VEBA_ENABLE_SSH="True"
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
VEBA_NETWORK="VM Network"
VEBA_DATASTORE="sm-vsanDatastore"
VEBA_DEBUG="True"
@@ -73,6 +75,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
--prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
--prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
--prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+ --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+ --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
--prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
--prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
--prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \
diff --git a/test/deploy_veba_knative_processor_veba_ui_webhook.sh b/test/deploy_veba_knative_processor_veba_ui_webhook.sh
index 99945b8b..2cd38395 100755
--- a/test/deploy_veba_knative_processor_veba_ui_webhook.sh
+++ b/test/deploy_veba_knative_processor_veba_ui_webhook.sh
@@ -31,6 +31,8 @@ VEBA_DNS="192.168.30.2"
VEBA_DNS_DOMAIN="primp-industries.local"
VEBA_NTP="pool.ntp.org"
VEBA_OS_PASSWORD='VMware1!'
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
VEBA_ENABLE_SSH="True"
VEBA_NETWORK="VM Network"
VEBA_DATASTORE="sm-vsanDatastore"
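Review bot: In this test script the two new `VEBA_ENDPOINT_*` lines are inserted before `VEBA_ENABLE_SSH`, whereas the other three test scripts and setup.sh place them after it; keep the order identical across the four fixtures so their property lists can be diffed against each other. The `--prop:` hunk of this file already follows the common order.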
@@ -77,6 +79,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
--prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
--prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
--prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+ --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+ --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
--prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
--prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
--prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \
diff --git a/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh b/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh
index b1977ea2..f2176c45 100755
--- a/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh
+++ b/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh
@@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local"
VEBA_NTP="pool.ntp.org"
VEBA_OS_PASSWORD='VMware1!'
VEBA_ENABLE_SSH="True"
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
VEBA_NETWORK="VM Network"
VEBA_DATASTORE="sm-vsanDatastore"
VEBA_DEBUG="True"
@@ -82,6 +84,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
--prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
--prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
--prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+ --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+ --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
--prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
--prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
--prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \
diff --git a/veba-bom.json b/veba-bom.json
index 17f794f2..78d6edd7 100644
--- a/veba-bom.json
+++ b/veba-bom.json
@@ -254,6 +254,13 @@
}
]
},
+ "contour-authserver": {
+ "gitRepoTag": "v2",
+ "containers": [{
+ "name": "docker.io/projectcontour/contour-authserver",
+ "version": "v2"
+ }]
+ },
"tinywww": {
"gitRepoTag": "master",
"containers": [{