Authentication for mgmt route and service

deploy/crds/noobaa.io_noobaas.yaml

@@ -996,6 +996,10 @@ spec:
                 nullable: true
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              authProxyImage:
+                description: AuthProxyImage (optional) overrides the default image
+                  for the auth-proxy
+                type: string
               autoscaler:
                 description: Configuration related to autoscaling
                 properties:

deploy/internal/deployment-endpoint.yaml

@@ -54,6 +54,10 @@ spec:
           secret:
             secretName: noobaa-server
             optional: true
+        - name: auth-endpoint
+          secret:
+            secretName: endpoint-auth-proxy
+            optional: true
       containers:
         - name: endpoint
           image: NOOBAA_CORE_IMAGE
@@ -161,6 +165,33 @@ spec:
             tcpSocket:
               port: 6001 # ready when s3 port is open
             timeoutSeconds: 5
+        - name: oauth-proxy
+          image: quay.io/openshift/origin-oauth-proxy:4.16
+          imagePullPolicy: IfNotPresent
+          ports:
+          - name: endpoint-proxy
+            containerPort: 7003
+            protocol: TCP
+          args:
+            - -https-address=:7003
+            - -provider=openshift
+            - -email-domain=*
+            - -openshift-service-account=noobaa-endpoint
+            - -client-id=system:serviceaccount:noobaa:noobaa-endpoint
+            - -upstream=http://localhost:7004
+            - -tls-cert=/etc/endpoint-tls/tls.crt
+            - -tls-key=/etc/endpoint-tls/tls.key
+            - -cookie-secret-file=/etc/proxy-secrets/session_secret
+            - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+            - -openshift-sar={"resource":"services","name":"s3","namespace":"noobaa","verb":"get"}
+            - -openshift-delegate-urls={"/":{"resource":"services","namespace":"noobaa","verb":"get"}}
+          volumeMounts:
+            - name: s3-secret
+              mountPath: /etc/endpoint-tls
+              readOnly: true
+            - name: auth-endpoint
+              mountPath: /etc/proxy-secrets
+              readOnly: true
       securityContext:
         runAsUser: 0
         runAsGroup: 0

deploy/internal/route-mgmt.yaml

@@ -6,7 +6,7 @@ metadata:
   name: noobaa-mgmt
 spec:
   port:
-    targetPort: mgmt-https
+    targetPort: mgmt-proxy
   tls:
     termination: reencrypt
     insecureEdgeTerminationPolicy: Redirect

deploy/internal/secret-core-sa-token.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-core-sa-token
+  annotations:
+    kubernetes.io/service-account.name: "noobaa-core" 
+type: kubernetes.io/service-account-token

deploy/internal/service-mgmt.yaml

@@ -26,3 +26,7 @@ spec:
       name: bg-https
     - port: 8446
       name: hosted-agents-https
+    - name: mgmt-proxy
+      port: 8447
+      protocol: TCP
+      targetPort: mgmt-proxy

deploy/internal/service-s3.yaml

@@ -23,4 +23,5 @@ spec:
       name: md-https
     - port: 7004
       name: metrics
+      targetPort: endpoint-proxy
 

deploy/internal/statefulset-core.yaml

@@ -43,10 +43,42 @@ spec:
                   path: token
                   # For testing purposes change the audience to api
                   audience: openshift
+        - name: secret-mgmt-auth-proxy
+          secret:
+            defaultMode: 420
+            secretName: mgmt-auth-proxy
       securityContext:
         runAsUser: 10001
         runAsGroup: 0
       containers:
+        - name: oauth-proxy
+          #image: quay.io/openshift/origin-oauth-proxy:4.16
+          image: NOOBAA_AUTH_PROXY_IMAGE
+          imagePullPolicy: IfNotPresent
+          ports:
+          - name: mgmt-proxy
+            containerPort: 8447
+            protocol: TCP
+          args:
+            - -https-address=:8447
+            - -provider=openshift
+            - -email-domain=*
+            - -client-id=system:serviceaccount:noobaa:noobaa-core
+            - -openshift-service-account=noobaa-core
+            - -upstream=http://localhost:8080
+            - -tls-cert=/etc/tls/private/tls.crt
+            - -tls-key=/etc/tls/private/tls.key
+            - -cookie-secret-file=/etc/proxy/secrets/session_secret
+            - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+            - -openshift-sar={"resource":"services","name":"noobaa-mgmt","namespace":"noobaa","verb":"get"}
+            - -openshift-delegate-urls={"/":{"resource":"services","namespace":"noobaa","verb":"get"}}
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: mgmt-secret
+              readOnly: true
+            - mountPath: /etc/proxy/secrets
+              name: secret-mgmt-auth-proxy
+              readOnly: true
         #----------------#
         # CORE CONTAINER #
         #----------------#

deploy/role_binding_core_auth_delegator.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: core-auth-proxy-auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: noobaa-core
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'system:auth-delegator'

deploy/role_core.yaml

@@ -45,3 +45,13 @@ rules:
   - securitycontextconstraints
   verbs:
   - use
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - create
+  - update
+  - list
+  - watch

deploy/service_account_core.yaml

@@ -2,4 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: noobaa-core
-
+  annotations:
+    serviceaccounts.openshift.io/oauth-redirectreference.noobaa-core: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"noobaa-mgmt"}}'

deploy/service_account_endpoint.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: noobaa-endpoint
+  annotations:
+    serviceaccounts.openshift.io/oauth-redirecturi.endpoint: "//:7004"

pkg/apis/noobaa/v1alpha1/noobaa_types.go

@@ -85,6 +85,10 @@ type NooBaaSpec struct {
 	// +optional
 	DBImage *string `json:"dbImage,omitempty"`
 
+	// AuthProxyImage (optional) overrides the default image for the auth-proxy
+	// +optional
+	AuthProxyImage *string `json:"authProxyImage,omitempty"`
+
 	// DBConf (optional) overrides the default postgresql db config
 	// +optional
 	DBConf *string `json:"dbConf,omitempty"`