

feat(auth): add config option to deploy oauth2_proxy instead of openshift-oauth-proxy (#803)
andrewazores authored May 3, 2024
1 parent d455719 commit b9b0365
Showing 12 changed files with 579 additions and 39 deletions.
23 changes: 22 additions & 1 deletion api/v1beta2/cryostat_types.go
Expand Up @@ -15,6 +15,7 @@
package v1beta2

import (
authzv1 "k8s.io/api/authorization/v1"
corev1 "k8s.io/api/core/v1"
netv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -487,12 +488,32 @@ type TemplateConfigMap struct {

// Authorization options provide additional configurations for the auth proxy.
type AuthorizationOptions struct {
// Reference to a secret and file name containing the Basic authentication htpasswd file
// Configuration for OpenShift RBAC to define which OpenShift user accounts may access the Cryostat application.
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="OpenShift SSO"
OpenShiftSSO *OpenShiftSSOConfig `json:"openShiftSSO,omitempty"`
// Reference to a secret and file name containing the Basic authentication htpasswd file. If deploying on OpenShift this
// defines additional user accounts that can access the Cryostat application, on top of the OpenShift user accounts which
// pass the OpenShift SSO Roles checks. If not on OpenShift then this defines the only user accounts that have access.
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
BasicAuth *SecretFile `json:"basicAuth,omitempty"`
}

type OpenShiftSSOConfig struct {
// Disable OpenShift SSO integration and allow all users to access the application without authentication. This
// will also bypass the BasicAuth, if specified.
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Disable OpenShift SSO",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
Disable *bool `json:"disable,omitempty"`
// The SubjectAccessReview or TokenAccessReview that all clients (users visiting the application via web browser as well
// as CLI utilities and other programs presenting Bearer auth tokens) must pass in order to access the application.
// If not specified, the default role required is "create pods/exec" in the Cryostat application's installation namespace.
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
AccessReview *authzv1.ResourceAttributes `json:"accessReview,omitempty"`
}

type SecretFile struct {
// Name of the secret to reference.
// +optional
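Review bot: `Disable` on OpenShiftSSOConfig switches off authentication for the whole application and, per its own comment, also bypasses `BasicAuth`, yet nothing in this type makes that state visible beyond the CR spec; consider having the reconciler set a status condition or emit a warning event when `Disable` is true so an unauthenticated deployment is observable outside the spec. The exported `OpenShiftSSOConfig` type also lacks the Go doc comment its sibling types carry; a one-liner such as `// OpenShiftSSOConfig holds the OpenShift SSO settings referenced by AuthorizationOptions.OpenShiftSSO.` above `type OpenShiftSSOConfig struct` would satisfy the convention. The reconciler logic that applies `Disable` and the default `AccessReview` is outside this hunk, so the documented "create pods/exec" default cannot be verified here.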
31 changes: 31 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go


25 changes: 23 additions & 2 deletions bundle/manifests/cryostat-operator.clusterserviceversion.yaml
Expand Up @@ -53,7 +53,7 @@ metadata:
capabilities: Seamless Upgrades
categories: Monitoring, Developer Tools
containerImage: quay.io/cryostat/cryostat-operator:3.0.0-dev
createdAt: "2024-04-26T21:51:07Z"
createdAt: "2024-05-03T13:22:52Z"
description: JVM monitoring and profiling tool
operatorframework.io/initialization-resource: |-
{
Expand Down Expand Up @@ -559,7 +559,10 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- description: Reference to a secret and file name containing the Basic authentication
htpasswd file
htpasswd file. If deploying on OpenShift this defines additional user accounts
that can access the Cryostat application, on top of the OpenShift user accounts
which pass the OpenShift SSO Roles checks. If not on OpenShift then this
defines the only user accounts that have access.
displayName: Basic Auth
path: authorizationOptions.basicAuth
x-descriptors:
Expand All @@ -574,6 +577,24 @@ spec:
path: authorizationOptions.basicAuth.secretName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: Configuration for OpenShift RBAC to define which OpenShift user
accounts may access the Cryostat application.
displayName: OpenShift SSO
path: authorizationOptions.openShiftSSO
- description: The SubjectAccessReview or TokenAccessReview that all clients
(users visiting the application via web browser as well as CLI utilities
and other programs presenting Bearer auth tokens) must pass in order to
access the application. If not specified, the default role required is "create
pods/exec" in the Cryostat application's installation namespace.
displayName: Access Review
path: authorizationOptions.openShiftSSO.accessReview
- description: Disable OpenShift SSO integration and allow all users to access
the application without authentication. This will also bypass the BasicAuth,
if specified.
displayName: Disable OpenShift SSO
path: authorizationOptions.openShiftSSO.disable
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: List of Flight Recorder Event Templates to preconfigure in Cryostat.
displayName: Event Templates
path: eventTemplates
60 changes: 59 additions & 1 deletion bundle/manifests/operator.cryostat.io_cryostats.yaml
Expand Up @@ -5156,7 +5156,11 @@ spec:
properties:
basicAuth:
description: Reference to a secret and file name containing the
Basic authentication htpasswd file
Basic authentication htpasswd file. If deploying on OpenShift
this defines additional user accounts that can access the Cryostat
application, on top of the OpenShift user accounts which pass
the OpenShift SSO Roles checks. If not on OpenShift then this
defines the only user accounts that have access.
properties:
filename:
description: Name of the file within the secret.
Expand All @@ -5165,6 +5169,60 @@ spec:
description: Name of the secret to reference.
type: string
type: object
openShiftSSO:
description: Configuration for OpenShift RBAC to define which
OpenShift user accounts may access the Cryostat application.
properties:
accessReview:
description: The SubjectAccessReview or TokenAccessReview
that all clients (users visiting the application via web
browser as well as CLI utilities and other programs presenting
Bearer auth tokens) must pass in order to access the application.
If not specified, the default role required is "create pods/exec"
in the Cryostat application's installation namespace.
properties:
group:
description: Group is the API Group of the Resource. "*"
means all.
type: string
name:
description: Name is the name of the resource being requested
for a "get" or deleted for a "delete". "" (empty) means
all.
type: string
namespace:
description: Namespace is the namespace of the action
being requested. Currently, there is no distinction
between no namespace and all namespaces "" (empty) is
defaulted for LocalSubjectAccessReviews "" (empty) is
empty for cluster-scoped resources "" (empty) means
"all" for namespace scoped resources from a SubjectAccessReview
or SelfSubjectAccessReview
type: string
resource:
description: Resource is one of the existing resource
types. "*" means all.
type: string
subresource:
description: Subresource is one of the existing resource
types. "" means none.
type: string
verb:
description: 'Verb is a kubernetes resource API verb,
like: get, list, watch, create, update, delete, proxy. "*"
means all.'
type: string
version:
description: Version is the API Version of the Resource. "*"
means all.
type: string
type: object
disable:
description: Disable OpenShift SSO integration and allow all
users to access the application without authentication.
This will also bypass the BasicAuth, if specified.
type: boolean
type: object
type: object
enableCertManager:
description: Use cert-manager to secure in-cluster communication between
60 changes: 59 additions & 1 deletion config/crd/bases/operator.cryostat.io_cryostats.yaml
Expand Up @@ -5146,7 +5146,11 @@ spec:
properties:
basicAuth:
description: Reference to a secret and file name containing the
Basic authentication htpasswd file
Basic authentication htpasswd file. If deploying on OpenShift
this defines additional user accounts that can access the Cryostat
application, on top of the OpenShift user accounts which pass
the OpenShift SSO Roles checks. If not on OpenShift then this
defines the only user accounts that have access.
properties:
filename:
description: Name of the file within the secret.
Expand All @@ -5155,6 +5159,60 @@ spec:
description: Name of the secret to reference.
type: string
type: object
openShiftSSO:
description: Configuration for OpenShift RBAC to define which
OpenShift user accounts may access the Cryostat application.
properties:
accessReview:
description: The SubjectAccessReview or TokenAccessReview
that all clients (users visiting the application via web
browser as well as CLI utilities and other programs presenting
Bearer auth tokens) must pass in order to access the application.
If not specified, the default role required is "create pods/exec"
in the Cryostat application's installation namespace.
properties:
group:
description: Group is the API Group of the Resource. "*"
means all.
type: string
name:
description: Name is the name of the resource being requested
for a "get" or deleted for a "delete". "" (empty) means
all.
type: string
namespace:
description: Namespace is the namespace of the action
being requested. Currently, there is no distinction
between no namespace and all namespaces "" (empty) is
defaulted for LocalSubjectAccessReviews "" (empty) is
empty for cluster-scoped resources "" (empty) means
"all" for namespace scoped resources from a SubjectAccessReview
or SelfSubjectAccessReview
type: string
resource:
description: Resource is one of the existing resource
types. "*" means all.
type: string
subresource:
description: Subresource is one of the existing resource
types. "" means none.
type: string
verb:
description: 'Verb is a kubernetes resource API verb,
like: get, list, watch, create, update, delete, proxy. "*"
means all.'
type: string
version:
description: Version is the API Version of the Resource. "*"
means all.
type: string
type: object
disable:
description: Disable OpenShift SSO integration and allow all
users to access the application without authentication.
This will also bypass the BasicAuth, if specified.
type: boolean
type: object
type: object
enableCertManager:
description: Use cert-manager to secure in-cluster communication between
Expand Up @@ -104,7 +104,10 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- description: Reference to a secret and file name containing the Basic authentication
htpasswd file
htpasswd file. If deploying on OpenShift this defines additional user accounts
that can access the Cryostat application, on top of the OpenShift user accounts
which pass the OpenShift SSO Roles checks. If not on OpenShift then this
defines the only user accounts that have access.
displayName: Basic Auth
path: authorizationOptions.basicAuth
x-descriptors:
Expand All @@ -119,6 +122,24 @@ spec:
path: authorizationOptions.basicAuth.secretName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: Configuration for OpenShift RBAC to define which OpenShift user
accounts may access the Cryostat application.
displayName: OpenShift SSO
path: authorizationOptions.openShiftSSO
- description: The SubjectAccessReview or TokenAccessReview that all clients
(users visiting the application via web browser as well as CLI utilities
and other programs presenting Bearer auth tokens) must pass in order to
access the application. If not specified, the default role required is "create
pods/exec" in the Cryostat application's installation namespace.
displayName: Access Review
path: authorizationOptions.openShiftSSO.accessReview
- description: Disable OpenShift SSO integration and allow all users to access
the application without authentication. This will also bypass the BasicAuth,
if specified.
displayName: Disable OpenShift SSO
path: authorizationOptions.openShiftSSO.disable
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: List of Flight Recorder Event Templates to preconfigure in Cryostat.
displayName: Event Templates
path: eventTemplates