From 75dbd1b1fe5bfd6cfb3222d344c62310027dfbb5 Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Mon, 3 May 2021 23:54:36 +0000 Subject: [PATCH 1/8] update pkg with certs path and info service --- pkg/configmap.yaml | 6 +++++- pkg/deployment.yaml | 7 ++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkg/configmap.yaml b/pkg/configmap.yaml index 9ff08e1..1842d19 100644 --- a/pkg/configmap.yaml +++ b/pkg/configmap.yaml @@ -6,6 +6,10 @@ metadata: data: config.yaml: | config: + info_service: + socket_address: + addr: "0.0.0.0" + port: 9901 adapter: envoy: socket_address: @@ -15,7 +19,7 @@ data: input_plugin: session_cookie: aes_symmetric_key: - filename: "/etc/charon/certs/session_cookie.key" + filename: "/etc/ais/certs/session_cookie.key" custom_resource_definition_info: api_group: "security.anthos.io" version: "v1alpha1" diff --git a/pkg/deployment.yaml b/pkg/deployment.yaml index 57f9340..75c439b 100644 --- a/pkg/deployment.yaml +++ b/pkg/deployment.yaml @@ -15,6 +15,9 @@ spec: - name: http port: 10004 targetPort: 10004 + - name: info + port: 9901 + targetPort: 9901 --- apiVersion: apps/v1 kind: Deployment @@ -48,9 +51,11 @@ spec: protocol: TCP - containerPort: 10004 protocol: TCP + - containerPort: 9901 + protocol: TCP resources: {} volumeMounts: - - mountPath: /etc/charon/certs + - mountPath: /etc/ais/certs name: key-volume - mountPath: /etc/config name: config-volume From c782c41a05c7ab87d81506beb943811b4c44efd2 Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Fri, 21 May 2021 16:08:44 +0000 Subject: [PATCH 2/8] add webflow to config map --- pkg/configmap.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/configmap.yaml b/pkg/configmap.yaml index 1842d19..2cd24bc 100644 --- a/pkg/configmap.yaml +++ b/pkg/configmap.yaml @@ -16,6 +16,7 @@ data: addr: "0.0.0.0" port: 10003 failure_mode_allow: false + enable_plaintext_mode: true input_plugin: session_cookie: aes_symmetric_key: 
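Review bot: `info_service` is bound to `addr: "0.0.0.0"` on port 9901, and the same port is then published as the `info` port of the Service and as a `containerPort` in the two deployment.yaml hunks of this patch, so whatever this endpoint serves is reachable from any pod that can resolve the Service. If it is only meant for local diagnostics or a sidecar, binding to `127.0.0.1` and dropping the Service entry is the tighter default; if it is meant to be scraped, a NetworkPolicy or mesh authorization policy limiting callers to the scraper is the usual guard. A comment above the new block naming the consumer would make the exposure deliberate rather than incidental, e.g. `# info_service is published cluster-wide via the "info" Service port; consumer: <scraper>`. The `config.yaml` string value and the enclosing `data:` mapping continue outside the hunk.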
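Review bot: `enable_plaintext_mode: true` is added under the `envoy` adapter listener that the surrounding context lines show bound to `addr: "0.0.0.0"` on port 10003, with no comment on why unencrypted transport is acceptable there. Whether this is safe depends on a sidecar handling mTLS for the pod, which this hunk cannot show; if that is the assumption, it should be stated next to the flag, e.g. `# plaintext only between the sidecar and authservice; transport security is provided by the mesh`, and a sidecar-less deployment would need the flag off. The `adapter.envoy` block continues above the hunk.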
@@ -28,3 +29,5 @@ data: kind_plural_name: "userauthconfigs" kind_singular_name: "userauthconfig" status_property_name: "userAuthService" + webflow: + enabled: true From ee495eece4d30a0759cf04322b2dfb8d86ad1d18 Mon Sep 17 00:00:00 2001 From: Marco Li Date: Thu, 3 Jun 2021 16:06:27 -0400 Subject: [PATCH 3/8] add overlay --- overlay/user-auth-overlay.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 overlay/user-auth-overlay.yaml diff --git a/overlay/user-auth-overlay.yaml b/overlay/user-auth-overlay.yaml new file mode 100644 index 0000000..6ffae92 --- /dev/null +++ b/overlay/user-auth-overlay.yaml @@ -0,0 +1,9 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + extensionProviders: + - name: "asm-userauth-grpc" + envoyExtAuthzGrpc: + service: "authservice.asm-user-auth.svc.cluster.local" + port: "10003" From bdda890245311710cbf6d8cb6f85d651e8a7e988 Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Thu, 3 Jun 2021 20:13:42 +0000 Subject: [PATCH 4/8] add kpt setter for redirect URI host and path --- pkg/Kptfile | 14 ++++++++++++++ pkg/user_auth_config.yaml | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/pkg/Kptfile b/pkg/Kptfile index 0190989..f9d76bd 100644 --- a/pkg/Kptfile +++ b/pkg/Kptfile @@ -31,3 +31,17 @@ openAPI: name: anthos.servicemesh.user-auth.oidc.issuerURI value: your-oidc-issuer-uri isSet: true + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost: + description: The redirect URI host name for OIDC. + x-k8s-cli: + setter: + name: anthos.servicemesh.user-auth.oidc.redirectURIHost + value: your-oidc-redirect-uri-host + isSet: true + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath: + description: The redirect URI path for OIDC. + x-k8s-cli: + setter: + name: anthos.servicemesh.user-auth.oidc.redirectURIPath + value: your-oidc-redirect-uri-path + isSet: true 
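Review bot: `port: "10003"` in the new `envoyExtAuthzGrpc` provider is written as a quoted string, while the Istio `extensionProviders` API declares `port` as an integer; relying on the loader to coerce the string is fragile, and `port: 10003` is the unambiguous form. The provider also sets no explicit `failOpen`, which I read as fail-closed by default and is the right setting for an authentication check; writing `failOpen: false` documents that intent for the next reader. The hard-coded `service:` host couples this overlay to the `asm-user-auth` namespace used elsewhere in the package; if a kpt setter governs that namespace, a setter ref here would keep the two in step.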
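Review bot: The `redirectURIHost` setter description ("The redirect URI host name for OIDC.") does not say whether the scheme and port belong in the value, yet the value this patch replaces in user_auth_config.yaml was `"https://localhost:8443"`, so users are likely to supply either form; spelling out the expected shape, e.g. `description: The redirect URI host for OIDC, including scheme and port, e.g. "https://<host>:<port>".`, avoids a callback URI the identity provider rejects as unregistered. Both new setters also carry `isSet: true` while holding placeholder values (`your-oidc-redirect-uri-host`, `your-oidc-redirect-uri-path`), which makes them look configured in `kpt cfg list-setters`; if this kpt version supports marking a setter as required, that is the better way to force a real value before apply. The `openAPI.definitions` mapping continues above the hunk.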
diff --git a/pkg/user_auth_config.yaml b/pkg/user_auth_config.yaml index 3bac743..94f3195 100644 --- a/pkg/user_auth_config.yaml +++ b/pkg/user_auth_config.yaml @@ -10,6 +10,6 @@ spec: clientID: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID"} clientSecret: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret"} issuerURI: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"} - redirectURIHost: "https://localhost:8443" - redirectURIPath: "/_gcp_anthos_callback" + redirectURIHost: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"} + redirectURIPath: "/_gcp_asm/authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} outputJWTAudience: "test_audience" From 12b1445e7c988e034116dac6f6a4b7e7352366f7 Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Thu, 17 Jun 2021 18:48:33 +0000 Subject: [PATCH 5/8] update to beta version --- pkg/Kptfile | 17 ++++++------ ...yaml => asm_user_auth_config_v1beta1.yaml} | 27 +++++++++++-------- pkg/cluster_role_binding.yaml | 4 +++ pkg/configmap.yaml | 2 +- pkg/user_auth_config.yaml | 7 ++--- 5 files changed, 34 insertions(+), 23 deletions(-) rename pkg/{asm_user_auth_config_v1alpha1.yaml => asm_user_auth_config_v1beta1.yaml} (86%) diff --git a/pkg/Kptfile b/pkg/Kptfile index f9d76bd..99e10bc 100644 --- a/pkg/Kptfile +++ b/pkg/Kptfile 
@@ -11,19 +11,20 @@ openAPI: setter: name: anthos.servicemesh.user-auth.image value: gcr.io/gke-release/asm/asm_user_auth:hybrid_identity_charon_20210325_RC00 - io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID: - description: The OAuth2 client ID for OIDC authentication. + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name: + description: Name of the Kubernetes secret contains OAuth2 client credential for OIDC authentication. x-k8s-cli: setter: - name: anthos.servicemesh.user-auth.oidc.clientID - value: your-oidc-client-id + name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name + value: your-kubernetes-secret-name isSet: true - io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret: - description: The OAuth2 client secret for OIDC authentication. + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace: + description: Namespace of the Kubernetes secret contains OAuth2 client credential for OIDC authentication. x-k8s-cli: setter: - name: anthos.servicemesh.user-auth.oidc.clientSecret - value: your-oidc-clientSecret + name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace + value: your-kubernetes-secret-namespace + isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI: description: The OIDC identity provider issuer URI. x-k8s-cli: diff --git a/pkg/asm_user_auth_config_v1alpha1.yaml b/pkg/asm_user_auth_config_v1beta1.yaml similarity index 86% rename from pkg/asm_user_auth_config_v1alpha1.yaml rename to pkg/asm_user_auth_config_v1beta1.yaml index 3962b50..5a34962 100644 --- a/pkg/asm_user_auth_config_v1alpha1.yaml +++ b/pkg/asm_user_auth_config_v1beta1.yaml @@ -15,7 +15,7 @@ spec: singular: userauthconfig scope: Namespaced versions: - - name: v1alpha1 + - name: v1beta1 schema: openAPIV3Schema: description: UserAuthConfig is the schema for the userauthproxyconfigs API. 
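Review bot: The two new setter descriptions read "Name of the Kubernetes secret contains OAuth2 client credential for OIDC authentication." (and the namespace counterpart); the relative pronoun is missing and the noun is singular where two credentials are stored, so `description: Name of the Kubernetes Secret that contains the OAuth2 client credentials (client ID and secret) for OIDC authentication.` and the matching namespace wording read more clearly. Separately, the removed `clientSecret` setter had no `isSet` line while both replacements do, so this hunk changes which setters `kpt cfg list-setters` reports as configured; presumably intended, but worth a word in the commit message. The `openAPI.definitions` mapping continues on both sides of the hunk.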
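Review bot: Swapping `- name: v1alpha1` for `- name: v1beta1` in place leaves the CRD with a single version, so on a cluster that already has the v1alpha1 CRD installed with stored objects the apiserver rejects the update while `v1alpha1` remains in `status.storedVersions`, and existing `UserAuthConfig` objects would otherwise become unservable. If in-place upgrade is a supported path, the usual approach is to keep `v1alpha1` listed with `served: false` and `storage: false` alongside `v1beta1` and migrate stored objects; if only fresh installs are supported, a comment above `versions:` saying so spares the next person the investigation. The `versions` entry continues below the hunk.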
@@ -45,14 +45,20 @@ spec: description: CertificateAuthorityData contains PEM-encoded certificate authority certificate for OIDC provider. type: string - # TODO(piyushn): Move clientid / secret to k8s secrets. - clientID: - description: ClientID is an ID for OIDC client application. - type: string - clientSecret: - description: ClientSecret is the shared secret between OIDC - client application and OIDC provider. - type: string + oauthCredentialsSecret: + description: secret references to the Kubernetes Opaque type secret which + contains OAuth2 OIDC client_id and client_secret in JSON payload. + properties: + name: + description: Name of the secret which stores OAuth2 OIDC credentials. + type: string + namespace: + description: Namespace of the secret which stores OAuth2 OIDC credentials. + type: string + required: + - name + - namespace + type: object scopes: description: Comma-separated list of identifiers used to specify what access privileges are being requested in addition to "openid" scope, eg. "groups,allatclaim". type: string @@ -81,8 +87,7 @@ spec: type: string default: "/_gcp_asm/authenticate" required: - - clientID - - clientSecret + - oauthCredentialsSecret - issuerURI - redirectURIHost - redirectURIPath diff --git a/pkg/cluster_role_binding.yaml b/pkg/cluster_role_binding.yaml index 1e47b37..a4076ef 100644 --- a/pkg/cluster_role_binding.yaml +++ b/pkg/cluster_role_binding.yaml @@ -9,6 +9,10 @@ rules: - userauthconfigs - userauthconfigs/status verbs: ["get", "update", "patch"] +- apiGroups: [""] + resources: + - secrets + verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/pkg/configmap.yaml b/pkg/configmap.yaml index 2cd24bc..255c793 100644 --- a/pkg/configmap.yaml +++ b/pkg/configmap.yaml 
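Review bot: The new `oauthCredentialsSecret` description says the referenced Secret holds `client_id` and `client_secret` "in JSON payload", but the `pkg/oauth_secret.yaml` added in patch 6 later on this page stores them as two separate `data` keys named `clientID` and `clientSecret`; one of the two is wrong, and the CRD description is what an operator creating their own Secret will follow. Once the intended layout is confirmed, align the description with the shipped Secret, e.g. `description: Reference to a Kubernetes Opaque Secret holding the OAuth2 client credentials under the keys clientID and clientSecret.`. The `namespace` property also lets the author of a UserAuthConfig point the controller at a Secret in any namespace the controller's RBAC can read; if cross-namespace references are not a feature, a schema restriction or a note that the controller validates the namespace would close that gap. The `oidc` properties mapping continues on both sides of the hunk.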
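Review bot: The new rule grants `get` on `secrets` with no `resourceNames`, and because this is a ClusterRole the grant spans every namespace; patch 6 later on this page narrows it with `resourceNames: - "oauth-secret"`, which still permits reading any Secret of that name in any namespace. If the controller only ever reads the Secret referenced from its own namespace, a namespaced `Role` plus `RoleBinding` in `asm-user-auth` is the least-privilege shape; if cross-namespace references are intentional, a comment above the rule saying so (and that the CR's `namespace` field is trusted input) helps the next reviewer. The `rules` list continues above the hunk.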
@@ -23,7 +23,7 @@ data: filename: "/etc/ais/certs/session_cookie.key" custom_resource_definition_info: api_group: "security.anthos.io" - version: "v1alpha1" + version: "v1beta1" namespace: "asm-user-auth" name: "user-auth-config" kind_plural_name: "userauthconfigs" diff --git a/pkg/user_auth_config.yaml b/pkg/user_auth_config.yaml index 94f3195..9b4a082 100644 --- a/pkg/user_auth_config.yaml +++ b/pkg/user_auth_config.yaml @@ -1,4 +1,4 @@ -apiVersion: security.anthos.io/v1alpha1 +apiVersion: security.anthos.io/v1beta1 kind: UserAuthConfig metadata: name: user-auth-config @@ -7,8 +7,9 @@ spec: authentication: oidc: certificateAuthorityData: "" - clientID: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID"} - clientSecret: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret"} + oauthCredentialsSecret: + name: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"} + namespace: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"} issuerURI: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"} redirectURIHost: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"} redirectURIPath: "/_gcp_asm/authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} From 3b7e9df0fb5f3ae26fa1ffe63c4617c6d4b00bbb Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Wed, 23 Jun 2021 22:16:00 +0000 Subject: [PATCH 6/8] update pkg for oauth secret --- pkg/Kptfile | 17 +++++++++++++++-- pkg/cluster_role_binding.yaml | 2 ++ pkg/deployment.yaml | 4 ++-- pkg/oauth_secret.yaml | 9 +++++++++ pkg/user_auth_config.yaml | 4 ++-- 5 files changed, 30 insertions(+), 6 deletions(-) create mode 100644 pkg/oauth_secret.yaml 
diff --git a/pkg/Kptfile b/pkg/Kptfile index 99e10bc..7944185 100644 --- a/pkg/Kptfile +++ b/pkg/Kptfile @@ -11,19 +11,32 @@ openAPI: setter: name: anthos.servicemesh.user-auth.image value: gcr.io/gke-release/asm/asm_user_auth:hybrid_identity_charon_20210325_RC00 + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID: + description: The OAuth2 client ID for OIDC authentication. + x-k8s-cli: + setter: + name: anthos.servicemesh.user-auth.oidc.clientID + value: your-oidc-client-id + isSet: true + io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret: + description: The OAuth2 client secret for OIDC authentication. + x-k8s-cli: + setter: + name: anthos.servicemesh.user-auth.oidc.clientSecret + value: your-oidc-clientSecret io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name: description: Name of the Kubernetes secret contains OAuth2 client credential for OIDC authentication. x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name - value: your-kubernetes-secret-name + value: oauth-secret isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace: description: Namespace of the Kubernetes secret contains OAuth2 client credential for OIDC authentication. x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace - value: your-kubernetes-secret-namespace + value: asm-user-auth isSet: true io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI: description: The OIDC identity provider issuer URI. diff --git a/pkg/cluster_role_binding.yaml b/pkg/cluster_role_binding.yaml index a4076ef..05b48f6 100644 --- a/pkg/cluster_role_binding.yaml +++ b/pkg/cluster_role_binding.yaml 
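Review bot: The re-added `clientSecret` setter means `kpt cfg set` writes the live OAuth client secret into this Kptfile (and into `pkg/oauth_secret.yaml`) as plain text in the package directory, so anyone committing the configured package to version control leaks the credential. If the setter is kept, its description should say so, e.g. `description: The OAuth2 client secret for OIDC authentication. After kpt cfg set the value is stored in plain text in this Kptfile and in oauth_secret.yaml; do not commit the configured package.`, backed by a README note for the configured copy. Unlike the `clientID` setter above it and the two `oauthCredentialsSecret.*` setters, `clientSecret` has no `isSet` line, so it is reported as unset until the user provides it; that seems right for a secret but differs from the pattern around it and deserves a comment. The `openAPI.definitions` mapping continues on both sides of the hunk.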
@@ -12,6 +12,8 @@ rules: - apiGroups: [""] resources: - secrets + resourceNames: + - "oauth-secret" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"} verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/pkg/deployment.yaml b/pkg/deployment.yaml index 75c439b..dc75ab7 100644 --- a/pkg/deployment.yaml +++ b/pkg/deployment.yaml @@ -38,10 +38,10 @@ spec: spec: containers: - name: authservice - image: gcr.io/gke-release/asm/asm_user_auth:hybrid_identity_charon_20210325_RC00 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"} + image: gcr.io/gke-release/ais:GA # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.image"} imagePullPolicy: IfNotPresent command: - - /usr/bin/asm_user_auth + - /usr/bin/ais - --uid= - --gid= - --logtostderr diff --git a/pkg/oauth_secret.yaml b/pkg/oauth_secret.yaml new file mode 100644 index 0000000..99d23b4 --- /dev/null +++ b/pkg/oauth_secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "oauth-secret" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"} + namespace: "asm-user-auth" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"} +type: Opaque +data: + clientID: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientID"} + clientSecret: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.clientSecret"} diff --git a/pkg/user_auth_config.yaml b/pkg/user_auth_config.yaml index 9b4a082..5ff2850 100644 --- a/pkg/user_auth_config.yaml +++ b/pkg/user_auth_config.yaml 
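Review bot: The new image `gcr.io/gke-release/ais:GA` is a floating tag combined with the existing `imagePullPolicy: IfNotPresent`, so nodes that already cached an older `ais:GA` keep running it while fresh nodes pull whatever the tag currently points at, and there is no digest to audit what actually ran. Pinning to `gcr.io/gke-release/ais@sha256:<digest>` (or a non-moving tag) is the defensible form for an authentication component. The same line keeps the `anthos.servicemesh.user-auth.image` setter ref, but the Kptfile setter in this patch still shows `value: gcr.io/gke-release/asm/asm_user_auth:hybrid_identity_charon_20210325_RC00` as context, so the package is internally inconsistent until that setter value is updated to match. The `command` list continues below the hunk.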
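Review bot: The new Secret places the setter-populated `clientID` and `clientSecret` under `data:`, which the API server requires to be base64-encoded, so a user running `kpt cfg set` with the raw client ID or secret produces a manifest that is rejected as invalid base64 (or, if it happens to decode, a corrupted credential). Using `stringData:` in place of `data:` lets the setter write the plain value and has the API server encode it on admission; the two key lines stay as they are. Shipping a Secret manifest inside the package also means the configured copy carries the credential in the clear, which is worth stating in the package README.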
@@ -8,8 +8,8 @@ spec: oidc: certificateAuthorityData: "" oauthCredentialsSecret: - name: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"} - namespace: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"} + name: "oauth-secret" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.name"} + namespace: "asm-user-auth" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"} issuerURI: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"} redirectURIHost: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"} redirectURIPath: "/_gcp_asm/authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} From 65b16055d88819ef9203987435a92709aacf5128 Mon Sep 17 00:00:00 2001 From: Wenhao Li Date: Fri, 25 Jun 2021 21:56:07 +0000 Subject: [PATCH 7/8] add resources to deployment --- pkg/deployment.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/deployment.yaml b/pkg/deployment.yaml index dc75ab7..02bd850 100644 --- a/pkg/deployment.yaml +++ b/pkg/deployment.yaml @@ -53,7 +53,13 @@ spec: protocol: TCP - containerPort: 9901 protocol: TCP - resources: {} + resources: + limits: + cpu: 2.0 + memory: 512M + requests: + cpu: 1.0 + memory: 256M volumeMounts: - mountPath: /etc/ais/certs name: key-volume From ef51998376a1f6e8bb0618a626bacba683ee2ae1 Mon Sep 17 00:00:00 2001 From: Jianfei Hu Date: Tue, 29 Jun 2021 19:03:37 +0000 Subject: [PATCH 8/8] update the gateway config with the kpt setter. --- pkg/Kptfile | 2 +- pkg/gateway.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/Kptfile b/pkg/Kptfile index 7944185..7fbb524 100644 --- a/pkg/Kptfile +++ b/pkg/Kptfile 
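Review bot: `cpu: 2.0` and `cpu: 1.0` are parsed as YAML floats before Kubernetes sees them, and `512M`/`256M` are decimal megabytes (10^6 bytes) rather than the mebibytes (`Mi`) most deployments intend; both are legal but easy to misread. Writing the quantities as quoted strings, `cpu: "2"` / `cpu: "1"`, and confirming whether `512Mi`/`256Mi` was meant, removes the ambiguity. The container spec continues on both sides of the hunk.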
@@ -57,5 +57,5 @@ openAPI: x-k8s-cli: setter: name: anthos.servicemesh.user-auth.oidc.redirectURIPath - value: your-oidc-redirect-uri-path + value: "/_gcp_asm/authenticate" isSet: true diff --git a/pkg/gateway.yaml b/pkg/gateway.yaml index 4aea098..8f7f527 100644 --- a/pkg/gateway.yaml +++ b/pkg/gateway.yaml @@ -35,7 +35,7 @@ spec: - uri: prefix: /status - uri: - prefix: /_gcp_anthos_callback + prefix: "/_gcp_asm/authenticate" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"} name: user-auth-route route: - destination:
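Review bot: The callback route uses `prefix: "/_gcp_asm/authenticate"`, which also matches any path that merely begins with that string (a sub-path or a longer segment), so requests that are not the OIDC callback are routed to the auth service's callback handler. Since the redirect URI registered at the identity provider is one fixed path, `exact: "/_gcp_asm/authenticate"` expresses the intent precisely, and the setter ref comment can stay on that line unchanged. This patch also moves the callback from `/_gcp_anthos_callback`, so the redirect URI registered with the identity provider must change in lockstep, which the commit message does not mention. The `http` match list and the `route` block continue on both sides of the hunk.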