fix: Ensure all VEBA endpoints have common auth

Closes: #1078
Signed-off-by: William Lam <[email protected]>

files/configs/ingress/ingress-authserver-extensionservice.yaml

@@ -0,0 +1,10 @@
+apiVersion: projectcontour.io/v1alpha1
+kind: ExtensionService
+metadata:
+  name: htpasswd
+  namespace: projectcontour-auth
+spec:
+  protocol: h2
+  services:
+  - name: htpasswd
+    port: 9443

files/configs/ingress/templates/ingress-authserver-template.yaml

@@ -0,0 +1,125 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@ load("@ytt:json", "json")
+
+#@ name = json.decode(data.values.bom)["contour-authserver"]["containers"][0]["name"]
+#@ version = json.decode(data.values.bom)["contour-authserver"]["containers"][0]["version"]
+#@ image = name + ":" + version
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: htpasswd
+  namespace: projectcontour-auth
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: contour:authserver:htpasswd
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: contour:authserver:htpasswd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: contour:authserver:htpasswd
+subjects:
+- kind: ServiceAccount
+  name: htpasswd
+  namespace: projectcontour-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: htpasswd
+  name: htpasswd
+  namespace: projectcontour-auth
+spec:
+  ports:
+  - name: auth
+    port: 9443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app.kubernetes.io/name: htpasswd
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: htpasswd
+  name: htpasswd
+  namespace: projectcontour-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: htpasswd
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: htpasswd
+    spec:
+      containers:
+      - args:
+        - htpasswd
+        - --address=:9443
+        - --tls-ca-path=/tls/ca.crt
+        - --tls-cert-path=/tls/tls.crt
+        - --tls-key-path=/tls/tls.key
+        command:
+        - /contour-authserver
+        image: #@ image
+        imagePullPolicy: IfNotPresent
+        name: htpasswd
+        ports:
+        - containerPort: 9443
+          name: auth
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 100m
+            memory: 90Mi
+        volumeMounts:
+        - mountPath: /tls
+          name: tls
+          readOnly: true
+      serviceAccountName: htpasswd
+      volumes:
+      - name: tls
+        secret:
+          secretName: htpasswd
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: htpasswd
+  namespace: projectcontour-auth
+spec:
+  dnsNames:
+  - htpasswd
+  issuerRef:
+    kind: ClusterIssuer
+    name: selfsigned
+  secretName: htpasswd

files/configs/ingress/templates/ingressroute-gateway-template.yaml

@@ -28,6 +28,8 @@ spec:
     services:
     - name: tinywww
       port: 8100
+    authPolicy:
+      disabled: true
   - conditions:
     - prefix: /bootstrap
     pathRewritePolicy:
@@ -36,6 +38,8 @@ spec:
     services:
     - name: tinywww
       port: 8100
+    authPolicy:
+      disabled: true
   #@ if webhookEnabled == "True":
   - conditions:
     - prefix: /stats/webhook
@@ -45,6 +49,8 @@ spec:
     services:
     - name: vmware-event-router-webhook
       port: 8082
+    authPolicy:
+      disabled: true
   - conditions:
     - prefix: /webhook
     pathRewritePolicy:
@@ -53,19 +59,27 @@ spec:
     services:
     - name: vmware-event-router-webhook
       port: 8080
+    authPolicy:
+      disabled: true
   #@ end
   #@ if vebaUIUsername != "" and vebaUIPassword != "":
   - conditions:
     - prefix: /veba-ui
     services:
     - name: veba-ui
       port: 80
+    authPolicy:
+      disabled: true
   #@ end
   virtualhost:
     fqdn: #@ fqdn
     tls:
       minimumProtocolVersion: "1.2"
       secretName: #@ data.values.secretName
+    authorization:
+      extensionRef:
+        name: htpasswd
+        namespace: projectcontour-auth
   includes:
   - name: sockeye
     namespace: vmware-functions

files/setup-08-tinywww.sh

@@ -15,8 +15,8 @@ TINYWWW_CONFIG=/root/config/tinywww/tinywww.yaml
 
 # Basic Auth for TinyWWW endpoints
 kubectl -n vmware-system create secret generic basic-auth \
-        --from-literal=basic-auth-user=admin \
-        --from-literal=basic-auth-password="${ROOT_PASSWORD}"
+        --from-literal=basic-auth-user="${ENDPOINT_USERNAME}" \
+        --from-literal=basic-auth-password="${ENDPOINT_PASSWORD}"
 
 # Apply YTT overlay
 ytt --data-value-file bom=${VEBA_BOM_FILE} --data-value-file config=${VEBA_CONFIG_FILE} -f ${TINYWWW_TEMPLATE} > ${TINYWWW_CONFIG}

files/setup-09-ingress.sh

@@ -6,6 +6,29 @@
 
 set -euo pipefail
 
+# Setup Contour AuthServer
+echo -e "\e[92mConfiguring Contour Ingress AuthServer ..." > /dev/console
+kubectl create namespace projectcontour-auth
+
+# Contour Auth Config files
+INGRESS_AUTHSERVER_TEMPLATE=/root/config/ingress/templates/ingress-authserver-template.yaml
+INGRESS_AUTHSERVER_CONFIG=/root/config/ingress/$(basename ${INGRESS_AUTHSERVER_TEMPLATE} | sed 's/-template//g')
+
+VEBA_BOM_FILE=/root/config/veba-bom.json
+INGRESS_AUTHSERVER_AUTH_FILE=/root/config/auth
+
+# Apply YTT overlay
+ytt --data-value-file bom=${VEBA_BOM_FILE} -f ${INGRESS_AUTHSERVER_TEMPLATE} > ${INGRESS_AUTHSERVER_CONFIG}
+kubectl apply -f ${INGRESS_AUTHSERVER_CONFIG}
+
+# Configure Auth file with admin user
+htpasswd -b -c ${INGRESS_AUTHSERVER_AUTH_FILE} ${ENDPOINT_USERNAME} ${ENDPOINT_PASSWORD}
+kubectl create secret generic -n projectcontour-auth passwords --from-file=${INGRESS_AUTHSERVER_AUTH_FILE}
+kubectl annotate secret -n projectcontour-auth passwords projectcontour.io/auth-type=basic
+
+# Create Extension Service
+kubectl apply -f /root/config/ingress/ingress-authserver-extensionservice.yaml
+
 KEY_FILE=/root/config/eventrouter.key
 CERT_FILE=/root/config/eventrouter.crt
 CERT_NAME=eventrouter-tls

files/setup.sh

@@ -21,6 +21,8 @@ PROXY_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.proxy_password")
 NO_PROXY=$(/root/setup/getOvfProperty.py "guestinfo.no_proxy")
 ROOT_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.root_password")
 ENABLE_SSH=$(/root/setup/getOvfProperty.py "guestinfo.enable_ssh" | tr '[:upper:]' '[:lower:]')
+ENDPOINT_USERNAME=$(/root/setup/getOvfProperty.py "guestinfo.endpoint_username")
+ENDPOINT_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.endpoint_password")
 VCENTER_SERVER=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_server")
 VCENTER_USERNAME=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_username")
 VCENTER_PASSWORD=$(/root/setup/getOvfProperty.py "guestinfo.vcenter_password")
@@ -74,14 +76,15 @@ else
 	ESCAPED_VCENTER_USERNAME=$(eval echo -n '${VCENTER_USERNAME}' | jq -Rs .)
 	ESCAPED_VCENTER_PASSWORD=$(eval echo -n '${VCENTER_PASSWORD}' | jq -Rs .)
 	ESCAPED_ROOT_PASSWORD=$(eval echo -n '${ROOT_PASSWORD}' | jq -Rs .)
+	ESCAPED_ENDPOINT_USERNAME=$(eval echo -n '${ENDPOINT_USERNAME}' | jq -Rs .)
+	ESCAPED_ENDPOINT_PASSWORD=$(eval echo -n '${ENDPOINT_PASSWORD}' | jq -Rs .)
 
 	ESCAPED_VCENTER_USERNAME_FOR_VEBA_UI=$(eval echo -n '${VCENTER_USERNAME_FOR_VEBA_UI}' | jq -Rs .)
 	ESCAPED_VCENTER_PASSWORD_FOR_VEBA_UI=$(eval echo -n '${VCENTER_PASSWORD_FOR_VEBA_UI}' | jq -Rs .)
 
 	ESCAPED_HORIZON_SERVER=$(eval echo -n '${HORIZON_SERVER}' | jq -Rs .)
 	ESCAPED_HORIZON_USERNAME=$(eval echo -n '${HORIZON_USERNAME}' | jq -Rs .)
 	ESCAPED_HORIZON_PASSWORD=$(eval echo -n '${HORIZON_PASSWORD}' | jq -Rs .)
-	ESCAPED_ROOT_PASSWORD=$(eval echo -n '${ROOT_PASSWORD}' | jq -Rs .)
 
 	ESCAPED_WEBHOOK_USERNAME=$(eval echo -n '${WEBHOOK_USERNAME}' | jq -Rs .)
 	ESCAPED_WEBHOOK_PASSWORD=$(eval echo -n '${WEBHOOK_PASSWORD}' | jq -Rs .)
@@ -106,6 +109,8 @@ else
 	"NO_PROXY": "${NO_PROXY}",
 	"ESCAPED_ROOT_PASSWORD": ${ESCAPED_ROOT_PASSWORD},
 	"ENABLE_SSH": "${ENABLE_SSH}",
+	"ESCAPED_ENDPOINT_USERNAME": ${ESCAPED_ENDPOINT_USERNAME},
+	"ESCAPED_ENDPOINT_PASSWORD": ${ESCAPED_ENDPOINT_PASSWORD},
 	"ESCAPED_VCENTER_SERVER": ${ESCAPED_VCENTER_SERVER},
 	"ESCAPED_VCENTER_USERNAME": ${ESCAPED_VCENTER_USERNAME},
 	"ESCAPED_VCENTER_PASSWORD": ${ESCAPED_VCENTER_PASSWORD},

manual/photon.xml.template

@@ -55,7 +55,7 @@
             <Label>No Proxy</Label>
             <Description>No Proxy for e.g. your internal domain suffix. Adding the appliance IP address is recommended. Comma separated (localhost, 127.0.0.1, domain.local)</Description>
         </Property>
-      <Category>OS Credentials</Category>
+      <Category>Credentials</Category>
         <Property ovf:key="guestinfo.root_password" ovf:password="true" ovf:type="string" ovf:userConfigurable="true" ovf:value="">
             <Label>Root Password</Label>
             <Description>Password to login in as root. Please use a secure password</Description>
@@ -64,6 +64,14 @@
             <Label>Enable SSH</Label>
             <Description>Automatically start SSH daemon</Description>
         </Property>
+        <Property ovf:key="guestinfo.endpoint_username" ovf:type="string" ovf:userConfigurable="true" ovf:value="admin">
+            <Label>Endpoint Username</Label>
+            <Description>Username to login to VEBA endpoints (e.g. /bootstrap, /events, /top, etc.)</Description>
+        </Property>
+        <Property ovf:key="guestinfo.endpoint_password" ovf:password="true" ovf:type="string" ovf:userConfigurable="true" ovf:value="">
+            <Label>Endpoint Password</Label>
+            <Description>Password to login to VEBA endpoints (e.g. /bootstrap, /events, /top, etc.). Please use a secure password</Description>
+        </Property>
      <Category>vSphere</Category>
         <Property ovf:key="guestinfo.vcenter_server" ovf:type="string" ovf:userConfigurable="true" ovf:value="">
             <Label>vCenter Server</Label>

scripts/photon-settings.sh

@@ -32,7 +32,8 @@ tdnf install -y \
   tar \
   jq \
   parted \
-  apparmor-parser
+  apparmor-parser \
+  httpd
 
 echo '> Adding K8s Repo'
 curl -L https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg -o /etc/pki/rpm-gpg/GOOGLE-RPM-GPG-KEY

test/deploy_veba_knative_processor.sh

@@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local"
 VEBA_NTP="pool.ntp.org"
 VEBA_OS_PASSWORD="VMware1!"
 VEBA_ENABLE_SSH="True"
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
 VEBA_NETWORK="VM Network"
 VEBA_DATASTORE="sm-vsanDatastore"
 VEBA_DEBUG="True"
@@ -71,6 +73,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
     --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
     --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
     --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+    --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+    --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
     --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
     --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
     --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \

test/deploy_veba_knative_processor_veba_ui.sh

@@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local"
 VEBA_NTP="pool.ntp.org"
 VEBA_OS_PASSWORD='VMware1!'
 VEBA_ENABLE_SSH="True"
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
 VEBA_NETWORK="VM Network"
 VEBA_DATASTORE="sm-vsanDatastore"
 VEBA_DEBUG="True"
@@ -73,6 +75,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
     --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
     --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
     --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+    --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+    --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
     --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
     --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
     --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \

test/deploy_veba_knative_processor_veba_ui_webhook.sh

@@ -31,6 +31,8 @@ VEBA_DNS="192.168.30.2"
 VEBA_DNS_DOMAIN="primp-industries.local"
 VEBA_NTP="pool.ntp.org"
 VEBA_OS_PASSWORD='VMware1!'
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
 VEBA_ENABLE_SSH="True"
 VEBA_NETWORK="VM Network"
 VEBA_DATASTORE="sm-vsanDatastore"
@@ -77,6 +79,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
     --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
     --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
     --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+    --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+    --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
     --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
     --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
     --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \

test/deploy_veba_knative_processor_veba_ui_webhook_horizon.sh

@@ -32,6 +32,8 @@ VEBA_DNS_DOMAIN="primp-industries.local"
 VEBA_NTP="pool.ntp.org"
 VEBA_OS_PASSWORD='VMware1!'
 VEBA_ENABLE_SSH="True"
+VEBA_ENDPOINT_USERNAME="admin"
+VEBA_ENDPOINT_PASSWORD="VMware1!"
 VEBA_NETWORK="VM Network"
 VEBA_DATASTORE="sm-vsanDatastore"
 VEBA_DEBUG="True"
@@ -82,6 +84,8 @@ VEBA_TANZU_SOURCES_DEBUG="False"
     --prop:guestinfo.no_proxy=${VEBA_NOPROXY} \
     --prop:guestinfo.root_password=${VEBA_OS_PASSWORD} \
     --prop:guestinfo.enable_ssh=${VEBA_ENABLE_SSH} \
+    --prop:guestinfo.endpoint_username=${VEBA_ENDPOINT_USERNAME} \
+    --prop:guestinfo.endpoint_password=${VEBA_ENDPOINT_PASSWORD} \
     --prop:guestinfo.vcenter_server=${VEBA_VCENTER_SERVER} \
     --prop:guestinfo.vcenter_username=${VEBA_VCENTER_USERNAME} \
     --prop:guestinfo.vcenter_password=${VEBA_VCENTER_PASSWORD} \

veba-bom.json

@@ -254,6 +254,13 @@
             }
         ]
     },
+    "contour-authserver": {
+        "gitRepoTag": "v2",
+        "containers": [{
+            "name": "docker.io/projectcontour/contour-authserver",
+            "version": "v2"
+        }]
+    },
     "tinywww": {
         "gitRepoTag": "master",
         "containers": [{