From a15acd67ca97831354c816c76ac5a55682b1da2e Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Tue, 29 Oct 2024 14:40:52 -0400 Subject: [PATCH 01/15] reports log level config --- charts/cryostat/templates/reports_deployment.yaml | 2 ++ charts/cryostat/values.yaml | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index 81507d0..d6ba140 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -42,6 +42,8 @@ spec: env: - name: QUARKUS_HTTP_PORT value: "{{ .Values.reports.service.httpPort }}" + - name: QUARKUS_LOG_LEVEL + value: {{ .Values.reports.debug.log.level }} ports: - containerPort: {{ .Values.reports.service.httpPort }} protocol: TCP diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 4b35637..15b239a 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -101,6 +101,10 @@ reports: type: ClusterIP ## @param reports.service.httpPort Port number to expose on the Service for the Report Generator Deployment httpPort: 10001 + debug: + log: + ## @param reports.debug.log.level Log level for troubleshooting and debugging + level: INFO ## @param reports.replicas Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. replicas: 0 resources: From bc28eb181d0bf7dde191d123b889905bdb2464db Mon Sep 17 00:00:00 2001 
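Review bot: The new `QUARKUS_LOG_LEVEL` entry renders `.Values.reports.debug.log.level` as a bare scalar, while the `QUARKUS_HTTP_PORT` value directly above it is quoted. A level such as `OFF` is a YAML 1.1 boolean, so the rendered manifest would carry a boolean where the API server requires a string value and the Deployment would be rejected. Quote it the same way as its neighbour: `value: {{ .Values.reports.debug.log.level | quote }}`.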
From: Andrew Azores Date: Wed, 30 Oct 2024 09:47:56 -0400 Subject: [PATCH 02/15] generate basic auth credentials for reports proxy --- charts/cryostat/templates/_helpers.tpl | 18 ++++++++ .../templates/_reports_oauth2Proxy.tpl | 41 +++++++++++++++++++ .../templates/cryostat_deployment.yaml | 8 +++- .../templates/reports_alpha_config.yaml | 27 ++++++++++++ .../templates/reports_deployment.yaml | 21 ++++++++++ charts/cryostat/templates/reports_secret.yaml | 13 ++++++ .../cryostat/templates/reports_service.yaml | 1 + charts/cryostat/values.yaml | 2 + 8 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 charts/cryostat/templates/_reports_oauth2Proxy.tpl create mode 100644 charts/cryostat/templates/reports_alpha_config.yaml create mode 100644 charts/cryostat/templates/reports_secret.yaml diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index c68af86..89398e7 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -115,6 +115,24 @@ Get or generate a default secret key for object storage. {{- end -}} {{- end -}} +{{/* +Get or generate a default secret password key for report generators. +*/}} +{{- define "cryostat.reportsPassSecretKey" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-reports-secret" .Release.Name)) -}} +{{- if $secret -}} +{{/* + Use current secret. Do not regenerate. +*/}} +{{- $secret.data.REPORTS_PASS -}} +{{- else -}} +{{/* + Generate new secret +*/}} +{{- (randAlphaNum 32) -}} +{{- end -}} +{{- end -}} + {{/* Get or generate a default secret key for auth proxy cookies. */}} diff --git a/charts/cryostat/templates/_reports_oauth2Proxy.tpl b/charts/cryostat/templates/_reports_oauth2Proxy.tpl new file mode 100644 index 0000000..1699b7c --- /dev/null +++ b/charts/cryostat/templates/_reports_oauth2Proxy.tpl 
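Review bot: `cryostat.reportsPassSecretKey` returns `$secret.data.REPORTS_PASS`, which is the base64-encoded Secret data, on the lookup path but a plaintext `randAlphaNum 32` on the generate path, so the two branches do not return the same kind of value. Its consumer in `reports_secret.yaml` (later in this patch) pipes the result through `b64enc` and `htpasswd`, so every `helm upgrade` re-encodes the stored value and re-hashes the encoded string — the credential changes on each upgrade, which is exactly what the `reportsSecretName` documentation in this patch says must not happen. Decode in the reuse branch: `{{- $secret.data.REPORTS_PASS | b64dec -}}`. Note also that `lookup` returns nothing under `helm template` or `--dry-run`, so the do-not-regenerate branch only protects real installs and upgrades; presumably the neighbouring cookie-secret helper has the same limitation.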
@@ -0,0 +1,41 @@ +{{/* +Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml +*/}} +{{- define "cryostat.reportsOauth2Proxy" -}} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + args: + - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/htpasswd + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health(/liveness)?$" + ports: + - containerPort: 4180 + name: http + protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} + volumeMounts: + - name: reports-alpha-config + mountPath: /etc/oauth2_proxy/alpha_config + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true +{{- end}} diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index e9a9fd6..301e601 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml 
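Review bot: The sidecar is named `{{ printf "%s-reports-%s" .Chart.Name "authproxy" }}` here, whereas the OpenShift variant added later in this series (`_reports_openshiftOauthProxy.tpl`) names its container `{{ printf "%s-%s" .Chart.Name "authproxy" }}`, so the auth-proxy container in the reports Pod carries a different name depending on the authentication mode. That makes `kubectl logs -c`, chart tests and any monitoring that keys on the container name mode-dependent for no functional reason. Pick one form for both templates; `-reports-authproxy` is the more descriptive since it also distinguishes this container from the proxy in the main Cryostat Pod.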
@@ -63,8 +63,14 @@ spec: - name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT value: no-file {{- if gt (int (.Values.reports).replicas) 0 }} + - name: REPORTS_PASS_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }} + key: REPORTS_PASS + optional: false - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "http://%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + value: {{ printf "http://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_alpha_config.yaml b/charts/cryostat/templates/reports_alpha_config.yaml new file mode 100644 index 0000000..4950ab8 --- /dev/null +++ b/charts/cryostat/templates/reports_alpha_config.yaml @@ -0,0 +1,27 @@ +{{/* + Alpha Configuration is not used with OpenShift OAuth Proxy +*/}} +{{- if not (.Values.authentication.openshift).enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-reports-alpha-config + labels: + {{- include "cryostat.labels" . | nindent 4 }} +data: + alpha_config.yaml: |- + server: + BindAddress: http://0.0.0.0:4180 + upstreamConfig: + proxyRawPath: true + upstreams: + - id: reports + path: / + uri: http://localhost:10001 + providers: + - id: dummy + name: Unused - Sign In Below + clientId: CLIENT_ID + clientSecret: CLIENT_SECRET + provider: google +{{- end }} diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index d6ba140..ba26683 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml 
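Review bot: `QUARKUS_REST_CLIENT_REPORTS_URL` now embeds the credential in the URL userinfo via `$(REPORTS_PASS_SECRET_KEY)`, so the password is only safe there if it contains no URL-reserved characters. The chart-generated value comes from `randAlphaNum 32` and is fine, but a user-supplied Secret selected through `reportsSecretName` can contain `@`, `:`, `/` or `#` and would yield an unparsable URL or a wrong host; either percent-encode the value or state in the `reportsSecretName` documentation that `REPORTS_PASS` must be URL-safe. A credential carried in a URL also tends to be printed wherever the client logs its target, so a dedicated password property on the REST client, if Cryostat exposes one, would be preferable — I cannot confirm from this page whether it does.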
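Review bot: The upstream `uri: http://localhost:10001` in `alpha_config.yaml` hard-codes the port, while the reports container listens on `QUARKUS_HTTP_PORT` taken from `.Values.reports.service.httpPort` (see `reports_deployment.yaml` in the first patch); a user who overrides `httpPort` gets a proxy that forwards to a closed port. The block scalar is still Helm-templated, so `uri: http://localhost:{{ .Values.reports.service.httpPort }}` fixes it. The same hard-coded `--upstream=http://localhost:10001/` appears in `_reports_openshiftOauthProxy.tpl` later in this series and needs the same treatment.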
@@ -34,6 +34,11 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: + {{- if (.Values.authentication.openshift).enabled }} + {{- include "cryostat.reportsOpenshiftOauthProxy" . | nindent 8 }} + {{- else }} + {{- include "cryostat.reportsOauth2Proxy" . | nindent 8 }} + {{- end }} - name: {{ printf "%s-%s" .Chart.Name "reports" }} securityContext: {{- toYaml (.Values.reports).securityContext | nindent 12 }} @@ -44,6 +49,12 @@ spec: value: "{{ .Values.reports.service.httpPort }}" - name: QUARKUS_LOG_LEVEL value: {{ .Values.reports.debug.log.level }} + - name: PASS_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }} + key: REPORTS_PASS + optional: false ports: - containerPort: {{ .Values.reports.service.httpPort }} protocol: TCP @@ -73,4 +84,14 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + {{- if not (.Values.authentication.openshift).enabled }} + - name: reports-alpha-config + configMap: + name: {{ .Release.Name }}-reports-alpha-config + {{- end }} + - name: {{ .Release.Name }}-reports-secret + secret: + defaultMode: 0440 + secretName: {{ .Release.Name }}-reports-secret {{- end -}} diff --git a/charts/cryostat/templates/reports_secret.yaml b/charts/cryostat/templates/reports_secret.yaml new file mode 100644 index 0000000..988de13 --- /dev/null +++ b/charts/cryostat/templates/reports_secret.yaml @@ -0,0 +1,13 @@ +{{- if empty .Values.reports.reportsSecretName -}} +{{- $secretKey := include "cryostat.reportsPassSecretKey" . -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-reports-secret + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +data: + REPORTS_PASS: {{ $secretKey | b64enc }} + htpasswd: {{ htpasswd "cryostat" $secretKey | b64enc }} +{{- end -}} 
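Review bot: In the new `volumes:` section, `secretName: {{ .Release.Name }}-reports-secret` ignores `.Values.reports.reportsSecretName`, whereas the `PASS_SECRET_KEY` env entry two hunks earlier resolves `default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName`. Because `reports_secret.yaml` is only rendered when `reportsSecretName` is empty, a user who supplies their own Secret gets a Pod whose volume references a Secret that does not exist, and it never leaves ContainerCreating. Use the same expression for the volume: `secretName: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }}`.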
diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index 4235827..edfbcbc 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml @@ -12,6 +12,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} + targetPort: 4180 selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} app.kubernetes.io/component: reports diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 15b239a..bb5a91f 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -101,6 +101,8 @@ reports: type: ClusterIP ## @param reports.service.httpPort Port number to expose on the Service for the Report Generator Deployment httpPort: 10001 + ## @param reports.reportsSecretName Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable + reportsSecretName: "" debug: log: ## @param reports.debug.log.level Log level for troubleshooting and debugging From 1375620c956ea9ff99cc9b7311e3b3cc8de8dd50 Mon Sep 17 00:00:00 2001 
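Review bot: The `reportsSecretName` documentation says the Secret must contain `REPORTS_PASS`, but the chart-generated Secret in `reports_secret.yaml` also carries an `htpasswd` key, which the proxy sidecar mounts at `/etc/oauth2_proxy/basicauth/htpasswd` and relies on for basic auth. A user-supplied Secret without that key renders a proxy that rejects every request from Cryostat. Add to the `@param` text: `The secret must also contain an htpasswd key holding an htpasswd entry for user "cryostat" with the same password.` The README table and `values.schema.json` copies of this text added later in the series should be kept in sync.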
From: Andrew Azores Date: Wed, 30 Oct 2024 14:59:33 -0400 Subject: [PATCH 03/15] pass an oauth token through cryostat down to reports proxy --- charts/cryostat/README.md | 27 +++++----- charts/cryostat/templates/_helpers.tpl | 2 +- .../templates/_openshiftOauthProxy.tpl | 8 +-- .../_reports_openshiftOauthProxy.tpl | 49 +++++++++++++++++++ .../templates/cryostat_deployment.yaml | 5 ++ .../templates/reports_deployment.yaml | 5 ++ charts/cryostat/values.schema.json | 35 +++++++++++++ charts/cryostat/values.yaml | 4 ++ 8 files changed, 119 insertions(+), 16 deletions(-) create mode 100644 charts/cryostat/templates/_reports_openshiftOauthProxy.tpl diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 25768c1..7f7e756 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -87,18 +87,20 @@ helm install cryostat ./charts/cryostat ### Report Generator Deployment -| Name | Description | Value | -| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `reports` | Configuration for the Reports Generator deployment | | -| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | -| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | -| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | -| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | -| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | -| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | -| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | -| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | -| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `reports` | Configuration for the Reports Generator deployment | | +| `reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` | +| `reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` | +| `reports.image.tag` | Tag for the Report Generator image | `4.0.0-snapshot` | +| `reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` | +| `reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` | +| `reports.reportsSecretName` | Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. 
More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `reports.debug.log.level` | Log level for troubleshooting and debugging | `INFO` | +| `reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own. | `0` | +| `reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment. | `500m` | +| `reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment. | `512Mi` | +| `reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Database Container 
@@ -185,6 +187,7 @@ helm install cryostat ./charts/cryostat | `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | | `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | | `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | +| `openshiftOauthProxy.debug.log.enabled` | Log requests to stdout | `true` | | `openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container. | `25m` | | `openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container. | `64Mi` | | `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 89398e7..814ba2e 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -147,7 +147,7 @@ Get or generate a default secret key for auth proxy cookies. {{/* Generate new secret */}} -{{- (randAlphaNum 32) | b64enc | quote -}} +{{- (randAlphaNum 32) | b64enc -}} {{- end -}} {{- end -}} diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 576d1d9..e16d025 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl 
@@ -15,12 +15,14 @@ Create OpenShift OAuth Proxy container. optional: false args: - --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }} - - --pass-access-token=false - - --pass-user-bearer-token=false + # FIXME the access token that gets passed through to Cryostat and down to the reports proxy is a user token that has insufficient permissions to pass the second proxy's RBAC check + - --pass-access-token=true + - --pass-user-bearer-token=true - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ - - --cookie-secret="$(COOKIE_SECRET)" + - --cookie-secret=$(COOKIE_SECRET) + - --request-logging={{ .Values.openshiftOauthProxy.debug.log.enabled }} - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true - --http-address=0.0.0.0:4180 diff --git a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl b/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl new file mode 100644 index 0000000..d16177e --- /dev/null +++ b/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl 
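Review bot: Flipping `--pass-access-token` and `--pass-user-bearer-token` to `true` forwards the logged-in user's OpenShift token to every configured `--upstream`, i.e. to Grafana at `localhost:3000` as well as to Cryostat, while the FIXME on the line above already records that the token does not satisfy the reports proxy's RBAC check. That widens where a user credential travels without achieving the goal; each additional upstream process is one more place the token can be logged or leaked. Keep both flags at `false` as the chart had them until a working service-to-service credential is in place, and remove the FIXME with them.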
@@ -0,0 +1,49 @@ +{{/* +Create OpenShift OAuth Proxy container. +*/}} +{{- define "cryostat.reportsOpenshiftOauthProxy" -}} +- name: {{ printf "%s-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }} + image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}" + env: + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + args: + - --pass-access-token=false + - --pass-user-bearer-token=false + - --pass-basic-auth=false + - --upstream=http://localhost:10001/ + - --cookie-secret=$(COOKIE_SECRET) + - --request-logging={{ .Values.openshiftOauthProxy.debug.log.enabled }} + - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} + - --proxy-websockets=true + - --http-address=0.0.0.0:4180 + - --https-address=:8443 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --proxy-prefix=/oauth2 + {{- if .Values.openshiftOauthProxy.accessReview.enabled }} + - --openshift-delegate-urls={"/":{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}} + {{- end }} + - --bypass-auth-for=^/health(/liveness)?$ + imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }} + ports: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.openshiftOauthProxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-proxy-tls + mountPath: /etc/tls/private + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File +{{- end}} diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 301e601..a035901 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml 
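Review bot: The new reports proxy serves TLS from `{{ .Release.Name }}-proxy-tls`, the same Secret mounted by the proxy in the main Cryostat Pod. That Secret's origin is outside this series, but if it is the service-serving certificate issued for the main Cryostat Service, its SAN covers that Service's name and not `<release>-reports.<namespace>.svc`, so no client can verify this listener — which is presumably why a later commit in the series resorts to `QUARKUS_TLS_TRUST_ALL`. Give the reports Service its own serving certificate — annotate it with `service.beta.openshift.io/serving-cert-secret-name: {{ .Release.Name }}-reports-proxy-tls` and mount that Secret here — so Cryostat can verify it against the cluster service CA instead of disabling verification.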
+++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -63,6 +63,7 @@ spec: - name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT value: no-file {{- if gt (int (.Values.reports).replicas) 0 }} + {{- if .Values.authentication.basicAuth.enabled }} - name: REPORTS_PASS_SECRET_KEY valueFrom: secretKeyRef: @@ -71,6 +72,10 @@ spec: optional: false - name: QUARKUS_REST_CLIENT_REPORTS_URL value: {{ printf "http://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + {{- else }} + - name: QUARKUS_REST_CLIENT_REPORTS_URL + value: {{ printf "http://%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + {{- end }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index ba26683..c571220 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -94,4 +94,9 @@ spec: secret: defaultMode: 0440 secretName: {{ .Release.Name }}-reports-secret + {{- if (.Values.authentication.openshift).enabled }} + - name: {{ .Release.Name }}-proxy-tls + secret: + secretName: {{ .Release.Name }}-proxy-tls + {{- end }} {{- end -}} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 0521c88..675dee2 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
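Review bot: The Cryostat container now attaches the basic-auth credential only `{{- if .Values.authentication.basicAuth.enabled }}`, but the reports Pod selects its sidecar on `(.Values.authentication.openshift).enabled`, and the oauth2-proxy sidecar always sets `OAUTH2_PROXY_HTPASSWD_FILE`, so the two conditions can disagree. With both values false, Cryostat sends the unauthenticated `http://...-reports:10001` URL to an htpasswd-protected proxy and every report request is rejected. Drive both sides from the same condition; since the credential costs nothing to send, dropping the new `if`/`else` and keeping the credentialed URL in every mode is the simpler fix.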
@@ -299,6 +299,11 @@ } } }, + "reportsSecretName": { + "type": "string", + "description": "Name of the secret containing the report generator access keys. This secret must contain a REPORTS_PASS secret which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and report generators will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable", + "default": "" + }, "securityContext": { "type": "object", "properties": { @@ -324,6 +329,21 @@ } } }, + "debug": { + "type": "object", + "properties": { + "log": { + "type": "object", + "properties": { + "level": { + "type": "string", + "description": "Log level for troubleshooting and debugging", + "default": "INFO" + } + } + } + } + }, "replicas": { "type": "number", "description": "Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generations on its own.", @@ -859,6 +879,21 @@ } } }, + "debug": { + "type": "object", + "properties": { + "log": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Log requests to stdout", + "default": true + } + } + } + } + }, "resources": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index bb5a91f..a44262b 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -298,6 +298,10 @@ openshiftOauthProxy: pullPolicy: Always ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image tag: "cryostat-v3.0" + debug: + log: + ## @param openshiftOauthProxy.debug.log.enabled Log requests to stdout + enabled: true resources: requests: ## @param openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container. From d51d848ad54c5b225b898e1a3a8e601e5607884c Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 30 Oct 2024 15:01:18 -0400 Subject: [PATCH 04/15] add FIXME note --- charts/cryostat/templates/_openshiftOauthProxy.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index e16d025..9160cd8 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl @@ -21,6 +21,7 @@ Create OpenShift OAuth Proxy container. - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ + # FIXME websocket proxying is broken? - --cookie-secret=$(COOKIE_SECRET) - --request-logging={{ .Values.openshiftOauthProxy.debug.log.enabled }} - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} From 90d47ce78c7c46e32c64e8f53e211753c3fe7e64 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Wed, 30 Oct 2024 15:30:11 -0400 Subject: [PATCH 05/15] request logging breaks websocket proxying --- charts/cryostat/README.md | 1 - .../cryostat/templates/_openshiftOauthProxy.tpl | 2 -- .../templates/_reports_openshiftOauthProxy.tpl | 2 +- charts/cryostat/values.schema.json | 15 --------------- charts/cryostat/values.yaml | 4 ---- 5 files changed, 1 insertion(+), 23 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 7f7e756..45f45eb 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -187,7 +187,6 @@ helm install cryostat ./charts/cryostat | `openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` | | `openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` | | `openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` | -| `openshiftOauthProxy.debug.log.enabled` | Log requests to stdout | `true` | | `openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container. | `25m` | | `openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container. | `64Mi` | | `openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token. | `true` | diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 9160cd8..3bf7320 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl @@ -21,9 +21,7 @@ Create OpenShift OAuth Proxy container. - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ - # FIXME websocket proxying is broken? - --cookie-secret=$(COOKIE_SECRET) - - --request-logging={{ .Values.openshiftOauthProxy.debug.log.enabled }} - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true - --http-address=0.0.0.0:4180 diff --git a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl b/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl index d16177e..736ac5a 100644 --- a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl 
+++ b/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl @@ -19,7 +19,7 @@ Create OpenShift OAuth Proxy container. - --pass-basic-auth=false - --upstream=http://localhost:10001/ - --cookie-secret=$(COOKIE_SECRET) - - --request-logging={{ .Values.openshiftOauthProxy.debug.log.enabled }} + - --request-logging=true - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true - --http-address=0.0.0.0:4180 diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 675dee2..88c3baf 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -879,21 +879,6 @@ } } }, - "debug": { - "type": "object", - "properties": { - "log": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Log requests to stdout", - "default": true - } - } - } - } - }, "resources": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index a44262b..bb5a91f 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -298,10 +298,6 @@ openshiftOauthProxy: pullPolicy: Always ## @param openshiftOauthProxy.image.tag Tag for the OpenShift OAuth Proxy container image tag: "cryostat-v3.0" - debug: - log: - ## @param openshiftOauthProxy.debug.log.enabled Log requests to stdout - enabled: true resources: requests: ## @param openshiftOauthProxy.resources.requests.cpu CPU resource request for the OpenShift OAuth Proxy container. From 61afd17cca76b1532887b1bb331f12bcc909db09 Mon Sep 17 00:00:00 2001 
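Review bot: `--request-logging=true` is now hard-coded in the reports proxy with no comment, in the same commit whose message says request logging breaks websocket proxying and which removes the flag from the main proxy. This container still passes `--proxy-websockets=true`, so a reader cannot tell whether the breakage is considered irrelevant here or simply untested. Add a line above it such as `# request logging stays on here: the reports upstream is not expected to carry websocket traffic — confirm`, or default it to `false` if that is not established.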
From: Andrew Azores Date: Thu, 31 Oct 2024 11:01:00 -0400 Subject: [PATCH 06/15] openshift-oauth-proxy for reports uses basic auth --- charts/cryostat/templates/_openshiftOauthProxy.tpl | 5 ++--- charts/cryostat/templates/_reports_openshiftOauthProxy.tpl | 7 ++++--- charts/cryostat/templates/cryostat_deployment.yaml | 5 ----- charts/cryostat/templates/reports_service.yaml | 1 + 4 files changed, 7 insertions(+), 11 deletions(-) diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 3bf7320..a4d703d 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl @@ -15,9 +15,8 @@ Create OpenShift OAuth Proxy container. optional: false args: - --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }} - # FIXME the access token that gets passed through to Cryostat and down to the reports proxy is a user token that has insufficient permissions to pass the second proxy's RBAC check - - --pass-access-token=true - - --pass-user-bearer-token=true + - --pass-access-token=false + - --pass-user-bearer-token=false - --pass-basic-auth=false - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ diff --git a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl b/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl index 736ac5a..4546c01 100644 --- a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl @@ -17,6 +17,7 @@ Create OpenShift OAuth Proxy container. - --pass-access-token=false - --pass-user-bearer-token=false - --pass-basic-auth=false + - --htpasswd-file=/etc/oauth2_proxy/basicauth/htpasswd - --upstream=http://localhost:10001/ - --cookie-secret=$(COOKIE_SECRET) - --request-logging=true 
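Review bot: With `--htpasswd-file=/etc/oauth2_proxy/basicauth/htpasswd` added here and the `--openshift-delegate-urls` block removed in this file's next hunk, the reports proxy no longer performs any SubjectAccessReview: besides the htpasswd user, any caller presenting a valid OpenShift token is let through, and `openshiftOauthProxy.accessReview.enabled` silently stops applying to this sidecar. The reports Service is ClusterIP, so the exposure is cluster-internal, but the README still describes `accessReview.enabled` as the switch for that check. Either keep the delegate-URL check if it is compatible with the htpasswd login, or document in `values.yaml` that the reports proxy authenticates the `cryostat` htpasswd user only and does not apply the access review.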
@@ -27,9 +28,6 @@ Create OpenShift OAuth Proxy container. - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --proxy-prefix=/oauth2 - {{- if .Values.openshiftOauthProxy.accessReview.enabled }} - - --openshift-delegate-urls={"/":{{ tpl ( omit .Values.openshiftOauthProxy.accessReview "enabled" | toJson ) . }}} - {{- end }} - --bypass-auth-for=^/health(/liveness)?$ imagePullPolicy: {{ .Values.openshiftOauthProxy.image.pullPolicy }} ports: @@ -44,6 +42,9 @@ Create OpenShift OAuth Proxy container. volumeMounts: - name: {{ .Release.Name }}-proxy-tls mountPath: /etc/tls/private + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File {{- end}} diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index a035901..301e601 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -63,7 +63,6 @@ spec: - name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT value: no-file {{- if gt (int (.Values.reports).replicas) 0 }} - {{- if .Values.authentication.basicAuth.enabled }} - name: REPORTS_PASS_SECRET_KEY valueFrom: secretKeyRef: @@ -72,10 +71,6 @@ spec: optional: false - name: QUARKUS_REST_CLIENT_REPORTS_URL value: {{ printf "http://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} - {{- else }} - - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "http://%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} - {{- end }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index edfbcbc..2865793 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml 
@@ -12,6 +12,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} + # TODO this should be https/8443 targetPort: 4180 selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} From 4c5bd8e8217abe12f533387565881ce410b4add3 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 31 Oct 2024 11:21:44 -0400 Subject: [PATCH 07/15] use openshift-oauth-proxy TLS, with trust-all --- charts/cryostat/templates/cryostat_deployment.yaml | 7 ++++++- charts/cryostat/templates/reports_service.yaml | 3 +-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 301e601..cb0fbca 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -69,8 +69,13 @@ spec: name: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }} key: REPORTS_PASS optional: false + # TODO TLS trust + - name: QUARKUS_TLS_TRUST_ALL + value: "true" + - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST + value: "false" - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "http://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports:%d" $fullName (int .Values.reports.service.httpPort) }} + value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index 2865793..aad32e5 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml 
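Review bot: `QUARKUS_TLS_TRUST_ALL=true` disables certificate verification for every TLS client in the Cryostat container, not only the reports client, and with the basic-auth credential carried in the URL on the following line an in-path attacker inside the cluster could impersonate the reports Service and capture it; the `# TODO TLS trust` comment acknowledges this but a scoped fix is available. The proxy's certificate comes from the OpenShift serving-cert mount at `/etc/tls/private`, so the service CA can be injected into a ConfigMap annotated `service.beta.openshift.io/inject-cabundle: "true"`, mounted into the Cryostat container and referenced from the Quarkus TLS trust-store settings (e.g. `quarkus.tls.trust-store.pem.certs`) instead of trusting everything; the new `%s-reports.%s.svc` host form already matches the serving cert's SAN, so hostname verification could then stay on. Separately, `QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST` targets the `extensions-api` REST client config key while the URL uses the `reports` key; unless the client is registered under `extensions-api` that setting is inert, and by analogy with `QUARKUS_REST_CLIENT_REPORTS_URL` the matching name would be `QUARKUS_REST_CLIENT_REPORTS_VERIFY_HOST` — confirm against the Cryostat source. The env list continues outside the hunk.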
@@ -12,8 +12,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} - # TODO this should be https/8443 - targetPort: 4180 + targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }} selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} app.kubernetes.io/component: reports From 01e3ac7a9f073268296fec72568478dac0a3986a Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 31 Oct 2024 11:39:41 -0400 Subject: [PATCH 08/15] update test --- .../cryostat/tests/cryostat_deployment_test.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index 6439606..1a5da82 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml @@ -196,7 +196,19 @@ tests: asserts: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value - value: http://RELEASE-NAME-cryostat-reports:10001 + value: http://cryostat:$(REPORTS_PASS_SECRET_KEY)@RELEASE-NAME-cryostat-reports.NAMESPACE.svc:10001 + + - it: should set environment variable if sidecar report generator is enabled in OpenShift with HTTPS + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_REST_CLIENT_REPORTS_URL')].value + value: https://cryostat:$(REPORTS_PASS_SECRET_KEY)@RELEASE-NAME-cryostat-reports.NAMESPACE.svc:10001 - it: should set oauth2proxy resource overrides set: From 7164ff4328d616561d517dff1e959bff3e623c57 Mon Sep 17 00:00:00 2001 
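Review bot: On the non-OpenShift branch the ternary resolves `targetPort` to the sidecar's plain-HTTP port, so the basic-auth credential Cryostat sends in `QUARKUS_REST_CLIENT_REPORTS_URL` crosses the pod network unencrypted; the `# TODO this should be https/8443` comment that recorded this gap was removed here rather than resolved for that path. Keep a note on the new line so the limitation stays visible, e.g. `# non-OpenShift: oauth2-proxy serves plain HTTP, so the REPORTS_PASS credential is sent in the clear inside the cluster`, or terminate TLS in the oauth2-proxy as well. The ternary also couples this Service to the sidecar's port names `http`/`https`; the reports deployment tests added later in this series pin those names, which is good, but a comment here stating the dependency would help the next editor.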
From: Andrew Azores Date: Thu, 31 Oct 2024 11:53:54 -0400 Subject: [PATCH 09/15] inline proxies into single helper template --- ...tOauthProxy.tpl => _reports_authproxy.tpl} | 44 +++++++++++++++++-- .../templates/_reports_oauth2Proxy.tpl | 41 ----------------- .../templates/reports_deployment.yaml | 6 +-- 3 files changed, 41 insertions(+), 50 deletions(-) rename charts/cryostat/templates/{_reports_openshiftOauthProxy.tpl => _reports_authproxy.tpl} (52%) delete mode 100644 charts/cryostat/templates/_reports_oauth2Proxy.tpl diff --git a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl similarity index 52% rename from charts/cryostat/templates/_reports_openshiftOauthProxy.tpl rename to charts/cryostat/templates/_reports_authproxy.tpl index 4546c01..1332cbe 100644 --- a/charts/cryostat/templates/_reports_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_reports_authproxy.tpl @@ -1,7 +1,5 @@ -{{/* -Create OpenShift OAuth Proxy container. -*/}} -{{- define "cryostat.reportsOpenshiftOauthProxy" -}} +{{- define "cryostat.reportsAuthProxy" -}} +{{- if (.Values.authentication.openshift).enabled }} - name: {{ printf "%s-%s" .Chart.Name "authproxy" }} securityContext: {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }} 
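Review bot: The rename drops the `Create OpenShift OAuth Proxy container.` header comment, and the new `cryostat.reportsAuthProxy` helper — which now selects between two proxy implementations — is left with no description at all. Restore a header above the define such as `{{/* Create the auth proxy sidecar for the report generator: openshift-oauth-proxy when authentication.openshift.enabled is set, otherwise oauth2-proxy with htpasswd basic auth. */}}`. The define's body continues outside the hunk.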
@@ -47,4 +45,42 @@ Create OpenShift OAuth Proxy container. readOnly: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File +{{- else }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + args: + - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/htpasswd + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health(/liveness)?$" + ports: + - containerPort: 4180 + name: http + protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} + volumeMounts: + - name: reports-alpha-config + mountPath: /etc/oauth2_proxy/alpha_config + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true +{{- end }} {{- end}} diff --git a/charts/cryostat/templates/_reports_oauth2Proxy.tpl b/charts/cryostat/templates/_reports_oauth2Proxy.tpl deleted file mode 100644 index 1699b7c..0000000 --- a/charts/cryostat/templates/_reports_oauth2Proxy.tpl +++ /dev/null 
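Review bot: The oauth2-proxy branch reads `OAUTH2_PROXY_COOKIE_SECRET` from `{{ .Release.Name }}-cookie-secret` / `authentication.cookieSecretName`, which looks like the same Secret the main Cryostat auth proxy uses; if so, a session cookie minted by one proxy decrypts and validates on the other, so a browser session from the main UI could be replayed against the reports Service in-cluster. Giving the reports sidecar its own cookie secret (for example a second key in the reports Secret already mounted at `/etc/oauth2_proxy/basicauth`) keeps the two session domains non-interchangeable; the main proxy's mounts are not visible from this hunk, so confirm before changing. A comment above the `{{- else }}` naming the chosen implementation, e.g. `# oauth2-proxy with htpasswd basic auth, for non-OpenShift clusters`, would also help readers. The define starts outside the hunk.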
@@ -1,41 +0,0 @@ -{{/* -Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml -*/}} -{{- define "cryostat.reportsOauth2Proxy" -}} -- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} - securityContext: - {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} - image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" - args: - - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml" - imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} - env: - - name: OAUTH2_PROXY_REDIRECT_URL - value: "http://localhost:4180/oauth2/callback" - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} - key: COOKIE_SECRET - optional: false - - name: OAUTH2_PROXY_EMAIL_DOMAINS - value: "*" - - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP - value: write - - name: OAUTH2_PROXY_HTPASSWD_FILE - value: /etc/oauth2_proxy/basicauth/htpasswd - - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES - value: "^/health(/liveness)?$" - ports: - - containerPort: 4180 - name: http - protocol: TCP - resources: - {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} - volumeMounts: - - name: reports-alpha-config - mountPath: /etc/oauth2_proxy/alpha_config - - name: {{ .Release.Name }}-reports-secret - mountPath: /etc/oauth2_proxy/basicauth - readOnly: true -{{- end}} diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index c571220..51c822a 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml 
@@ -34,11 +34,7 @@ spec: securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - {{- if (.Values.authentication.openshift).enabled }} - {{- include "cryostat.reportsOpenshiftOauthProxy" . | nindent 8 }} - {{- else }} - {{- include "cryostat.reportsOauth2Proxy" . | nindent 8 }} - {{- end }} + {{- include "cryostat.reportsAuthProxy" . | nindent 8 }} - name: {{ printf "%s-%s" .Chart.Name "reports" }} securityContext: {{- toYaml (.Values.reports).securityContext | nindent 12 }} From 3739b9aad365dc7311eddea5cac9b105855e21d3 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 31 Oct 2024 12:04:34 -0400 Subject: [PATCH 10/15] remove unnecessary alpha config for simple case without path encoding bug --- .../cryostat/templates/_reports_authproxy.tpl | 14 +++++++--- .../templates/reports_alpha_config.yaml | 27 ------------------- .../templates/reports_deployment.yaml | 5 ---- 3 files changed, 10 insertions(+), 36 deletions(-) delete mode 100644 charts/cryostat/templates/reports_alpha_config.yaml diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl index 1332cbe..7746df3 100644 --- a/charts/cryostat/templates/_reports_authproxy.tpl +++ b/charts/cryostat/templates/_reports_authproxy.tpl @@ -50,10 +50,16 @@ securityContext: {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" - args: - - "--alpha-config=/etc/oauth2_proxy/alpha_config/alpha_config.yaml" imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} env: + - name: OAUTH2_PROXY_CLIENT_ID + value: dummy + - name: OAUTH2_PROXY_CLIENT_SECRET + value: none + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: 0.0.0.0:4180 + - name: OAUTH2_PROXY_UPSTREAMS + value: http://localhost:10001/ - name: OAUTH2_PROXY_REDIRECT_URL value: "http://localhost:4180/oauth2/callback" - name: OAUTH2_PROXY_COOKIE_SECRET 
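Review bot: `OAUTH2_PROXY_UPSTREAMS=http://localhost:10001/` in the second hunk on this line only makes the proxy the sole entry point if the report generator itself listens on loopback; the reports container is given only `QUARKUS_HTTP_PORT`, and Quarkus binds `0.0.0.0` by default in production mode, so port 10001 on the pod IP is presumably reachable from anywhere in the cluster with no credentials, bypassing both proxy variants. Setting `QUARKUS_HTTP_HOST=localhost` on the reports container in reports_deployment.yaml, or adding a NetworkPolicy that admits only the proxy port, closes that; check that any probe on the reports container still reaches it afterwards. The placeholder provider credentials also deserve a comment, e.g. `# provider credentials are placeholders: only htpasswd basic auth is used, the OAuth2 login flow is never exercised`. The env list continues outside the hunk.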
@@ -70,6 +76,8 @@ value: /etc/oauth2_proxy/basicauth/htpasswd - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES value: "^/health(/liveness)?$" + - name: OAUTH2_PROXY_PROXY_WEBSOCKETS + value: "false" ports: - containerPort: 4180 name: http @@ -77,8 +85,6 @@ resources: {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} volumeMounts: - - name: reports-alpha-config - mountPath: /etc/oauth2_proxy/alpha_config - name: {{ .Release.Name }}-reports-secret mountPath: /etc/oauth2_proxy/basicauth readOnly: true diff --git a/charts/cryostat/templates/reports_alpha_config.yaml b/charts/cryostat/templates/reports_alpha_config.yaml deleted file mode 100644 index 4950ab8..0000000 --- a/charts/cryostat/templates/reports_alpha_config.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{/* - Alpha Configuration is not used with OpenShift OAuth Proxy -*/}} -{{- if not (.Values.authentication.openshift).enabled -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-reports-alpha-config - labels: - {{- include "cryostat.labels" . | nindent 4 }} -data: - alpha_config.yaml: |- - server: - BindAddress: http://0.0.0.0:4180 - upstreamConfig: - proxyRawPath: true - upstreams: - - id: reports - path: / - uri: http://localhost:10001 - providers: - - id: dummy - name: Unused - Sign In Below - clientId: CLIENT_ID - clientSecret: CLIENT_SECRET - provider: google -{{- end }} diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index 51c822a..6d296a4 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -81,11 +81,6 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if not (.Values.authentication.openshift).enabled }} - - name: reports-alpha-config - configMap: - name: {{ .Release.Name }}-reports-alpha-config - {{- end }} - name: {{ .Release.Name }}-reports-secret secret: defaultMode: 0440 From f0d4ef315eb31e188fb634c01ca68a09686e727c Mon Sep 17 00:00:00 2001 
From: Andrew Azores
Date: Thu, 31 Oct 2024 12:06:03 -0400
Subject: [PATCH 11/15] remove unused env var referencing secret
---
 charts/cryostat/templates/reports_deployment.yaml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml
index 6d296a4..05c846d 100644
--- a/charts/cryostat/templates/reports_deployment.yaml
+++ b/charts/cryostat/templates/reports_deployment.yaml
@@ -45,12 +45,6 @@ spec:
 value: "{{ .Values.reports.service.httpPort }}"
 - name: QUARKUS_LOG_LEVEL
 value: {{ .Values.reports.debug.log.level }}
- - name: PASS_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: {{ default (printf "%s-reports-secret" .Release.Name) .Values.reports.reportsSecretName }}
- key: REPORTS_PASS
- optional: false
 ports:
 - containerPort: {{ .Values.reports.service.httpPort }}
 protocol: TCP
From 38ba7351c5334a74cf96c22468b19df9775620ae Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Thu, 31 Oct 2024 12:08:50 -0400
Subject: [PATCH 12/15] correct container name
---
 charts/cryostat/templates/_reports_authproxy.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl
index 7746df3..0040288 100644
--- a/charts/cryostat/templates/_reports_authproxy.tpl
+++ b/charts/cryostat/templates/_reports_authproxy.tpl
@@ -1,6 +1,6 @@
 {{- define "cryostat.reportsAuthProxy" -}}
 {{- if (.Values.authentication.openshift).enabled }}
-- name: {{ printf "%s-%s" .Chart.Name "authproxy" }}
+- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }}
 securityContext:
 {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }}
 image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}"
From d447f068e5221a9b2f98ebfa0c75fa16fe1ec215 Mon Sep 17 00:00:00 2001
From: Andrew Azores Date: Thu, 31 Oct 2024 12:14:35 -0400 Subject: [PATCH 13/15] cleanup --- charts/cryostat/templates/reports_service.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index aad32e5..5ebb9be 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml @@ -1,6 +1,5 @@ -{{- $fullName := include "cryostat.fullname" . -}} ---- {{- if gt (int (.Values.reports).replicas) 0 -}} +{{- $fullName := include "cryostat.fullname" . -}} apiVersion: v1 kind: Service metadata: From f31658ae29c20b4711977a974a918763e00ec25a Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 31 Oct 2024 12:18:56 -0400 Subject: [PATCH 14/15] tests --- .../tests/reports_deployment_test.yaml | 34 +++++++++ .../cryostat/tests/reports_secret_test.yaml | 39 ++++++++++ .../cryostat/tests/reports_service_test.yaml | 76 +++++++++++++++++++ 3 files changed, 149 insertions(+) create mode 100644 charts/cryostat/tests/reports_secret_test.yaml create mode 100644 charts/cryostat/tests/reports_service_test.yaml diff --git a/charts/cryostat/tests/reports_deployment_test.yaml b/charts/cryostat/tests/reports_deployment_test.yaml index d504264..6009512 100644 --- a/charts/cryostat/tests/reports_deployment_test.yaml +++ b/charts/cryostat/tests/reports_deployment_test.yaml @@ -61,6 +61,17 @@ tests: reports: replicas: 1 asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].image + value: "quay.io/oauth2-proxy/oauth2-proxy:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].ports + value: + - containerPort: 4180 + name: http + protocol: TCP - exists: path: spec.template.spec.containers[?(@.name=='cryostat-reports')] - equal: 
@@ -70,6 +81,29 @@ tests: path: spec.template.spec.containers[?(@.name=='cryostat-reports')].env[?(@.name=='QUARKUS_HTTP_PORT')].value value: "10001" + - it: should validate authproxy settings when deployed in OpenShift + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].image + value: "quay.io/cryostat/openshift-oauth-proxy:cryostat-v3.0" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-reports-authproxy')].ports + value: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + - it: should apply Kubernetes specific settings when configured set: reports: diff --git a/charts/cryostat/tests/reports_secret_test.yaml b/charts/cryostat/tests/reports_secret_test.yaml new file mode 100644 index 0000000..df41781 --- /dev/null +++ b/charts/cryostat/tests/reports_secret_test.yaml @@ -0,0 +1,39 @@ +suite: test reports_secret.yaml +templates: + - reports_secret.yaml + +tests: + - it: should create a reports secret if core.reportsSecretName is not set + set: + core.reportsSecretName: "" + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Secret + - equal: + path: metadata.name + value: RELEASE-NAME-reports-secret + - equal: + path: type + value: Opaque + - exists: + path: data.htpasswd + - exists: + path: data.REPORTS_PASS + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev + + - it: should not create a database secret if reports.reportsSecretName is set + set: + reports.reportsSecretName: "custom-reports-secret" + asserts: + - hasDocuments: + count: 0 
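Review bot: The first test in the new reports_secret_test.yaml sets `core.reportsSecretName: ""`, but the template (and the second test in the same file) key the override on `reports.reportsSecretName`, so the `set:` touches an unused value and the test passes only because the default already renders the Secret; change it to `reports.reportsSecretName: ""` and rename the test to match. The second test's description `should not create a database secret if reports.reportsSecretName is set` is a copy-paste leftover and should read `should not create a reports secret …`. Since an empty credential would still satisfy `exists`, consider asserting `isNotEmpty` on `data.REPORTS_PASS` and `data.htpasswd` so a regression in the secret generation is caught.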
diff --git a/charts/cryostat/tests/reports_service_test.yaml b/charts/cryostat/tests/reports_service_test.yaml new file mode 100644 index 0000000..4ba1dc4 --- /dev/null +++ b/charts/cryostat/tests/reports_service_test.yaml @@ -0,0 +1,76 @@ +suite: test reports_service.yaml +templates: + - reports_service.yaml + +tests: + - it: should do nothing if report generators are not desired + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service targeting the Pod http port + set: + reports: + replicas: 1 + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-reports + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 10001 + - equal: + path: spec.ports[0].targetPort + value: http + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: reports + + - it: should create a Service targeting the Pod https port when deployed in OpenShift + set: + reports: + replicas: 1 + authentication: + openshift: + enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat-reports + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 10001 + - equal: + path: spec.ports[0].targetPort + value: https + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: reports From 1c23ddb45afd6f032df9b2b506a2860039f1202c Mon Sep 17 00:00:00 2001 
From: Andrew Azores
Date: Wed, 6 Nov 2024 14:49:31 -0500
Subject: [PATCH 15/15] remove outdated note
---
 charts/cryostat/README.md | 16 ++++++++--------
 charts/cryostat/values.yaml | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 45f45eb..6234921 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -171,14 +171,14 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. 
default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index bb5a91f..79fdd4d 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -279,7 +279,7 @@ oauth2Proxy: cpu: 25m ## @param oauth2Proxy.resources.requests.memory Memory resource request for the OAuth2 Proxy container. memory: 64Mi - ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). + ## @param oauth2Proxy.securityContext [object] Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). securityContext: ## @skip oauth2Proxy.securityContext.allowPrivilegeEscalation allowPrivilegeEscalation: false