Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Identity for oauth aux #1286

Merged
merged 24 commits into from
Feb 19, 2025
Merged

Identity for oauth aux #1286

Show file tree
Hide file tree
Changes from 21 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
a8f92c5
Added the field UseAzureIdentity to oauth2
satr Feb 7, 2025
36646b3
Added validation
satr Feb 7, 2025
f905198
Added unit-test
satr Feb 7, 2025
0d4f9d5
Added-deleted aux oauth identity service account
satr Feb 7, 2025
3eeddc4
Added use identity label to the aux oauth deployment
satr Feb 7, 2025
7d35bb7
Merge remote-tracking branch 'origin/master' into identity-for-oauth-aux
satr Feb 10, 2025
5793d2a
Fixed oauth deletion
satr Feb 10, 2025
90f248a
Adding unit-tests
satr Feb 10, 2025
828b317
Merge remote-tracking branch 'origin/master' into identity-for-oauth-aux
satr Feb 10, 2025
52c7988
Adding unit-tests
satr Feb 10, 2025
f430895
Adding unit-tests
satr Feb 12, 2025
75f6c61
Adding unit-tests
satr Feb 12, 2025
67ed833
Merge remote-tracking branch 'origin/master' into identity-for-oauth-aux
satr Feb 12, 2025
7971044
Adding unit-tests
satr Feb 12, 2025
cf78d8a
Adding unit-tests
satr Feb 12, 2025
75ff4be
Modified aux deploy and secret
satr Feb 12, 2025
a900f38
Cleanup
satr Feb 12, 2025
1a31415
Extended unit-test
satr Feb 13, 2025
284a1db
Cleanup
satr Feb 13, 2025
3a3ff0f
Removed unnecessary validation
satr Feb 14, 2025
05ba7f4
Corrected oauth service client-id logic
satr Feb 14, 2025
5c582ce
Updated go and linter versions
satr Feb 18, 2025
3b7d9e5
Merge branch 'master' into identity-for-oauth-aux
satr Feb 18, 2025
4d0855a
Replaced property useAzureIdentity with Credentials enum to be expand…
satr Feb 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions charts/radix-operator/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v2
name: radix-operator
version: 1.51.0
appVersion: 1.71.0
version: 1.52.0
appVersion: 1.72.0
kubeVersion: ">=1.24.0"
description: Radix Operator
keywords:
Expand Down
10 changes: 10 additions & 0 deletions charts/radix-operator/templates/radixapplication.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ spec:
X-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.
The access token is passed in the X-Auth-Request-Access-Token header.
type: boolean
useAzureIdentity:
description: UseAzureIdentity defines that credentials
for authenticating using Azure Workload Identity instead
of using a ClientSecret.
type: boolean
type: object
type: object
dockerfileName:
Expand Down Expand Up @@ -402,6 +407,11 @@ spec:
X-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.
The access token is passed in the X-Auth-Request-Access-Token header.
type: boolean
useAzureIdentity:
description: UseAzureIdentity defines that credentials
for authenticating using Azure Workload Identity
instead of using a ClientSecret.
type: boolean
type: object
type: object
dockerfileName:
Expand Down
5 changes: 5 additions & 0 deletions charts/radix-operator/templates/radixdeployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,11 @@ spec:
X-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.
The access token is passed in the X-Auth-Request-Access-Token header.
type: boolean
useAzureIdentity:
description: UseAzureIdentity defines that credentials
for authenticating using Azure Workload Identity instead
of using a ClientSecret.
type: boolean
type: object
type: object
dnsAppAlias:
Expand Down
8 changes: 8 additions & 0 deletions json-schema/radixapplication.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,10 @@
"setXAuthRequestHeaders": {
"description": "Defines if claims from the access token is added to the X-Auth-Request-User, X-Auth-Request-Groups,\nX-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.\nThe access token is passed in the X-Auth-Request-Access-Token header.",
"type": "boolean"
},
"useAzureIdentity": {
"description": "UseAzureIdentity defines that credentials for authenticating using Azure Workload Identity instead of using a ClientSecret.",
"type": "boolean"
}
},
"type": "object"
Expand Down Expand Up @@ -378,6 +382,10 @@
"setXAuthRequestHeaders": {
"description": "Defines if claims from the access token is added to the X-Auth-Request-User, X-Auth-Request-Groups,\nX-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.\nThe access token is passed in the X-Auth-Request-Access-Token header.",
"type": "boolean"
},
"useAzureIdentity": {
"description": "UseAzureIdentity defines that credentials for authenticating using Azure Workload Identity instead of using a ClientSecret.",
"type": "boolean"
}
},
"type": "object"
Expand Down
2 changes: 2 additions & 0 deletions pkg/apis/defaults/oauth2.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ const (
AuthUrlAnnotation = "nginx.ingress.kubernetes.io/auth-url"
AuthSigninAnnotation = "nginx.ingress.kubernetes.io/auth-signin"
AuthResponseHeadersAnnotation = "nginx.ingress.kubernetes.io/auth-response-headers"
OAuthProxyProviderOIDC = "oidc"
OAuthProxyProviderEntraId = "entra-id"
)

// OAuth2Config is implemented by any value that has as MergeWith method
Expand Down
78 changes: 58 additions & 20 deletions pkg/apis/deployment/oauthproxyresourcemanager.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,13 @@ import (
"k8s.io/client-go/tools/cache"
)

const (
oauth2ProxyClientSecretEnvironmentVariable = "OAUTH2_PROXY_CLIENT_SECRET"
oauth2ProxyCookieSecretEnvironmentVariable = "OAUTH2_PROXY_COOKIE_SECRET"
oauth2ProxyRedisPasswordEnvironmentVariable = "OAUTH2_PROXY_REDIS_PASSWORD"
oauth2ProxyEntraIdFederatedTokenAuthEnvironmentVariable = "OAUTH2_PROXY_ENTRA_ID_FEDERATED_TOKEN_AUTH"
)

// NewOAuthProxyResourceManager creates a new OAuthProxyResourceManager
func NewOAuthProxyResourceManager(rd *v1.RadixDeployment, rr *v1.RadixRegistration, kubeutil *kube.Kube, oauth2DefaultConfig defaults.OAuth2Config, ingressAnnotationProviders []ingress.AnnotationProvider, oauth2ProxyDockerImage string) AuxiliaryResourceManager {

Expand Down Expand Up @@ -255,6 +262,12 @@ func (o *oauthProxyResourceManager) install(ctx context.Context, component v1.Ra
return err
}

if err := createOrUpdateOAuthProxyServiceAccount(ctx, o.kubeutil, o.rd, component); err != nil {
return fmt.Errorf("failed to create OAuth proxy service account: %w", err)
}
if err := garbageCollectServiceAccountNoLongerInSpecForOAuthProxyComponent(ctx, o.kubeutil, o.rd, component); err != nil {
return fmt.Errorf("failed to garbage collect service account no longer in spec for OAuth proxy component: %w", err)
}
return o.createOrUpdateDeployment(ctx, component)
}

Expand All @@ -272,6 +285,10 @@ func (o *oauthProxyResourceManager) uninstall(ctx context.Context, component v1.
return err
}

if err := deleteOAuthProxyServiceAccounts(ctx, o.kubeutil, o.rd.Namespace, component); err != nil {
return err
}

if err := o.deleteSecrets(ctx, component); err != nil {
return err
}
Expand Down Expand Up @@ -450,26 +467,28 @@ func (o *oauthProxyResourceManager) createOrUpdateService(ctx context.Context, c

func (o *oauthProxyResourceManager) createOrUpdateSecret(ctx context.Context, component v1.RadixCommonDeployComponent) error {
secretName := utils.GetAuxiliaryComponentSecretName(component.GetName(), defaults.OAuthProxyAuxiliaryComponentSuffix)
secret, err := o.kubeutil.GetSecret(ctx, o.rd.Namespace, secretName)

existingSecret, err := o.kubeutil.GetSecret(ctx, o.rd.Namespace, secretName)
if err != nil {
if !kubeerrors.IsNotFound(err) {
return err
}
secret, err = o.buildSecretSpec(component)
secret, err := buildOAuthProxySecret(o.rd.Spec.AppName, component)
if err != nil {
return err
}
} else {
oauthutil.MergeAuxComponentResourceLabels(secret, o.rd.Spec.AppName, component)
if component.GetAuthentication().OAuth2.SessionStoreType != v1.SessionStoreRedis {
if secret.Data != nil && len(secret.Data[defaults.OAuthRedisPasswordKeyName]) > 0 {
delete(secret.Data, defaults.OAuthRedisPasswordKeyName)
}
}
_, err = o.kubeutil.CreateSecret(ctx, o.rd.Namespace, secret)
return err
}

_, err = o.kubeutil.ApplySecret(ctx, o.rd.Namespace, secret) //nolint:staticcheck // must be updated to use UpdateSecret or CreateSecret
secret := existingSecret.DeepCopy()
oauthutil.MergeAuxComponentResourceLabels(secret, o.rd.Spec.AppName, component)
if _, ok := secret.Data[defaults.OAuthRedisPasswordKeyName]; ok && component.GetAuthentication().GetOAuth2().GetSessionStoreType() != v1.SessionStoreRedis {
delete(secret.Data, defaults.OAuthRedisPasswordKeyName)
}
if _, ok := secret.Data[defaults.OAuthClientSecretKeyName]; ok && component.GetAuthentication().GetOAuth2().GetUseAzureIdentity() {
delete(secret.Data, defaults.OAuthClientSecretKeyName)
}
_, err = o.kubeutil.UpdateSecret(ctx, existingSecret, secret)
return err
}

Expand Down Expand Up @@ -537,7 +556,7 @@ func (o *oauthProxyResourceManager) getRoleAndRoleBindingName(prefix, componentN
return fmt.Sprintf("%s-%s", prefix, deploymentName)
}

func (o *oauthProxyResourceManager) buildSecretSpec(component v1.RadixCommonDeployComponent) (*corev1.Secret, error) {
func buildOAuthProxySecret(appName string, component v1.RadixCommonDeployComponent) (*corev1.Secret, error) {
secretName := utils.GetAuxiliaryComponentSecretName(component.GetName(), defaults.OAuthProxyAuxiliaryComponentSuffix)

secret := &corev1.Secret{
Expand All @@ -547,8 +566,8 @@ func (o *oauthProxyResourceManager) buildSecretSpec(component v1.RadixCommonDepl
},
Data: make(map[string][]byte),
}
oauthutil.MergeAuxComponentResourceLabels(secret, o.rd.Spec.AppName, component)
cookieSecret, err := o.generateRandomCookieSecret()
oauthutil.MergeAuxComponentResourceLabels(secret, appName, component)
cookieSecret, err := generateRandomCookieSecret()
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -580,7 +599,7 @@ func (o *oauthProxyResourceManager) buildServiceSpec(component v1.RadixCommonDep
return service
}

func (o *oauthProxyResourceManager) generateRandomCookieSecret() ([]byte, error) {
func generateRandomCookieSecret() ([]byte, error) {
randomBytes := commonutils.GenerateRandomKey(32)
// Extra check to make sure correct number of bytes are returned for the random key
if len(randomBytes) != 32 {
Expand Down Expand Up @@ -674,7 +693,13 @@ func (o *oauthProxyResourceManager) getDesiredDeployment(component v1.RadixCommo
},
},
}

if component.GetAuthentication().GetOAuth2().GetUseAzureIdentity() {
desiredDeployment.Spec.Template.Labels = radixlabels.Merge(
desiredDeployment.Spec.Template.GetLabels(),
radixlabels.ForPodWithRadixIdentity(component.GetIdentity()),
)
desiredDeployment.Spec.Template.Spec.ServiceAccountName = utils.GetOAuthProxyServiceAccountName(component.GetName())
}
oauthutil.MergeAuxComponentResourceLabels(desiredDeployment, o.rd.Spec.AppName, component)
return desiredDeployment, nil
}
Expand All @@ -701,7 +726,7 @@ func (o *oauthProxyResourceManager) getEnvVars(component v1.RadixCommonDeployCom
}

// oauth2-proxy env-vars
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_PROVIDER", Value: "oidc"})
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_PROVIDER", Value: getOAuthProxyProvider(oauth)})
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_COOKIE_HTTPONLY", Value: "true"})
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_COOKIE_SECURE", Value: "true"})
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_PASS_BASIC_AUTH", Value: "false"})
Expand All @@ -710,10 +735,16 @@ func (o *oauthProxyResourceManager) getEnvVars(component v1.RadixCommonDeployCom
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL", Value: "true"})
envVars = append(envVars, corev1.EnvVar{Name: "OAUTH2_PROXY_HTTP_ADDRESS", Value: fmt.Sprintf("%s://:%v", "http", defaults.OAuthProxyPortNumber)})
secretName := utils.GetAuxiliaryComponentSecretName(component.GetName(), defaults.OAuthProxyAuxiliaryComponentSuffix)
envVars = append(envVars, o.createEnvVarWithSecretRef("OAUTH2_PROXY_COOKIE_SECRET", secretName, defaults.OAuthCookieSecretKeyName))
envVars = append(envVars, o.createEnvVarWithSecretRef("OAUTH2_PROXY_CLIENT_SECRET", secretName, defaults.OAuthClientSecretKeyName))
envVars = append(envVars, o.createEnvVarWithSecretRef(oauth2ProxyCookieSecretEnvironmentVariable, secretName, defaults.OAuthCookieSecretKeyName))

if oauth.GetUseAzureIdentity() {
envVars = append(envVars, corev1.EnvVar{Name: oauth2ProxyEntraIdFederatedTokenAuthEnvironmentVariable, Value: "true"})
} else {
envVars = append(envVars, o.createEnvVarWithSecretRef(oauth2ProxyClientSecretEnvironmentVariable, secretName, defaults.OAuthClientSecretKeyName))
}

if oauth.SessionStoreType == v1.SessionStoreRedis {
envVars = append(envVars, o.createEnvVarWithSecretRef("OAUTH2_PROXY_REDIS_PASSWORD", secretName, defaults.OAuthRedisPasswordKeyName))
envVars = append(envVars, o.createEnvVarWithSecretRef(oauth2ProxyRedisPasswordEnvironmentVariable, secretName, defaults.OAuthRedisPasswordKeyName))
}

addEnvVarIfSet("OAUTH2_PROXY_CLIENT_ID", oauth.ClientID)
Expand Down Expand Up @@ -751,6 +782,13 @@ func (o *oauthProxyResourceManager) getEnvVars(component v1.RadixCommonDeployCom
return envVars
}

func getOAuthProxyProvider(oauth *v1.OAuth2) string {
if oauth.GetUseAzureIdentity() {
return defaults.OAuthProxyProviderEntraId
}
return defaults.OAuthProxyProviderOIDC
}

func (o *oauthProxyResourceManager) createEnvVarWithSecretRef(envVarName, secretName, key string) corev1.EnvVar {
return corev1.EnvVar{
Name: envVarName,
Expand Down
Loading
Loading