From f3526f4fb4f1cd6ecc9bfb334f2215f8603075dc Mon Sep 17 00:00:00 2001 From: William Lam Date: Sat, 15 Jul 2023 13:16:47 -0700 Subject: [PATCH] fix: Ensure all VEBA endpoints have common auth Closes: #1078 Signed-off-by: William Lam --- .../ingress-authserver-extensionservice.yaml | 10 ++ .../ingress-authserver-template.yaml | 125 ++++++++++++++++++ .../ingressroute-gateway-template.yaml | 14 ++ files/setup-08-tinywww.sh | 4 +- files/setup-09-ingress.sh | 23 ++++ files/setup.sh | 7 +- manual/photon.xml.template | 10 +- scripts/photon-settings.sh | 3 +- test/deploy_veba_knative_processor.sh | 4 + test/deploy_veba_knative_processor_veba_ui.sh | 4 + ..._veba_knative_processor_veba_ui_webhook.sh | 4 + ...ative_processor_veba_ui_webhook_horizon.sh | 4 + veba-bom.json | 7 + 13 files changed, 214 insertions(+), 5 deletions(-) create mode 100644 files/configs/ingress/ingress-authserver-extensionservice.yaml create mode 100644 files/configs/ingress/templates/ingress-authserver-template.yaml diff --git a/files/configs/ingress/ingress-authserver-extensionservice.yaml b/files/configs/ingress/ingress-authserver-extensionservice.yaml new file mode 100644 index 00000000..16f74d02 --- /dev/null +++ b/files/configs/ingress/ingress-authserver-extensionservice.yaml @@ -0,0 +1,10 @@ +apiVersion: projectcontour.io/v1alpha1 +kind: ExtensionService +metadata: + name: htpasswd + namespace: projectcontour-auth +spec: + protocol: h2 + services: + - name: htpasswd + port: 9443 \ No newline at end of file diff --git a/files/configs/ingress/templates/ingress-authserver-template.yaml b/files/configs/ingress/templates/ingress-authserver-template.yaml new file mode 100644 index 00000000..d7e57f9e --- /dev/null +++ b/files/configs/ingress/templates/ingress-authserver-template.yaml 
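Review bot: The ExtensionService sets `protocol: h2` but has no `validation` block, so as far as the visible config goes Envoy will open TLS to the htpasswd pods on 9443 without verifying the certificate that the accompanying template asks cert-manager to issue (the authserver itself is started with `--tls-ca-path`/`--tls-cert-path`, so the server side is ready for it). Add under `spec:` the lines `validation:` / `  caSecret: htpasswd` / `  subjectName: htpasswd`, which Contour resolves in the ExtensionService's own namespace — the same `projectcontour-auth` namespace the Certificate writes its secret to — so the auth hop is authenticated end to end rather than merely encrypted. A `timeoutPolicy` on the same object would make a hung auth server fail requests predictably instead of waiting on the proxy default, and the file should end with a newline.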
@@ -0,0 +1,125 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@ load("@ytt:json", "json") + +#@ name = json.decode(data.values.bom)["contour-authserver"]["containers"][0]["name"] +#@ version = json.decode(data.values.bom)["contour-authserver"]["containers"][0]["version"] +#@ image = name + ":" + version + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned +spec: + selfSigned: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: htpasswd + namespace: projectcontour-auth +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: contour:authserver:htpasswd +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: contour:authserver:htpasswd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contour:authserver:htpasswd +subjects: +- kind: ServiceAccount + name: htpasswd + namespace: projectcontour-auth +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: htpasswd + name: htpasswd + namespace: projectcontour-auth +spec: + ports: + - name: auth + port: 9443 + protocol: TCP + targetPort: 9443 + selector: + app.kubernetes.io/name: htpasswd + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: htpasswd + name: htpasswd + namespace: projectcontour-auth +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: htpasswd + template: + metadata: + labels: + app.kubernetes.io/name: htpasswd + spec: + containers: + - args: + - htpasswd + - --address=:9443 + - --tls-ca-path=/tls/ca.crt + - --tls-cert-path=/tls/tls.crt + - --tls-key-path=/tls/tls.key + command: + - /contour-authserver + image: #@ image + imagePullPolicy: IfNotPresent + name: htpasswd + ports: + - containerPort: 9443 + name: auth + protocol: TCP + resources: + limits: + cpu: 
100m + memory: 90Mi + volumeMounts: + - mountPath: /tls + name: tls + readOnly: true + serviceAccountName: htpasswd + volumes: + - name: tls + secret: + secretName: htpasswd +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: htpasswd + namespace: projectcontour-auth +spec: + dnsNames: + - htpasswd + issuerRef: + kind: ClusterIssuer + name: selfsigned + secretName: htpasswd \ No newline at end of file diff --git a/files/configs/ingress/templates/ingressroute-gateway-template.yaml b/files/configs/ingress/templates/ingressroute-gateway-template.yaml index 54357bf2..f6fd75d9 100644 --- a/files/configs/ingress/templates/ingressroute-gateway-template.yaml +++ b/files/configs/ingress/templates/ingressroute-gateway-template.yaml @@ -28,6 +28,8 @@ spec: services: - name: tinywww port: 8100 + authPolicy: + disabled: true - conditions: - prefix: /bootstrap pathRewritePolicy: @@ -36,6 +38,8 @@ spec: services: - name: tinywww port: 8100 + authPolicy: + disabled: true #@ if webhookEnabled == "True": - conditions: - prefix: /stats/webhook @@ -45,6 +49,8 @@ spec: services: - name: vmware-event-router-webhook port: 8082 + authPolicy: + disabled: true - conditions: - prefix: /webhook pathRewritePolicy: @@ -53,6 +59,8 @@ spec: services: - name: vmware-event-router-webhook port: 8080 + authPolicy: + disabled: true #@ end #@ if vebaUIUsername != "" and vebaUIPassword != "": - conditions: @@ -60,12 +68,18 @@ spec: services: - name: veba-ui port: 80 + authPolicy: + disabled: true #@ end virtualhost: fqdn: #@ fqdn tls: minimumProtocolVersion: "1.2" secretName: #@ data.values.secretName + authorization: + extensionRef: + name: htpasswd + namespace: projectcontour-auth includes: - name: sockeye namespace: vmware-functions diff --git a/files/setup-08-tinywww.sh b/files/setup-08-tinywww.sh index 33707183..e9b9709b 100755 --- a/files/setup-08-tinywww.sh +++ b/files/setup-08-tinywww.sh 
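Review bot: The `ClusterRole`/`ClusterRoleBinding` pair gives the htpasswd ServiceAccount `get`/`list`/`watch` on secrets in every namespace, while the only credential it needs is the `passwords` secret that setup-09 creates in `projectcontour-auth`; a compromise of this Internet-facing auth pod would then expose every secret in the cluster, including the vCenter credentials the rest of VEBA stores. If this contour-authserver build can limit its secret informer to one namespace (check its `v2` flags before applying — if it insists on a cluster-wide list, the Role below will make it fail with Forbidden), a namespaced `Role`/`RoleBinding` is enough. The Deployment also has no `securityContext`; the image is an upstream distroless-style binary, so `runAsNonRoot`, a read-only root filesystem and dropped capabilities should be safe, but confirm the image's user before enforcing `runAsNonRoot`. The `selfsigned` ClusterIssuer is fine for this internal hop and need not change.
```yaml
# … unchanged: ClusterIssuer, ServiceAccount …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: contour:authserver:htpasswd
  namespace: projectcontour-auth
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour:authserver:htpasswd
  namespace: projectcontour-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour:authserver:htpasswd
subjects:
- kind: ServiceAccount
  name: htpasswd
  namespace: projectcontour-auth
# … unchanged: Service, Deployment metadata/selector, container args/command/image/ports/resources/volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]
# … unchanged: volumes, Certificate …
```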
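Review bot: Each new `authPolicy: disabled: true` in the ingressroute template silently carves a route out of the "common auth" the commit title promises, and nothing in the file records why that is safe — the tinywww routes are covered by the `basic-auth` secret setup-08 creates, `/webhook` presumably by the webhook credentials, and `veba-ui` by its own vCenter login, but `/stats/webhook` on port 8082 has no visible credential of its own. Add a one-line YAML comment above each exemption naming the mechanism that protects the route, e.g. `#! tinywww enforces its own basic auth (basic-auth secret); virtualhost auth disabled to avoid a double prompt`, and either drop the exemption for `/stats/webhook` or document what guards it. On the `virtualhost.authorization` block, spell out `failOpen: false` under `extensionRef`: it matches Contour's default, but an explicit line stops a future edit from quietly turning auth-server outages into open access. The first two route hunks start at `services:`, so the route conditions they belong to are outside the hunk.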
@@ -15,8 +15,8 @@ TINYWWW_CONFIG=/root/config/tinywww/tinywww.yaml # Basic Auth for TinyWWW endpoints kubectl -n vmware-system create secret generic basic-auth \ - --from-literal=basic-auth-user=admin \ - --from-literal=basic-auth-password="${ROOT_PASSWORD}" + --from-literal=basic-auth-user="${ENDPOINT_USERNAME}" \ + --from-literal=basic-auth-password="${ENDPOINT_PASSWORD}" # Apply YTT overlay ytt --data-value-file bom=${VEBA_BOM_FILE} --data-value-file config=${VEBA_CONFIG_FILE} -f ${TINYWWW_TEMPLATE} > ${TINYWWW_CONFIG} diff --git a/files/setup-09-ingress.sh b/files/setup-09-ingress.sh index 9c1f44ca..1999c2f7 100755 --- a/files/setup-09-ingress.sh +++ b/files/setup-09-ingress.sh @@ -6,6 +6,29 @@ set -euo pipefail +# Setup Contour AuthServer +echo -e "\e[92mConfiguring Contour Ingress AuthServer ..." > /dev/console +kubectl create namespace projectcontour-auth + +# Contour Auth Config files +INGRESS_AUTHSERVER_TEMPLATE=/root/config/ingress/templates/ingress-authserver-template.yaml +INGRESS_AUTHSERVER_CONFIG=/root/config/ingress/$(basename ${INGRESS_AUTHSERVER_TEMPLATE} | sed 's/-template//g') + +VEBA_BOM_FILE=/root/config/veba-bom.json +INGRESS_AUTHSERVER_AUTH_FILE=/root/config/auth + +# Apply YTT overlay +ytt --data-value-file bom=${VEBA_BOM_FILE} -f ${INGRESS_AUTHSERVER_TEMPLATE} > ${INGRESS_AUTHSERVER_CONFIG} +kubectl apply -f ${INGRESS_AUTHSERVER_CONFIG} + +# Configure Auth file with admin user +htpasswd -b -c ${INGRESS_AUTHSERVER_AUTH_FILE} ${ENDPOINT_USERNAME} ${ENDPOINT_PASSWORD} +kubectl create secret generic -n projectcontour-auth passwords --from-file=${INGRESS_AUTHSERVER_AUTH_FILE} +kubectl annotate secret -n projectcontour-auth passwords projectcontour.io/auth-type=basic + +# Create Extension Service +kubectl apply -f /root/config/ingress/ingress-authserver-extensionservice.yaml + KEY_FILE=/root/config/eventrouter.key CERT_FILE=/root/config/eventrouter.crt CERT_NAME=eventrouter-tls 
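Review bot: `htpasswd -b -c ${INGRESS_AUTHSERVER_AUTH_FILE} ${ENDPOINT_USERNAME} ${ENDPOINT_PASSWORD}` puts the endpoint password on the command line, where it is visible to any local process via `ps` and to whatever logs the setup run, and the unquoted expansions word-split a username or password containing spaces or glob characters (the "Please use a secure password" guidance invites exactly that). Feed the password over stdin with `-i`, quote every expansion, and since the resulting file is left in `/root/config/auth` after the secret is created, tighten its mode and remove it once `kubectl` has consumed it. `-B` selects bcrypt instead of the default apr1-MD5 hash; the htpasswd backend's parser accepts bcrypt entries as far as I know, but confirm before enabling it. This assumes setup.sh has already rejected empty `ENDPOINT_*` values, which it currently does not.
```shell
# Configure Auth file with admin user (password via stdin so it never appears on argv)
printf '%s\n' "${ENDPOINT_PASSWORD}" | htpasswd -i -B -c "${INGRESS_AUTHSERVER_AUTH_FILE}" "${ENDPOINT_USERNAME}"
chmod 0600 "${INGRESS_AUTHSERVER_AUTH_FILE}"
kubectl create secret generic -n projectcontour-auth passwords --from-file="${INGRESS_AUTHSERVER_AUTH_FILE}"
kubectl annotate secret -n projectcontour-auth passwords projectcontour.io/auth-type=basic
rm -f "${INGRESS_AUTHSERVER_AUTH_FILE}"
# … unchanged: ExtensionService apply …
```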
diff --git a/files/setup.sh b/files/setup.sh index ca5ab45c..9052aa68 100755 --- a/files/setup.sh +++ b/files/setup.sh @@ -21,6 +21,8 @@ PROXY_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.proxy_password") NO_PROXY=$(/root/setup/getOvfProperty.py "guestinfo.no_proxy") ROOT_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.root_password") ENABLE_SSH=$(/root/setup/getOvfProperty.py "guestinfo.enable_ssh" | tr '[:upper:]' '[:lower:]') +ENDPOINT_USERNAME=$(/root/setup/getOvfProperty.py "guestinfo.endpoint_username") +ENDPOINT_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.endpoint_password") VCENTER_SERVER=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_server") VCENTER_USERNAME=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_username") VCENTER_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_password") @@ -74,6 +76,8 @@ else ESCAPED_VCENTER_USERNAME=$(eval echo -n '${VCENTER_USERNAME}' | jq -Rs .) ESCAPED_VCENTER_PASSWORD=$(eval echo -n '${VCENTER_PASSWORD}' | jq -Rs .) ESCAPED_ROOT_PASSWORD=$(eval echo -n '${ROOT_PASSWORD}' | jq -Rs .) + ESCAPED_ENDPOINT_USERNAME=$(eval echo -n '${ENDPOINT_USERNAME}' | jq -Rs .) + ESCAPED_ENDPOINT_PASSWORD=$(eval echo -n '${ENDPOINT_PASSWORD}' | jq -Rs .) ESCAPED_VCENTER_USERNAME_FOR_VEBA_UI=$(eval echo -n '${VCENTER_USERNAME_FOR_VEBA_UI}' | jq -Rs .) ESCAPED_VCENTER_PASSWORD_FOR_VEBA_UI=$(eval echo -n '${VCENTER_PASSWORD_FOR_VEBA_UI}' | jq -Rs .) @@ -81,7 +85,6 @@ else ESCAPED_HORIZON_SERVER=$(eval echo -n '${HORIZON_SERVER}' | jq -Rs .) ESCAPED_HORIZON_USERNAME=$(eval echo -n '${HORIZON_USERNAME}' | jq -Rs .) ESCAPED_HORIZON_PASSWORD=$(eval echo -n '${HORIZON_PASSWORD}' | jq -Rs .) - ESCAPED_ROOT_PASSWORD=$(eval echo -n '${ROOT_PASSWORD}' | jq -Rs .) ESCAPED_WEBHOOK_USERNAME=$(eval echo -n '${WEBHOOK_USERNAME}' | jq -Rs .) ESCAPED_WEBHOOK_PASSWORD=$(eval echo -n '${WEBHOOK_PASSWORD}' | jq -Rs .) 
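Review bot: `ENDPOINT_USERNAME` and `ENDPOINT_PASSWORD` are read from the OVF properties with no check that either was supplied, and unlike the vCenter settings they now gate every externally reachable endpoint; an empty value does not trip `set -u` (the variable is set, just empty) and would flow into `htpasswd` and the `basic-auth` secret as an empty credential. Fail fast right after the two new assignments: `if [ -z "${ENDPOINT_USERNAME}" ] || [ -z "${ENDPOINT_PASSWORD}" ]; then echo "guestinfo.endpoint_username and guestinfo.endpoint_password are required" > /dev/console; exit 1; fi`. Rejecting `ENDPOINT_USERNAME` values containing `:` is also worth considering, since that character is the field separator in the htpasswd format the value ends up in.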
@@ -106,6 +109,8 @@ else "NO_PROXY": "${NO_PROXY}", "ESCAPED_ROOT_PASSWORD": ${ESCAPED_ROOT_PASSWORD}, "ENABLE_SSH": "${ENABLE_SSH}", + "ESCAPED_ENDPOINT_USERNAME": ${ESCAPED_ENDPOINT_USERNAME}, + "ESCAPED_ENDPOINT_PASSWORD": ${ESCAPED_ENDPOINT_PASSWORD}, "ESCAPED_VCENTER_SERVER": ${ESCAPED_VCENTER_SERVER}, "ESCAPED_VCENTER_USERNAME": ${ESCAPED_VCENTER_USERNAME}, "ESCAPED_VCENTER_PASSWORD": ${ESCAPED_VCENTER_PASSWORD}, diff --git a/manual/photon.xml.template b/manual/photon.xml.template index 7eaa3b9a..e71e5018 100644 --- a/manual/photon.xml.template +++ b/manual/photon.xml.template @@ -55,7 +55,7 @@ No Proxy for e.g. your internal domain suffix. Adding the appliance IP address is recommended. Comma separated (localhost, 127.0.0.1, domain.local) - OS Credentials + Credentials Password to login in as root. Please use a secure password @@ -64,6 +64,14 @@ Automatically start SSH daemon + + + Username to login to VEBA endpoints (e.g. /bootstrap, /events, /top, etc.) + + + + Password to login to VEBA endpoints (e.g. /bootstrap, /events, /top, etc.). Please use a secure password + vSphere diff --git a/scripts/photon-settings.sh b/scripts/photon-settings.sh index 9754f297..60def6b0 100644 --- a/scripts/photon-settings.sh +++ b/scripts/photon-settings.sh @@ -32,7 +32,8 @@ tdnf install -y \ tar \ jq \ parted \ - apparmor-parser + apparmor-parser \ + httpd echo '> Adding K8s Repo' curl -L https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg -o /etc/pki/rpm-gpg/GOOGLE-RPM-GPG-KEY diff --git a/test/deploy_veba_knative_processor.sh b/test/deploy_veba_knative_processor.sh index 25c16eb8..ef7011be 100755 --- a/test/deploy_veba_knative_processor.sh +++ b/test/deploy_veba_knative_processor.sh @@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local" VEBA_NTP="pool.ntp.org" VEBA_OS_PASSWORD="VMware1!" VEBA_ENABLE_SSH="True" +VEBA_ENDPOINT_USERNAME="admin" +VEBA_ENDPOINT_PASSWORD="VMware1!" VEBA_NETWORK="VM Network" VEBA_DATASTORE="sm-vsanDatastore" VEBA_DEBUG="True" 
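Review bot: The OVF template hunk as extracted shows only the label and description text for the two new properties, not the `Property` element attributes, so confirm that `guestinfo.endpoint_password` is declared with `ovf:password="true"` (matching whatever `guestinfo.root_password` uses) so the deployment wizard masks it and it is not echoed in plain text. The description could also state the consequence of leaving it blank once setup.sh enforces it, e.g. `Password to login to VEBA endpoints (/bootstrap, /events, /top, ...). Required; deployment fails if empty. Please use a secure password`.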
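Review bot: Adding the full `httpd` package to the appliance just to obtain the `htpasswd` binary installs an entire web server, its modules and its systemd unit into an Internet-facing image that otherwise serves everything through Contour. If Photon ships the utilities separately (an `httpd-tools`-style subpackage, if it exists for this release) prefer that; if not, add a line after the `tdnf install` that makes sure the daemon can never start, e.g. `systemctl disable --now httpd.service 2>/dev/null || true` with a comment `# httpd is installed only for the htpasswd CLI; never run the server`. An alternative that avoids the package entirely is to generate the bcrypt entry with a small Python one-liner, since Python is already present for `getOvfProperty.py`.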
@@ -71,6 +73,8 @@ VEBA_TANZU_SOURCES_DEBUG="False" --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \ --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \ --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \ + --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \ + --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \ --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \ --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \ --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \ diff --git a/test/deploy_veba_knative_processor_veba_ui.sh b/test/deploy_veba_knative_processor_veba_ui.sh index 9a30124c..fbc6c88a 100755 --- a/test/deploy_veba_knative_processor_veba_ui.sh +++ b/test/deploy_veba_knative_processor_veba_ui.sh @@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local" VEBA_NTP="pool.ntp.org" VEBA_OS_PASSWORD='VMware1!' VEBA_ENABLE_SSH="True" +VEBA_ENDPOINT_USERNAME="admin" +VEBA_ENDPOINT_PASSWORD="VMware1!" VEBA_NETWORK="VM Network" VEBA_DATASTORE="sm-vsanDatastore" VEBA_DEBUG="True" @@ -73,6 +75,8 @@ VEBA_TANZU_SOURCES_DEBUG="False" --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \ --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \ --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \ + --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \ + --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \ --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \ --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \ --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \ diff --git a/test/deploy_veba_knative_processor_veba_ui_webhook.sh b/test/deploy_veba_knative_processor_veba_ui_webhook.sh index 99945b8b..2cd38395 100755 --- a/test/deploy_veba_knative_processor_veba_ui_webhook.sh +++ b/test/deploy_veba_knative_processor_veba_ui_webhook.sh 
@@ -31,6 +31,8 @@ VEBA_DNS="192.168.30.2" VEBA_DNS_DOMAIN="primp-industries.local" VEBA_NTP="pool.ntp.org" VEBA_OS_PASSWORD='VMware1!' +VEBA_ENDPOINT_USERNAME="admin" +VEBA_ENDPOINT_PASSWORD="VMware1!" VEBA_ENABLE_SSH="True" VEBA_NETWORK="VM Network" VEBA_DATASTORE="sm-vsanDatastore" @@ -77,6 +79,8 @@ VEBA_TANZU_SOURCES_DEBUG="False" --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \ --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \ --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \ + --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \ + --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \ --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \ --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \ --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \ diff --git a/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh b/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh index b1977ea2..f2176c45 100755 --- a/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh +++ b/test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh @@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local" VEBA_NTP="pool.ntp.org" VEBA_OS_PASSWORD='VMware1!' VEBA_ENABLE_SSH="True" +VEBA_ENDPOINT_USERNAME="admin" +VEBA_ENDPOINT_PASSWORD="VMware1!" VEBA_NETWORK="VM Network" VEBA_DATASTORE="sm-vsanDatastore" VEBA_DEBUG="True" @@ -82,6 +84,8 @@ VEBA_TANZU_SOURCES_DEBUG="False" --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \ --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \ --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \ + --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \ + --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \ --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \ --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \ --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \ diff --git a/veba-bom.json b/veba-bom.json index 17f794f2..78d6edd7 100644 --- a/veba-bom.json +++ b/veba-bom.json 
@@ -254,6 +254,13 @@ } ] }, + "contour-authserver": { + "gitRepoTag": "v2", + "containers": [{ + "name": "docker.io/projectcontour/contour-authserver", + "version": "v2" + }] + }, "tinywww": { "gitRepoTag": "master", "containers": [{
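Review bot: `"version": "v2"` is a floating major-version tag on `docker.io/projectcontour/contour-authserver`, and the Deployment that consumes it uses `imagePullPolicy: IfNotPresent`, so two appliances built on different days can run different authserver code under the same BOM entry and a retag upstream changes what the auth gate runs without any change in this repository. For the component that now fronts every endpoint, pin an immutable release tag (the specific `v2.x.y` the change was tested against) and, if the BOM/ytt path supports it, a `@sha256:` digest; the `gitRepoTag` should point at the same release so the source and image stay in lockstep. The existing `"gitRepoTag": "master"` entries elsewhere in the BOM share the problem, but this one is new and security-critical.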