support grpc auth.
Signed-off-by: morvencao <[email protected]>
morvencao committed Aug 27, 2024
1 parent 87773f1 commit 2917152
Showing 16 changed files with 641 additions and 94 deletions.
29 changes: 29 additions & 0 deletions cmd/maestro/environments/framework.go
Expand Up @@ -8,10 +8,14 @@ import (
"github.com/getsentry/sentry-go"
"github.com/golang/glog"
"github.com/openshift-online/maestro/pkg/client/cloudevents"
"github.com/openshift-online/maestro/pkg/client/grpcauthorizer"
"github.com/openshift-online/maestro/pkg/client/ocm"
"github.com/openshift-online/maestro/pkg/config"
"github.com/openshift-online/maestro/pkg/errors"
"github.com/spf13/pflag"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"

"open-cluster-management.io/sdk-go/pkg/cloudevents/generic"
)
Expand Down Expand Up @@ -196,6 +200,31 @@ func (e *Env) LoadClients() error {
}
}

// Create GRPC authorizer based on configuration
if e.Config.GRPCServer.EnableGRPCServer {
if e.Config.GRPCServer.EnableGRPCAuthZMock {
glog.Infof("Using Mock GRPC Authorizer")
e.Clients.GRPCAuthorizer = grpcauthorizer.NewMockGRPCAuthorizer()
} else {
kubeConfig, err := clientcmd.BuildConfigFromFlags("", e.Config.GRPCServer.GRPCAuthrizerConfig)
if err != nil {
glog.Warningf("Unable to create kube client config: %s", err.Error())
// fallback to in-cluster config
kubeConfig, err = rest.InClusterConfig()
if err != nil {
glog.Errorf("Unable to create kube client config: %s", err.Error())
return err
}
}
kubeClient, err := kubernetes.NewForConfig(kubeConfig)
if err != nil {
glog.Errorf("Unable to create kube client: %s", err.Error())
return err
}
e.Clients.GRPCAuthorizer = grpcauthorizer.NewKubeGRPCAuthorizer(kubeClient)
}
}

return nil
}

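Review bot: The `if err != nil` branch after `clientcmd.BuildConfigFromFlags` in the second framework.go hunk turns a bad `GRPCAuthrizerConfig` path into a warning and then builds the authorizer from `rest.InClusterConfig()` instead, so a mistyped path means gRPC authorization is silently evaluated against whichever cluster the process happens to run in rather than the one that was configured. As far as I recall, `BuildConfigFromFlags` already falls back to the in-cluster config by itself when both arguments are empty, so this explicit fallback is only ever reached for a non-empty path, which is precisely the case that should be fatal. Both failure paths also log the identical text `Unable to create kube client config`, so the two cases cannot be told apart in logs. `LoadClients` begins outside the hunk, and the misspelt field name `GRPCAuthrizerConfig` is defined elsewhere in this commit.
```go
} else {
	kubeConfig, err := clientcmd.BuildConfigFromFlags("", e.Config.GRPCServer.GRPCAuthrizerConfig)
	if err != nil {
		// An explicitly configured path that does not load is a misconfiguration,
		// not a cue to authorize against the local cluster instead.
		if e.Config.GRPCServer.GRPCAuthrizerConfig != "" {
			glog.Errorf("Unable to load gRPC authorizer kube config %q: %s", e.Config.GRPCServer.GRPCAuthrizerConfig, err.Error())
			return err
		}
		glog.Warningf("Unable to create kube client config: %s", err.Error())
		// fallback to in-cluster config
		kubeConfig, err = rest.InClusterConfig()
		if err != nil {
			glog.Errorf("Unable to create in-cluster kube client config: %s", err.Error())
			return err
		}
	}
	// … unchanged: kubernetes.NewForConfig and NewKubeGRPCAuthorizer …
```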
2 changes: 2 additions & 0 deletions cmd/maestro/environments/types.go
Expand Up @@ -5,6 +5,7 @@ import (

"github.com/openshift-online/maestro/pkg/auth"
"github.com/openshift-online/maestro/pkg/client/cloudevents"
"github.com/openshift-online/maestro/pkg/client/grpcauthorizer"
"github.com/openshift-online/maestro/pkg/client/ocm"
"github.com/openshift-online/maestro/pkg/config"
"github.com/openshift-online/maestro/pkg/db"
Expand Down Expand Up @@ -57,6 +58,7 @@ type Services struct {

type Clients struct {
OCM *ocm.Client
GRPCAuthorizer grpcauthorizer.GRPCAuthorizer
CloudEventsSource cloudevents.SourceClient
}

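Review bot: The new `GRPCAuthorizer` field on `Clients` carries no comment, and nothing in types.go says when it is populated; from `LoadClients` in framework.go it is left nil unless `EnableGRPCServer` is set, which a reader of this struct cannot see. I would add `// GRPCAuthorizer is only set when the gRPC server is enabled; nil otherwise.` above the field so callers know to expect a nil value in the HTTP-only configuration.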
2 changes: 1 addition & 1 deletion cmd/maestro/server/api_server.go
Expand Up @@ -126,7 +126,7 @@ func NewAPIServer(eventBroadcaster *event.EventBroadcaster) Server {

// TODO: support authn and authz for gRPC
if env().Config.GRPCServer.EnableGRPCServer {
s.grpcServer = NewGRPCServer(env().Services.Resources(), eventBroadcaster, *env().Config.GRPCServer)
s.grpcServer = NewGRPCServer(env().Services.Resources(), eventBroadcaster, *env().Config.GRPCServer, env().Clients.GRPCAuthorizer)
}
return s
}
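Review bot: The `// TODO: support authn and authz for gRPC` comment directly above the changed call is now stale, since this commit threads `env().Clients.GRPCAuthorizer` into `NewGRPCServer`. Update it to state what is still outstanding, `// TODO: support authn for gRPC` if authentication is not yet wired in, or remove it if both are covered by the other files in this commit, which are not visible here. `NewAPIServer` begins outside the hunk.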
27 changes: 4 additions & 23 deletions cmd/maestro/server/grpc_broker.go
Expand Up @@ -14,7 +14,6 @@ import (
"github.com/golang/glog"
"github.com/google/uuid"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/keepalive"
"google.golang.org/protobuf/types/known/emptypb"
"k8s.io/klog/v2"
Expand Down Expand Up @@ -74,26 +73,7 @@ func NewGRPCBroker(eventBroadcaster *event.EventBroadcaster) EventServer {
MaxConnectionAge: config.MaxConnectionAge,
}))

if config.EnableTLS {
// Check tls cert and key path path
if config.TLSCertFile == "" || config.TLSKeyFile == "" {
check(
fmt.Errorf("unspecified required --grpc-tls-cert-file, --grpc-tls-key-file"),
"Can't start gRPC broker",
)
}

// Serve with TLS
creds, err := credentials.NewServerTLSFromFile(config.TLSCertFile, config.TLSKeyFile)
if err != nil {
glog.Fatalf("Failed to generate credentials %v", err)
}
grpcServerOptions = append(grpcServerOptions, grpc.Creds(creds))
glog.Infof("Serving gRPC broker with TLS at %s", config.BrokerBindPort)
} else {
glog.Infof("Serving gRPC broker without TLS at %s", config.BrokerBindPort)
}

glog.Infof("Serving gRPC broker without TLS at %s", config.BrokerBindPort)
sessionFactory := env().Database.SessionFactory
return &GRPCBroker{
grpcServer: grpc.NewServer(grpcServerOptions...),
Expand All @@ -109,14 +89,15 @@ func NewGRPCBroker(eventBroadcaster *event.EventBroadcaster) EventServer {

// Start starts the gRPC broker
func (bkr *GRPCBroker) Start(ctx context.Context) {
glog.Info("Starting gRPC broker")
lis, err := net.Listen("tcp", bkr.bindAddress)
if err != nil {
glog.Fatalf("failed to listen: %v", err)
check(fmt.Errorf("failed to listen: %v", err), "Can't start gRPC broker")
}
pbv1.RegisterCloudEventServiceServer(bkr.grpcServer, bkr)
go func() {
if err := bkr.grpcServer.Serve(lis); err != nil {
glog.Fatalf("failed to start gRPC broker: %v", err)
check(fmt.Errorf("failed to serve gRPC broker: %v", err), "Can't start gRPC broker")
}
}()

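Review bot: After the second grpc_broker.go hunk the broker logs `Serving gRPC broker without TLS` and serves plaintext unconditionally, yet the removed branch shows the broker config carrying `EnableTLS`, `TLSCertFile` and `TLSKeyFile`; if those fields survive elsewhere in this commit, an operator who sets `--grpc-tls-cert-file` for the broker now gets an unencrypted listener with no error. Either drop the fields from the broker config or reject them up front, e.g. `if config.EnableTLS { check(fmt.Errorf("TLS is not supported by the gRPC broker"), "Can't start gRPC broker") }`. In the `Start` hunk below, the `check` inside the `Serve` goroutine only stops the process if `check` itself exits, which cannot be confirmed from here. `NewGRPCBroker` begins outside the hunk.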
