Merge pull request #11 from GoogleCloudPlatform/main

pull latest main to release-1.0

overlay/user-auth-overlay.yaml

@@ -0,0 +1,9 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  meshConfig:
+    extensionProviders:
+      - name: "asm-userauth-grpc"
+        envoyExtAuthzGrpc:
+          service: "authservice.asm-user-auth.svc.cluster.local"
+          port: "10003"

pkg/Kptfile

@@ -24,10 +24,38 @@ openAPI:
         setter:
           name: anthos.servicemesh.user-auth.oidc.clientSecret
           value: your-oidc-clientSecret
+    io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name:
+      description: Name of the Kubernetes secret contains OAuth2 client credential for OIDC authentication.
+      x-k8s-cli:
+        setter:
+          name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name
+          value: oauth-secret
+          isSet: true
+    io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace:
+      description: Namespace of the Kubernetes secret contains OAuth2 client credential for OIDC authentication.
+      x-k8s-cli:
+        setter:
+          name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace
+          value: asm-user-auth
+          isSet: true
     io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI:
       description: The OIDC identity provider issuer URI.
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.user-auth.oidc.issuerURI
           value: your-oidc-issuer-uri
           isSet: true
+    io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost:
+      description: The redirect URI host name for OIDC.
+      x-k8s-cli:
+        setter:
+          name: anthos.servicemesh.user-auth.oidc.redirectURIHost
+          value: your-oidc-redirect-uri-host
+          isSet: true
+    io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath:
+      description: The redirect URI path for OIDC.
+      x-k8s-cli:
+        setter:
+          name: anthos.servicemesh.user-auth.oidc.redirectURIPath
+          value: "/_gcp_asm/authenticate"
+          isSet: true

pkg/asm_user_auth_config_v1alpha1.yaml → pkg/asm_user_auth_config_v1beta1.yaml

@@ -15,7 +15,7 @@ spec:
     singular: userauthconfig
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - name: v1beta1
     schema:
       openAPIV3Schema:
         description: UserAuthConfig is the schema for the userauthproxyconfigs API.
@@ -45,14 +45,20 @@ spec:
                         description: CertificateAuthorityData contains PEM-encoded
                           certificate authority certificate for OIDC provider.
                         type: string
-                      # TODO(piyushn): Move clientid / secret to k8s secrets.
-                      clientID:
-                        description: ClientID is an ID for OIDC client application.
-                        type: string
-                      clientSecret:
-                        description: ClientSecret is the shared secret between OIDC
-                          client application and OIDC provider.
-                        type: string
+                      oauthCredentialsSecret:
+                        description: secret references to the Kubernetes Opaque type secret which
+                          contains OAuth2 OIDC client_id and client_secret in JSON payload.
+                        properties:
+                          name:
+                            description: Name of the secret which stores OAuth2 OIDC credentials.
+                            type: string
+                          namespace:
+                            description: Namespace of the secret which stores OAuth2 OIDC credentials.
+                            type: string
+                        required:
+                        - name
+                        - namespace
+                        type: object
                       scopes:
                         description: Comma-separated list of identifiers used to specify what access privileges are being requested in addition to "openid" scope, eg. "groups,allatclaim".
                         type: string
@@ -81,8 +87,7 @@ spec:
                         type: string
                         default: "/_gcp_asm/authenticate"
                     required:
-                    - clientID
-                    - clientSecret
+                    - oauthCredentialsSecret
                     - issuerURI
                     - redirectURIHost
                     - redirectURIPath

pkg/cluster_role_binding.yaml

@@ -9,6 +9,12 @@ rules:
   - userauthconfigs
   - userauthconfigs/status
   verbs: ["get", "update", "patch"]
+- apiGroups: [""]
+  resources:
+  - secrets
+  resourceNames:
+  - "oauth-secret"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"}
+  verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

pkg/configmap.yaml

@@ -6,21 +6,28 @@ metadata:
 data:
   config.yaml: |
     config:
+      info_service:
+        socket_address:
+          addr: "0.0.0.0"
+          port: 9901
       adapter:
         envoy:
           socket_address:
             addr: "0.0.0.0"
             port: 10003
           failure_mode_allow: false
+          enable_plaintext_mode: true
       input_plugin:
         session_cookie:
           aes_symmetric_key:
-            filename: "/etc/charon/certs/session_cookie.key"
+            filename: "/etc/ais/certs/session_cookie.key"
       custom_resource_definition_info:
         api_group: "security.anthos.io"
-        version: "v1alpha1"
+        version: "v1beta1"
         namespace: "asm-user-auth"
         name: "user-auth-config"
         kind_plural_name: "userauthconfigs"
         kind_singular_name: "userauthconfig"
         status_property_name: "userAuthService"
+      webflow:
+        enabled: true

pkg/deployment.yaml

@@ -15,6 +15,9 @@ spec:
   - name: http
     port: 10004
     targetPort: 10004
+  - name: info
+    port: 9901
+    targetPort: 9901
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -35,10 +38,10 @@ spec:
     spec:
       containers:
       - name: authservice
-        image: gcr.io/gke-release/asm/asm_user_auth:hybrid_identity_charon_20210325_RC00  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"}
+        image: gcr.io/gke-release/ais:GA  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"}
         imagePullPolicy: IfNotPresent
         command:
-        - /usr/bin/asm_user_auth
+        - /usr/bin/ais
         - --uid=
         - --gid=
         - --logtostderr
@@ -48,9 +51,17 @@ spec:
           protocol: TCP
         - containerPort: 10004
           protocol: TCP
-        resources: {}
+        - containerPort: 9901
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 2.0
+            memory: 512M
+          requests:
+            cpu: 1.0
+            memory: 256M
         volumeMounts:
-        - mountPath: /etc/charon/certs
+        - mountPath: /etc/ais/certs
           name: key-volume
         - mountPath: /etc/config
           name: config-volume

pkg/gateway.yaml

@@ -35,7 +35,7 @@ spec:
     - uri:
         prefix: /status
     - uri:
-        prefix: /_gcp_anthos_callback
+        prefix: "/_gcp_asm/authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
     name: user-auth-route
     route:
     - destination:

pkg/oauth_secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "oauth-secret"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"}
+  namespace: "asm-user-auth"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"}
+type: Opaque
+data:
+  clientID: "<your client id>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID"}
+  clientSecret: "<your client secret>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret"}

pkg/user_auth_config.yaml

@@ -1,4 +1,4 @@
-apiVersion: security.anthos.io/v1alpha1
+apiVersion: security.anthos.io/v1beta1
 kind: UserAuthConfig
 metadata:
   name: user-auth-config
@@ -7,9 +7,10 @@ spec:
   authentication:
     oidc:
       certificateAuthorityData: ""
-      clientID: "<your client id>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID"}
-      clientSecret: "<your client secret>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret"}
+      oauthCredentialsSecret:
+        name: "oauth-secret"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"}
+        namespace: "asm-user-auth"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"}
       issuerURI: "<your issuer uri>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"}
-      redirectURIHost: "https://localhost:8443"
-      redirectURIPath: "/_gcp_anthos_callback"
+      redirectURIHost: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"}
+      redirectURIPath: "/_gcp_asm/authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
   outputJWTAudience: "test_audience"