Merge pull request #17 from mesosphere/multitenancy
Backporting Multi-tenancy feature to mesosphere
Alex Palesandro authored Oct 24, 2023
2 parents 62ff2b0 + bb26ad9 commit 2e9e4af
Showing 19 changed files with 1,102 additions and 23 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -6,3 +6,4 @@ vendor
_build
html/static/downloads
.envrc
cover.out
3 changes: 2 additions & 1 deletion .tool-versions
@@ -1,2 +1,3 @@
golang 1.13.15
# golang 1.13.15
golang 1.19.3
github-cli 2.10.1
3 changes: 2 additions & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM alpine:3.12.9
FROM alpine:3.18.3
# Dex connectors, such as GitHub and Google logins require root certificates.
# Proper installations should manage those certificates, but it's a bad user
# experience when this doesn't work out of the box.
Expand All @@ -10,6 +10,7 @@ RUN mkdir -p /app/bin
COPY ./bin/linux/amd64/dex-k8s-authenticator /app/bin/dex-k8s-authenticator
COPY html /app/html
COPY templates /app/templates
COPY templates /app/original-templates

# Add any required certs/key by mounting a volume on /certs - Entrypoint will copy them and run update-ca-certificates at startup
RUN mkdir -p /certs
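Review bot: The added `COPY templates /app/original-templates` duplicates the line above it with no explanation of why a second copy is needed; if the multi-tenancy code mutates /app/templates at runtime and this copy is the pristine source, a comment above it should say so, e.g. `# Untouched copy of the templates; the multi-tenancy code path is expected to derive per-tenant variants from these rather than from /app/templates` (I cannot see the consumer, so confirm the wording). Separately, the base image is now pinned by tag only (`FROM alpine:3.18.3`); pinning by digest (`FROM alpine:3.18.3@sha256:<digest>`) makes the build reproducible and immune to a re-pushed tag, which matters for an image that brokers IdP tokens. The Dockerfile continues beyond the second hunk.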
5 changes: 4 additions & 1 deletion charts/dex-k8s-authenticator/templates/configmap.yaml
Expand Up @@ -23,10 +23,13 @@ data:
{{- if .idpCaPem }}
idp_ca_pem: {{ toYaml .idpCaPem | indent 4 }}
{{- end }}
{{- if and .tlsCert .tlsKey }}
{{- if and .tlsCert .tlsKey }}
tls_cert: "{{ .tlsCert }}"
tls_key: "{{ .tlsKey }}"
{{- end }}
{{- if .enableMultiTenancy }}
enable_multi_tenancy: true
{{- end }}
clusters:
{{ toYaml .clusters | indent 4 }}
{{- end }}
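Review bot: The new `enable_multi_tenancy: true` is emitted independently of `rbac.enabled`, yet the only in-cluster permissions this commit adds (read on kommanderclusters and workspaces) are gated on `rbac.enabled`; if the tenancy code path needs those reads, a release with `enableMultiTenancy: true` and `rbac.enabled: false` will only fail at runtime. A template-time guard next to the new block makes the coupling explicit, e.g. `{{- if and .enableMultiTenancy (not $.Values.rbac.enabled) }}{{ fail "dexK8sAuthenticator.enableMultiTenancy requires rbac.enabled=true" }}{{- end }}` (uses `$` because this block appears to sit inside a `with` scope, whose start is outside the hunk; drop the guard if the code works without the service account). The `{{- end }}` closing that scope is the hunk's last line.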
3 changes: 3 additions & 0 deletions charts/dex-k8s-authenticator/templates/deployment.yaml
Expand Up @@ -64,6 +64,9 @@ spec:
nodeSelector:
{{ toYaml . | indent 6 }}
{{- end }}
{{- if .Values.rbac.enabled }}
serviceAccountName: {{ template "dex-k8s-authenticator.name" . }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
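Review bot: With `rbac.enabled: false` the pod keeps using the namespace's `default` service account and still gets its token automounted, although nothing in this commit suggests the binary uses the API server in that mode; a least-privilege default is to mount the token only when the dedicated account is in use, e.g. `automountServiceAccountToken: {{ .Values.rbac.enabled }}` next to the new `serviceAccountName` line (confirm that no other code path in the container relies on the token). Also worth a one-line comment in the template that flipping `rbac.enabled` on an existing release changes the pod spec and therefore triggers a rollout. The pod spec continues outside the hunk.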
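--- /dev/null
+++ b/charts/dex-k8s-authenticator/templates/rbac.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.rbac.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ template "dex-k8s-authenticator.name" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ template "dex-k8s-authenticator.name" . }}-cr
+rules:
+- apiGroups: ["kommander.mesosphere.io"]
+resources: ["kommanderclusters"]
+verbs: ["get", "watch", "list"]
+- apiGroups: ["workspaces.kommander.mesosphere.io"]
+resources: ["workspaces"]
+verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ template "dex-k8s-authenticator.name" . }}
+subjects:
+- kind: ServiceAccount
+name: {{ template "dex-k8s-authenticator.name" . }}
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: ClusterRole
+name: {{ template "dex-k8s-authenticator.name" . }}-cr
+apiGroup: rbac.authorization.k8s.io
+{{- end }}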
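Review bot: The ClusterRole and ClusterRoleBinding are cluster-scoped but named from the chart name (`{{ template "dex-k8s-authenticator.name" . }}` and `...-cr`) rather than a release-qualified name, so a second release of this chart in another namespace with `rbac.enabled: true` will collide on these objects and either fail to install or take over the first release's binding. Use a fullname helper if the chart defines one (its `_helpers.tpl` is not in this diff), or otherwise qualify the names, e.g. `name: {{ template "dex-k8s-authenticator.name" . }}-{{ .Release.Namespace }}` on both the ClusterRole and the ClusterRoleBinding plus the `roleRef.name`. The ServiceAccount should also carry an explicit `namespace: {{ .Release.Namespace }}` so that it unambiguously matches the binding's subject, and all three objects are missing the chart's standard labels. Finally, a comment in the file stating why cluster-wide read on every workspace is required (rather than namespaced Roles) would document the privilege grant for reviewers.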
3 changes: 3 additions & 0 deletions charts/dex-k8s-authenticator/values.yaml
Expand Up @@ -18,6 +18,7 @@ dexK8sAuthenticator:
#logoUrl: http://<path-to-your-logo.png>
#tlsCert: /path/to/dex-client.crt
#tlsKey: /path/to/dex-client.key
enableMultiTenancy: false
clusters:
- name: my-cluster
short_description: "My Cluster"
Expand Down Expand Up @@ -87,6 +88,8 @@ caCerts:
# filename: ca2.crt
# value: DS1tFA1......X2F

rbac:
enabled: false

nodeSelector: {}

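Review bot: The two new keys `enableMultiTenancy: false` and `rbac.enabled: false` are the only ones in this values file without an explanatory comment, while the neighbouring keys all carry one. Suggested text above `enableMultiTenancy`: `# Forward a tenant id from the login request to the IdP and render tenant-specific templates; when true, rbac.enabled should normally be true as well so the pod can read Kommander clusters and workspaces` (the second clause is inferred from the ClusterRole added in this commit — confirm it). Suggested text above `rbac:`: `# Create a dedicated ServiceAccount with cluster-wide read access to kommanderclusters and workspaces and run the pod under it`.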
13 changes: 11 additions & 2 deletions dex-auth.go
Expand Up @@ -15,6 +15,8 @@ import (
"github.com/spf13/cast"
"github.com/spf13/viper"
"golang.org/x/oauth2"

"github.com/mesosphere/dex-k8s-authenticator/pkg/tenancy"
)

const (
Expand Down Expand Up @@ -104,7 +106,14 @@ func (cluster *Cluster) handleLogin(w http.ResponseWriter, r *http.Request) {
}

log.Printf("Handling login-uri for: %s", cluster.Name)
authCodeURL := cluster.oauth2Config(scopes).AuthCodeURL(exampleAppState, oauth2.AccessTypeOffline)
opts := []oauth2.AuthCodeOption{
oauth2.AccessTypeOffline,
}
if tenantId := r.URL.Query().Get(tenancy.TenantIdQueryParamName); tenantId != "" {
opts = append(opts, tenancy.OauthAddTenantId(tenancy.TenantId(tenantId)))
}

authCodeURL := cluster.oauth2Config(scopes).AuthCodeURL(exampleAppState, opts...)

// Record the name of cluster
http.SetCookie(w, &http.Cookie{
Expand Down Expand Up @@ -179,7 +188,7 @@ func (cluster *Cluster) handleCallback(w http.ResponseWriter, r *http.Request) {
rawIDToken, ok := token.Extra("id_token").(string)
if !ok {
cluster.renderHTMLError(w, userErrorMsg, http.StatusInternalServerError)
log.Printf("handleCallback: no id_token in response: %q", token)
log.Printf("handleCallback: no id_token in response: %v", token)
return
}

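Review bot: The rewritten log line `log.Printf("handleCallback: no id_token in response: %v", token)` formats the whole `*oauth2.Token`, which writes the access token and refresh token the IdP just issued into the application log; the commit only swapped `%q` for `%v` and kept the leak. Log only non-secret fields, e.g. `log.Printf("handleCallback: no id_token in response (token_type=%q, expiry=%v)", token.TokenType, token.Expiry)`. In the first hunk, `tenantId` is taken straight from the query string and forwarded to the IdP authorize URL via `tenancy.OauthAddTenantId`; since I cannot see that helper, please confirm it validates the value's format and that the callback re-derives the tenant from the IdP response rather than trusting this client-supplied parameter, and note that the state passed to `AuthCodeURL` is still the constant `exampleAppState`, so the flow has no per-request CSRF binding. Both `handleLogin` and `handleCallback` start and end outside their hunks.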
7 changes: 6 additions & 1 deletion go.mod
Expand Up @@ -4,9 +4,14 @@ go 1.13

require (
github.com/coreos/go-oidc v2.2.1+incompatible
github.com/gorilla/mux v1.8.0
github.com/mesosphere/konvoy-async-auth v0.1.3
github.com/spf13/cast v1.5.0
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.11.0
golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401
github.com/stretchr/testify v1.8.4
golang.org/x/oauth2 v0.8.0
k8s.io/apimachinery v0.28.1
k8s.io/client-go v0.28.1
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
)
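Review bot: The context line keeps `go 1.13` while the new requirements add `k8s.io/client-go v0.28.1` and `k8s.io/apimachinery v0.28.1`, whose own go.mod files declare a newer minimum (I believe `go 1.20`), and `.tool-versions` in this same commit moves the toolchain to 1.19.3; the three disagree, and with a Go 1.21+ toolchain a go directive below a dependency's will be flagged when tidying. Set the directive to the version the dependencies actually require and align `.tool-versions` with it, e.g. `go 1.20`. Check that `github.com/stretchr/testify` belongs in the main require block only if tests import it directly, otherwise `go mod tidy` will mark it `// indirect`. The require block continues past the hunk.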