diff --git a/deploy/crds/noobaa.io_noobaas.yaml b/deploy/crds/noobaa.io_noobaas.yaml index 8bf233710..e14792b93 100644 --- a/deploy/crds/noobaa.io_noobaas.yaml +++ b/deploy/crds/noobaa.io_noobaas.yaml @@ -996,6 +996,10 @@ spec: nullable: true type: object x-kubernetes-preserve-unknown-fields: true + authProxyImage: + description: AuthProxyImage (optional) overrides the default image + for the auth-proxy + type: string autoscaler: description: Configuration related to autoscaling properties: diff --git a/deploy/internal/deployment-endpoint.yaml b/deploy/internal/deployment-endpoint.yaml index 36fe437e5..445f51ed7 100644 --- a/deploy/internal/deployment-endpoint.yaml +++ b/deploy/internal/deployment-endpoint.yaml @@ -54,6 +54,10 @@ spec: secret: secretName: noobaa-server optional: true + - name: auth-endpoint + secret: + secretName: endpoint-auth-proxy + optional: true containers: - name: endpoint image: NOOBAA_CORE_IMAGE 
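Review bot: The new `auth-endpoint` volume mounts a secret named `endpoint-auth-proxy` with `optional: true`, but nothing on this page creates that secret — the reconciler only knows `mgmt-auth-proxy`, and only for the core StatefulSet. With the secret absent the pod still schedules, and the failure surfaces later as the oauth-proxy sidecar (added in the next hunk) exiting on a missing `-cookie-secret-file`. Either add a reconcile step that creates `endpoint-auth-proxy` with a generated `session_secret`, mirroring `SetDesiredSecretMgmtAuthProxy`, or drop `optional: true` so the missing dependency is reported at pod creation instead of as a crash loop.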
@@ -161,6 +165,33 @@ spec: tcpSocket: port: 6001 # ready when s3 port is open timeoutSeconds: 5 + - name: oauth-proxy + image: quay.io/openshift/origin-oauth-proxy:4.16 + imagePullPolicy: IfNotPresent + ports: + - name: endpoint-proxy + containerPort: 7003 + protocol: TCP + args: + - -https-address=:7003 + - -provider=openshift + - -email-domain=* + - -openshift-service-account=noobaa-endpoint + - -client-id=system:serviceaccount:noobaa:noobaa-endpoint + - -upstream=http://localhost:7004 + - -tls-cert=/etc/endpoint-tls/tls.crt + - -tls-key=/etc/endpoint-tls/tls.key + - -cookie-secret-file=/etc/proxy-secrets/session_secret + - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - -openshift-sar={"resource":"services","name":"s3","namespace":"noobaa","verb":"get"} + - -openshift-delegate-urls={"/":{"resource":"services","namespace":"noobaa","verb":"get"}} + volumeMounts: + - name: s3-secret + mountPath: /etc/endpoint-tls + readOnly: true + - name: auth-endpoint + mountPath: /etc/proxy-secrets + readOnly: true securityContext: runAsUser: 0 runAsGroup: 0 diff --git a/deploy/internal/route-mgmt.yaml b/deploy/internal/route-mgmt.yaml index df4e04ef3..0e2350e69 100644 --- a/deploy/internal/route-mgmt.yaml +++ b/deploy/internal/route-mgmt.yaml @@ -6,7 +6,7 @@ metadata: name: noobaa-mgmt spec: port: - targetPort: mgmt-https + targetPort: mgmt-proxy tls: termination: reencrypt insecureEdgeTerminationPolicy: Redirect diff --git a/deploy/internal/secret-core-sa-token.yaml b/deploy/internal/secret-core-sa-token.yaml new file mode 100644 index 000000000..fd3c7971c --- /dev/null +++ b/deploy/internal/secret-core-sa-token.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret-core-sa-token + annotations: + kubernetes.io/service-account.name: "noobaa-core" +type: kubernetes.io/service-account-token \ No newline at end of file diff --git a/deploy/internal/service-mgmt.yaml b/deploy/internal/service-mgmt.yaml index 1cbc293e7..a80f828e3 100644 
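Review bot: The sidecar's `-client-id=system:serviceaccount:noobaa:noobaa-endpoint`, `-openshift-sar` and `-openshift-delegate-urls` arguments hard-code the namespace `noobaa` and the service name `s3`, while the operator derives both from the request (reconciler.go sets `r.SecretMgmtAuthProxy.Namespace = r.Request.Namespace` and names objects from `r.Request.Name`); installed in any other namespace the OAuth client lookup and the SubjectAccessReview point at a namespace the deployment is not in, so logins and bearer tokens will most likely be denied. The same hard-coding appears in the core StatefulSet sidecar (`noobaa` / `noobaa-mgmt`) in statefulset-core.yaml. These values should be rewritten at reconcile time, in the same place the image is (`case "oauth-proxy"` in SetDesiredCoreApp), from `r.Request.Namespace` and the reconciled service names. Note also that this sidecar pins `image: quay.io/openshift/origin-oauth-proxy:4.16` literally, so the new `AuthProxyImage` spec field and `--auth-proxy-image` flag never reach the endpoint proxy, unlike the core one which uses the `NOOBAA_AUTH_PROXY_IMAGE` placeholder.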
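Review bot: This new `kubernetes.io/service-account-token` Secret makes the API server mint a long-lived, non-expiring token for `noobaa-core`, and nothing on this page reads it (the `ReconcileObject` call for `SecreCoreSAToken` passes `nil` as the desired function, and the StatefulSet already carries a projected token volume with `audience: openshift`). If the oauth-proxy or the core container needs a token, the projected volume is the short-lived, auto-rotated option; if this secret exists only for a one-off test, it should not ship in the bundle. The file also lacks a trailing newline.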
--- a/deploy/internal/service-mgmt.yaml +++ b/deploy/internal/service-mgmt.yaml @@ -26,3 +26,7 @@ spec: name: bg-https - port: 8446 name: hosted-agents-https + - name: mgmt-proxy + port: 8447 + protocol: TCP + targetPort: mgmt-proxy diff --git a/deploy/internal/service-s3.yaml b/deploy/internal/service-s3.yaml index 810fcce55..f57437e51 100644 --- a/deploy/internal/service-s3.yaml +++ b/deploy/internal/service-s3.yaml @@ -23,4 +23,5 @@ spec: name: md-https - port: 7004 name: metrics + targetPort: endpoint-proxy diff --git a/deploy/internal/statefulset-core.yaml b/deploy/internal/statefulset-core.yaml index dc6a4aecb..c3dc4a860 100644 --- a/deploy/internal/statefulset-core.yaml +++ b/deploy/internal/statefulset-core.yaml 
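Review bot: `targetPort: endpoint-proxy` moves service port 7004, still named `metrics`, onto the oauth-proxy's container port 7003, so the Service now terminates TLS and requires an OpenShift login or bearer token for what was a plain metrics endpoint; anything scraping `7004` over http (a ServiceMonitor, for instance — not visible here) will break. If that is intended, the port name should say so and the scrape configuration will need `scheme: https` plus a bearer token whose subject can `get` the `s3` service; if not, the proxy should be exposed on its own service port.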
@@ -43,10 +43,42 @@ spec: path: token # For testing purposes change the audience to api audience: openshift + - name: secret-mgmt-auth-proxy + secret: + defaultMode: 420 + secretName: mgmt-auth-proxy securityContext: runAsUser: 10001 runAsGroup: 0 containers: + - name: oauth-proxy + #image: quay.io/openshift/origin-oauth-proxy:4.16 + image: NOOBAA_AUTH_PROXY_IMAGE + imagePullPolicy: IfNotPresent + ports: + - name: mgmt-proxy + containerPort: 8447 + protocol: TCP + args: + - -https-address=:8447 + - -provider=openshift + - -email-domain=* + - -client-id=system:serviceaccount:noobaa:noobaa-core + - -openshift-service-account=noobaa-core + - -upstream=http://localhost:8080 + - -tls-cert=/etc/tls/private/tls.crt + - -tls-key=/etc/tls/private/tls.key + - -cookie-secret-file=/etc/proxy/secrets/session_secret + - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - -openshift-sar={"resource":"services","name":"noobaa-mgmt","namespace":"noobaa","verb":"get"} + - -openshift-delegate-urls={"/":{"resource":"services","namespace":"noobaa","verb":"get"}} + volumeMounts: + - mountPath: /etc/tls/private + name: mgmt-secret + readOnly: true + - mountPath: /etc/proxy/secrets + name: secret-mgmt-auth-proxy + readOnly: true #----------------# # CORE CONTAINER # #----------------# diff --git a/deploy/role_binding_core_auth_delegator.yaml b/deploy/role_binding_core_auth_delegator.yaml new file mode 100644 index 000000000..f8fadb25a --- /dev/null +++ b/deploy/role_binding_core_auth_delegator.yaml @@ -0,0 +1,11 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: core-auth-proxy-auth-delegator +subjects: + - kind: ServiceAccount + name: noobaa-core +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'system:auth-delegator' \ No newline at end of file diff --git a/deploy/role_core.yaml b/deploy/role_core.yaml index 59fc98775..92da95ac2 100644 --- a/deploy/role_core.yaml +++ b/deploy/role_core.yaml 
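Review bot: The `mgmt-auth-proxy` Secret is mounted without `optional: true`, but the only code that creates it, `ReconcileMgmtAuthProxy` in phase2_creating.go, is commented out in this same commit, so with this manifest the core pod cannot start (the kubelet waits for the volume) and, because route-mgmt.yaml now targets `mgmt-proxy`, the management route has no reachable backend. Enable the reconcile call, or keep the mount and the route change for the commit that does. Separately, the dead `#image: quay.io/openshift/origin-oauth-proxy:4.16` line above `image: NOOBAA_AUTH_PROXY_IMAGE` should be removed; the default now lives in `options.AuthProxyImage`.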
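Review bot: `core-auth-proxy-auth-delegator` is a cluster-scoped object with a fixed name, and `SetDesiredCoreAuthClusterRoleBinding` rewrites `Subjects[0].Namespace` to `options.Namespace` on every reconcile; two NooBaa systems in different namespaces would each overwrite the other's binding, so one of them loses the TokenReview/SubjectAccessReview access the proxy relies on and its authentication starts failing. Derive the name from the namespace (for example `<namespace>-core-auth-proxy-auth-delegator`, name constructed here) or manage one subject per system instead of replacing index 0. The file also has no trailing newline.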
@@ -45,3 +45,13 @@ rules: - securitycontextconstraints verbs: - use +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - create + - update + - list + - watch \ No newline at end of file diff --git a/deploy/service_account_core.yaml b/deploy/service_account_core.yaml index 26e540604..1af744a27 100644 --- a/deploy/service_account_core.yaml +++ b/deploy/service_account_core.yaml @@ -2,4 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: noobaa-core - + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.noobaa-core: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"noobaa-mgmt"}}' diff --git a/deploy/service_account_endpoint.yaml b/deploy/service_account_endpoint.yaml index 884de51f2..cb8845f73 100644 --- a/deploy/service_account_endpoint.yaml +++ b/deploy/service_account_endpoint.yaml @@ -2,3 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: noobaa-endpoint + annotations: + serviceaccounts.openshift.io/oauth-redirecturi.endpoint: "//:7004" diff --git a/pkg/apis/noobaa/v1alpha1/noobaa_types.go b/pkg/apis/noobaa/v1alpha1/noobaa_types.go index 80a9877df..8dd541134 100644 --- a/pkg/apis/noobaa/v1alpha1/noobaa_types.go +++ b/pkg/apis/noobaa/v1alpha1/noobaa_types.go @@ -85,6 +85,10 @@ type NooBaaSpec struct { // +optional DBImage *string `json:"dbImage,omitempty"` + // AuthProxyImage (optional) overrides the default image for the auth-proxy + // +optional + AuthProxyImage *string `json:"authProxyImage,omitempty"` + // DBConf (optional) overrides the default postgresql db config // +optional DBConf *string `json:"dbConf,omitempty"` diff --git a/pkg/apis/noobaa/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/noobaa/v1alpha1/zz_generated.deepcopy.go index 19151a655..d5c0a9582 100644 --- a/pkg/apis/noobaa/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/noobaa/v1alpha1/zz_generated.deepcopy.go 
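Review bot: The new rule grants the `noobaa-core` Role `create`, `update`, `list` and `watch` on `routes`, but nothing in this commit has the core service account create or modify routes; as far as I know the `oauth-redirectreference` annotation added to the service account only requires read access to the referenced route. Unless a route write path exists outside this diff, trim the verbs to `get` and `list` to keep the role at least privilege — a compromised core pod should not be able to repoint the management route. The file also lost its trailing newline.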
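Review bot: The value `"//:7004"` for `serviceaccounts.openshift.io/oauth-redirecturi.endpoint` is a scheme-relative URI with an empty host, and 7004 is the proxy's `-upstream` port rather than the port the endpoint oauth-proxy listens on (7003); the OAuth server will likely reject redirects to it, or send the browser back to the unauthenticated upstream. The core account uses an `oauth-redirectreference` pointing at the `noobaa-mgmt` Route; the endpoint account should do the same with its route, or carry a complete `https://host:7003` URI.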
@@ -1201,6 +1201,11 @@ func (in *NooBaaSpec) DeepCopyInto(out *NooBaaSpec) { *out = new(string) **out = **in } + if in.AuthProxyImage != nil { + in, out := &in.AuthProxyImage, &out.AuthProxyImage + *out = new(string) + **out = **in + } if in.DBConf != nil { in, out := &in.DBConf, &out.DBConf *out = new(string) diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go index 954687387..3da43c876 100644 --- a/pkg/bundle/deploy.go +++ b/pkg/bundle/deploy.go @@ -1423,7 +1423,7 @@ spec: status: {} ` -const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "1637077ca2e0d584cd4203469f809b215af45ee4ba5358a283bbd7a5bf1b573e" +const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "063ad30a1b9c20051dd92a37442bb6e317239cb216aeae6b6542a2d1687578b3" const File_deploy_crds_noobaa_io_noobaas_yaml = `--- apiVersion: apiextensions.k8s.io/v1 @@ -2423,6 +2423,10 @@ spec: nullable: true type: object x-kubernetes-preserve-unknown-fields: true + authProxyImage: + description: AuthProxyImage (optional) overrides the default image + for the auth-proxy + type: string autoscaler: description: Configuration related to autoscaling properties: @@ -3980,7 +3984,7 @@ data: shared_preload_libraries = 'pg_stat_statements' ` -const Sha256_deploy_internal_deployment_endpoint_yaml = "e76dc7c81a02fb396263e61311b2bc0d765f32377d1b9d2ec3f435fced2fb0c3" +const Sha256_deploy_internal_deployment_endpoint_yaml = "8edb081f183b0b40940697078d011bbae03a72c29868460580e5a8dce0701083" const File_deploy_internal_deployment_endpoint_yaml = `apiVersion: apps/v1 kind: Deployment @@ -4038,6 +4042,10 @@ spec: secret: secretName: noobaa-server optional: true + - name: auth-endpoint + secret: + secretName: endpoint-auth-proxy + optional: true containers: - name: endpoint image: NOOBAA_CORE_IMAGE 
@@ -4145,6 +4153,33 @@ spec: tcpSocket: port: 6001 # ready when s3 port is open timeoutSeconds: 5 + - name: oauth-proxy + image: quay.io/openshift/origin-oauth-proxy:4.16 + imagePullPolicy: IfNotPresent + ports: + - name: endpoint-proxy + containerPort: 7003 + protocol: TCP + args: + - -https-address=:7003 + - -provider=openshift + - -email-domain=* + - -openshift-service-account=noobaa-endpoint + - -client-id=system:serviceaccount:noobaa:noobaa-endpoint + - -upstream=http://localhost:7004 + - -tls-cert=/etc/endpoint-tls/tls.crt + - -tls-key=/etc/endpoint-tls/tls.key + - -cookie-secret-file=/etc/proxy-secrets/session_secret + - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - -openshift-sar={"resource":"services","name":"s3","namespace":"noobaa","verb":"get"} + - -openshift-delegate-urls={"/":{"resource":"services","namespace":"noobaa","verb":"get"}} + volumeMounts: + - name: s3-secret + mountPath: /etc/endpoint-tls + readOnly: true + - name: auth-endpoint + mountPath: /etc/proxy-secrets + readOnly: true securityContext: runAsUser: 0 runAsGroup: 0 @@ -4785,7 +4820,7 @@ spec: storage: 30Gi ` -const Sha256_deploy_internal_route_mgmt_yaml = "1d462d165da5a660b85900e46a11e4d1a53e1498bf9d086b4b68afdceab08394" +const Sha256_deploy_internal_route_mgmt_yaml = "102ac697ed0c3211bb83dc7b706ffe864040ab942c93876532d209782b1643cb" const File_deploy_internal_route_mgmt_yaml = `apiVersion: route.openshift.io/v1 kind: Route @@ -4795,7 +4830,7 @@ metadata: name: noobaa-mgmt spec: port: - targetPort: mgmt-https + targetPort: mgmt-proxy tls: termination: reencrypt insecureEdgeTerminationPolicy: Redirect 
@@ -4849,6 +4884,16 @@ spec: wildcardPolicy: None ` +const Sha256_deploy_internal_secret_core_sa_token_yaml = "0250209bc91e992e120767a0ad455000554fcbb617f08edf69022141741ae4a4" + +const File_deploy_internal_secret_core_sa_token_yaml = `apiVersion: v1 +kind: Secret +metadata: + name: secret-core-sa-token + annotations: + kubernetes.io/service-account.name: "noobaa-core" +type: kubernetes.io/service-account-token` + const Sha256_deploy_internal_secret_empty_yaml = "d63aaeaf7f9c7c1421fcc138ee2f31d2461de0dec2f68120bc9cce367d4d4186" const File_deploy_internal_secret_empty_yaml = `apiVersion: v1 @@ -4881,7 +4926,7 @@ spec: name: postgres ` -const Sha256_deploy_internal_service_mgmt_yaml = "fa5f052fb360e6893fc446a318413a6f494a8610706ae7e36ff985b3b3a5c070" +const Sha256_deploy_internal_service_mgmt_yaml = "bf5cb53bd93f440fd746040b842ddb9d2f63110c1b604b1ce6b0cd8e57c8f4ff" const File_deploy_internal_service_mgmt_yaml = `apiVersion: v1 kind: Service @@ -4911,9 +4956,13 @@ spec: name: bg-https - port: 8446 name: hosted-agents-https + - name: mgmt-proxy + port: 8447 + protocol: TCP + targetPort: mgmt-proxy ` -const Sha256_deploy_internal_service_s3_yaml = "df7d8c8ee81b820678b7d8648b26c6cf86da6be00caedad052c3848db5480c37" +const Sha256_deploy_internal_service_s3_yaml = "7ab8754a89b1408fb12b6387b2185c54738944c5c88018731001bf7374c48e4e" const File_deploy_internal_service_s3_yaml = `apiVersion: v1 kind: Service @@ -4940,6 +4989,7 @@ spec: name: md-https - port: 7004 name: metrics + targetPort: endpoint-proxy ` @@ -5040,7 +5090,7 @@ spec: noobaa-s3-svc: "true" ` -const Sha256_deploy_internal_statefulset_core_yaml = "14226b25028637a7176dbdb4a6fa6e90a9e63cddd5f39cbe0c044f433b0a4764" +const Sha256_deploy_internal_statefulset_core_yaml = "bd1c369ae3b87b3f481b8b359a03bae1b6a37110ae105d18c23ae8dade12dde7" const File_deploy_internal_statefulset_core_yaml = `apiVersion: apps/v1 kind: StatefulSet 
@@ -5087,10 +5137,42 @@ spec: path: token # For testing purposes change the audience to api audience: openshift + - name: secret-mgmt-auth-proxy + secret: + defaultMode: 420 + secretName: mgmt-auth-proxy securityContext: runAsUser: 10001 runAsGroup: 0 containers: + - name: oauth-proxy + #image: quay.io/openshift/origin-oauth-proxy:4.16 + image: NOOBAA_AUTH_PROXY_IMAGE + imagePullPolicy: IfNotPresent + ports: + - name: mgmt-proxy + containerPort: 8447 + protocol: TCP + args: + - -https-address=:8447 + - -provider=openshift + - -email-domain=* + - -client-id=system:serviceaccount:noobaa:noobaa-core + - -openshift-service-account=noobaa-core + - -upstream=http://localhost:8080 + - -tls-cert=/etc/tls/private/tls.crt + - -tls-key=/etc/tls/private/tls.key + - -cookie-secret-file=/etc/proxy/secrets/session_secret + - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - -openshift-sar={"resource":"services","name":"noobaa-mgmt","namespace":"noobaa","verb":"get"} + - -openshift-delegate-urls={"/":{"resource":"services","namespace":"noobaa","verb":"get"}} + volumeMounts: + - mountPath: /etc/tls/private + name: mgmt-secret + readOnly: true + - mountPath: /etc/proxy/secrets + name: secret-mgmt-auth-proxy + readOnly: true #----------------# # CORE CONTAINER # #----------------# 
@@ -6435,6 +6517,20 @@ subjects: name: noobaa-core ` +const Sha256_deploy_role_binding_core_auth_delegator_yaml = "e5c18c4062c8cbc75f58edd4dc9220872060df6dfb127ce48d85953c2603230c" + +const File_deploy_role_binding_core_auth_delegator_yaml = `kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: core-auth-proxy-auth-delegator +subjects: + - kind: ServiceAccount + name: noobaa-core +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'system:auth-delegator'` + const Sha256_deploy_role_binding_db_yaml = "3a4872fcde50e692ae52bbd208a8e1d115c574431c25a9644a7c820ae13c7748" const File_deploy_role_binding_db_yaml = `apiVersion: rbac.authorization.k8s.io/v1 @@ -6499,7 +6595,7 @@ subjects: name: custom-metrics-prometheus-adapter ` -const Sha256_deploy_role_core_yaml = "c3cfb5b87298224fd6e4e4bff32d3948ad168a0110b8569118a260739ef5d5e7" +const Sha256_deploy_role_core_yaml = "f7dc765d2bd2996721ea9ad79f712066654213e47ea9d37dc4a78d849f4f7ada" const File_deploy_role_core_yaml = `apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -6548,7 +6644,16 @@ rules: - securitycontextconstraints verbs: - use -` +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - create + - update + - list + - watch` const Sha256_deploy_role_db_yaml = "bc7eeca1125dfcdb491ab8eb69e3dcbce9f004a467b88489f85678b3c6872cce" 
@@ -6797,13 +6902,14 @@ metadata: serviceaccounts.openshift.io/oauth-redirectreference.noobaa-mgmt: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"noobaa-mgmt"}}' ` -const Sha256_deploy_service_account_core_yaml = "7e8f1d49bdba0969a33e8acc676cc5e2d50af9f4c94112b6de07548f3f704c24" +const Sha256_deploy_service_account_core_yaml = "fb7c5eebfa0a0a7447e20c97ed10a6ef7861e02b213f262be9d0c775f9552915" const File_deploy_service_account_core_yaml = `apiVersion: v1 kind: ServiceAccount metadata: name: noobaa-core - + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.noobaa-core: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"noobaa-mgmt"}}' ` const Sha256_deploy_service_account_db_yaml = "fcbccd7518ee5a426b071a3acc85d22142e27c5628b61ce4292cc393d2ecac31" @@ -6814,12 +6920,14 @@ metadata: name: noobaa-db ` -const Sha256_deploy_service_account_endpoint_yaml = "c2331e027114658e48a2bd1139b00cce06dfd834aa682eae923de54874a6baed" +const Sha256_deploy_service_account_endpoint_yaml = "74f0557416e82cead0add0041d946f6511e32674374bcdca57bf0e7dd71494f5" const File_deploy_service_account_endpoint_yaml = `apiVersion: v1 kind: ServiceAccount metadata: name: noobaa-endpoint + annotations: + serviceaccounts.openshift.io/oauth-redirecturi.endpoint: "//:7004" ` const Sha256_deploy_service_account_ui_yaml = "d6cb0e92fdb350148399e1ac42bfa640e254bdbb295c9a15dc9edfd4335e73f6" diff --git a/pkg/olm/olm.go b/pkg/olm/olm.go index 05825f423..fc2d9fd03 100644 --- a/pkg/olm/olm.go +++ b/pkg/olm/olm.go @@ -333,6 +333,10 @@ func GenerateCSV(opConf *operator.Conf, csvParams *generateCSVParams) *operv1.Cl Name: "NOOBAA_PSQL_12_IMAGE", Value: options.Psql12Image, }, + corev1.EnvVar{ + Name: "NOOBAA_AUTH_PROXY_IMAGE", + Value: options.AuthProxyImage, + }, corev1.EnvVar{ Name: "ENABLE_NOOBAA_ADMISSION", Value: "true", diff --git a/pkg/options/options.go b/pkg/options/options.go index 3761647e2..c44846409 100644 
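Review bot: The CSV env var added here is `NOOBAA_AUTH_PROXY_IMAGE`, but `GetDesiredAuthProxyImage` in system.go reads `AUTH_PROXY_IMAGE`, so the value set through OLM never reaches the proxy container unless options.go maps one name onto the other somewhere outside this diff. Pick one name for both sides; the sibling `NOOBAA_PSQL_12_IMAGE` entry suggests keeping `NOOBAA_AUTH_PROXY_IMAGE` here and reading `os.Getenv("NOOBAA_AUTH_PROXY_IMAGE")` in system.go. `GenerateCSV` starts and ends outside the hunk.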
--- a/pkg/options/options.go +++ b/pkg/options/options.go @@ -81,6 +81,10 @@ var PostgresMajorVersion = 16 // PostgresInstances is the default number of postgres instances in a managed postgres cluster var PostgresInstances = 2 +// AuthProxyImage is the default oauth-proxy url +// it can be overridden for testing or different registry locations. +var AuthProxyImage = "quay.io/openshift/origin-oauth-proxy:4.16" + // Psql12Image is the default postgres12 db image url // currently it can not be overridden. var Psql12Image = "centos/postgresql-12-centos7" @@ -245,6 +249,10 @@ func init() { &DBImage, "db-image", DBImage, "The database container image", ) + FlagSet.StringVar( + &AuthProxyImage, "auth-proxy-image", + AuthProxyImage, "The auth-proxy constainer image", + ) FlagSet.StringVar( &Psql12Image, "psql-12-image", Psql12Image, "The database old container image", diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go index dc1b8a3ff..ddd791078 100644 --- a/pkg/system/phase2_creating.go +++ b/pkg/system/phase2_creating.go @@ -175,6 +175,12 @@ func (r *Reconciler) ReconcilePhaseCreatingForMainClusters() error { return err } + //Management Auth Proxy changes - start + /*if err := r.ReconcileMgmtAuthProxy(); err != nil { + logrus.Infof("ReconcileMgmtAuthProxySecret @@@@@@@@@@@@ %s", err) + return err + }*/ + if err := r.ReconcileObject(r.CoreApp, r.SetDesiredCoreApp); err != nil { return err } 
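Review bot: The flag help string reads `"The auth-proxy constainer image"`; it should be `"The auth-proxy container image"`, matching the wording of `db-image` directly above it. The variable's doc comment also calls the value a "url" — it is an image reference, as the neighbouring `Psql12Image` comment says.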
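Review bot: The call to `r.ReconcileMgmtAuthProxy()` is committed inside a `/* */` block together with a `@@@@@@@@@@@@` debug log, so the `mgmt-auth-proxy` Secret, the auth-delegator ClusterRoleBinding and the SA token Secret are never reconciled, while the core StatefulSet and the management Route in this same commit already depend on them. Either enable the call (without the debug log) or keep the manifests unchanged until it is; if a note is needed, use `//` line comments rather than a block comment around live code. `ReconcilePhaseCreatingForMainClusters` starts and ends outside the hunk.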
@@ -189,6 +195,39 @@ func (r *Reconciler) ReconcilePhaseCreatingForMainClusters() error { return nil } +// ReconcileMgmtAuthProxySecret set auth related info in secret +func (r *Reconciler) ReconcileMgmtAuthProxy() error { + logrus.Infof("ReconcileMgmtAuthProxySecret %s", r.SecretMgmtAuthProxy.Name) + if err := r.ReconcileObject(r.SecretMgmtAuthProxy, r.SetDesiredSecretMgmtAuthProxy); err != nil { + logrus.Infof("SetDesiredSecretMgmtAuthProxy %s", err) + return err + } + + if err := r.ReconcileObject(r.CoreAuthRoleBinding, r.SetDesiredCoreAuthClusterRoleBinding); err != nil { + logrus.Infof("SetDesiredCoreAuthClusterRoleBinding %s", err) + return err + } + + if err := r.ReconcileObject(r.SecreCoreSAToken, nil); err != nil { + logrus.Infof("SecreCoreSAToken %s", err) + return err + } + return nil +} + +// ReconcileCoreAuthClusterRoleBinding set core auth delegator rolebinding +func (r *Reconciler) SetDesiredCoreAuthClusterRoleBinding() error { + r.Logger.Info("ReconcileCoreAuthClusterRoleBinding") + r.CoreAuthRoleBinding.Subjects[0].Namespace = options.Namespace + return nil +} + +// SetDesiredSecretMgmtAuthProxy set auth related info in admin secret +func (r *Reconciler) SetDesiredSecretMgmtAuthProxy() error { + r.SecretMgmtAuthProxy.StringData["session_secret"] = util.RandomBase64(40) + return nil +} + // SetDesiredServiceAccount updates the ServiceAccount as desired for reconciling func (r *Reconciler) SetDesiredServiceAccount() error { if r.ServiceAccount.Annotations == nil { 
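Review bot: `SetDesiredSecretMgmtAuthProxy` assigns a fresh `util.RandomBase64(40)` to `session_secret` unconditionally, and `ReconcileObject` runs the desired function on every reconcile, so the oauth-proxy cookie secret is rotated each pass and every signed-in management session is invalidated (assuming `ReconcileObject` updates an existing object, as its other uses here imply). Generate it only when absent, e.g. `if len(r.SecretMgmtAuthProxy.Data["session_secret"]) == 0 && r.SecretMgmtAuthProxy.StringData["session_secret"] == "" { ... }`, and guard against a nil `StringData` map before indexing it, since the existing-state read may not populate it. The error paths log at Info level via `logrus.Infof` and then return the same error, so each failure is reported twice; drop the logs or use `r.Logger` consistently. The doc comments do not start with the function names (`ReconcileMgmtAuthProxySecret` vs `ReconcileMgmtAuthProxy`, `ReconcileCoreAuthClusterRoleBinding` vs `SetDesiredCoreAuthClusterRoleBinding`), which golint flags.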
@@ -647,6 +686,21 @@ func (r *Reconciler) SetDesiredCoreApp() error { }} util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts) } + case "oauth-proxy": + c.Image = GetDesiredAuthProxyImage(r.NooBaa) + var reqCPU, reqMem resource.Quantity + reqCPU, _ = resource.ParseQuantity("100m") + reqMem, _ = resource.ParseQuantity("256Mi") + + logResourceList := corev1.ResourceList{ + corev1.ResourceCPU: reqCPU, + corev1.ResourceMemory: reqMem, + } + c.Resources = corev1.ResourceRequirements{ + Requests: logResourceList, + Limits: logResourceList, + } + } } if r.NooBaa.Spec.ImagePullSecret == nil { diff --git a/pkg/system/reconciler.go b/pkg/system/reconciler.go index 852a57f5e..1ccf2112c 100644 --- a/pkg/system/reconciler.go +++ b/pkg/system/reconciler.go @@ -29,6 +29,7 @@ import ( appsv1 "k8s.io/api/apps/v1" autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" storagev1 "k8s.io/api/storage/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -126,6 +127,10 @@ type Reconciler struct { ExternalPgSSLSecret *corev1.Secret BucketNotificationsPVC *corev1.PersistentVolumeClaim + CoreAuthRoleBinding *rbacv1.ClusterRoleBinding + SecretMgmtAuthProxy *corev1.Secret + SecreCoreSAToken *corev1.Secret + // CNPG resources CNPGImageCatalog *cnpgv1.ImageCatalog CNPGCluster *cnpgv1.Cluster 
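Review bot: `resource.ParseQuantity("100m")` and `resource.ParseQuantity("256Mi")` have their error results discarded with `_`; for compile-time constants the idiom is `resource.MustParse("100m")`, which panics on a malformed literal instead of silently using a zero Quantity as the sidecar's request and limit. The list is also named `logResourceList`, apparently copied from another container case; `proxyResources` would say what it is. Setting `Limits` equal to `Requests` is fine but deserves a why-comment, e.g. `// Guaranteed QoS for the auth-proxy sidecar: requests == limits`. The enclosing `switch` and `SetDesiredCoreApp` continue outside the hunk.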
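Review bot: The new field is spelled `SecreCoreSAToken` (missing the `t`), and the typo is already propagated to `NewReconciler` and `ReconcileMgmtAuthProxy`; rename it to `SecretCoreSAToken` before more code depends on it. The three fields also carry no comment saying what they are for, unlike `// CNPG resources` directly below; a line such as `// Management OAuth proxy resources` would do.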
@@ -192,6 +197,10 @@ func NewReconciler( KedaScaled: util.KubeObject(bundle.File_deploy_internal_hpa_keda_scaled_object_yaml).(*kedav1alpha1.ScaledObject), AdapterHPA: util.KubeObject(bundle.File_deploy_internal_hpav2_autoscaling_yaml).(*autoscalingv2.HorizontalPodAutoscaler), + CoreAuthRoleBinding: util.KubeObject(bundle.File_deploy_role_binding_core_auth_delegator_yaml).(*rbacv1.ClusterRoleBinding), + SecretMgmtAuthProxy: util.KubeObject(bundle.File_deploy_internal_secret_empty_yaml).(*corev1.Secret), + SecreCoreSAToken: util.KubeObject(bundle.File_deploy_internal_secret_core_sa_token_yaml).(*corev1.Secret), + CNPGImageCatalog: cnpg.GetCnpgImageCatalogObj(req.Namespace, req.Name+pgImageCatalogSuffix), CNPGCluster: cnpg.GetCnpgClusterObj(req.Namespace, req.Name+pgClusterSuffix), } @@ -243,6 +252,10 @@ func NewReconciler( r.BucketLoggingPVC.Namespace = r.Request.Namespace r.BucketNotificationsPVC.Namespace = r.Request.Namespace + //r.CoreAuthRoleBinding.Namespace = r.Request.Namespace + r.SecretMgmtAuthProxy.Namespace = r.Request.Namespace + r.SecreCoreSAToken.Namespace = r.Request.Namespace + // Set Names r.NooBaa.Name = r.Request.Name r.ServiceAccount.Name = r.Request.Name @@ -287,6 +300,7 @@ func NewReconciler( r.AdapterHPA.Name = r.Request.Name + "-hpav2" r.BucketLoggingPVC.Name = r.Request.Name + "-bucket-logging-pvc" r.BucketNotificationsPVC.Name = r.Request.Name + "-bucket-notifications-pvc" + r.SecretMgmtAuthProxy.Name = "mgmt-auth-proxy" // Set the target service for routes. r.RouteMgmt.Spec.To.Name = r.ServiceMgmt.Name diff --git a/pkg/system/system.go b/pkg/system/system.go index 94fc7da5f..ab7db488a 100644 --- a/pkg/system/system.go +++ b/pkg/system/system.go 
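Review bot: `r.SecretMgmtAuthProxy.Name = "mgmt-auth-proxy"` is a fixed name while every neighbouring object is named from `r.Request.Name` (e.g. `r.Request.Name + "-bucket-logging-pvc"`), and `r.SecreCoreSAToken` keeps the bundle's fixed `secret-core-sa-token` name with no assignment at all; if more than one NooBaa per namespace is ever supported they would share these secrets. The fixed names are forced by the StatefulSet manifest's `secretName: mgmt-auth-proxy`, so if they stay, a comment should say so and the volume should be rewritten in `SetDesiredCoreApp` whenever the name is derived from the request. The commented `//r.CoreAuthRoleBinding.Namespace = r.Request.Namespace` line should be removed — a ClusterRoleBinding has no namespace, which is worth a one-line comment next to the subject-namespace assignment instead. `NewReconciler` starts and ends outside the hunk.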
@@ -1304,3 +1304,17 @@ func SetAllowNoobaaDeletion(noobaa *nbv1.NooBaa) error {
 }
 return nil
 }
+
+// GetDesiredAuthProxyImage returns the desired auth-proxy image according to spec or env or default (in options)
+func GetDesiredAuthProxyImage(sys *nbv1.NooBaa) string {
+
+ if sys.Spec.AuthProxyImage != nil {
+ return *sys.Spec.AuthProxyImage
+ }
+
+ if os.Getenv("AUTH_PROXY_IMAGE") != "" {
+ return os.Getenv("AUTH_PROXY_IMAGE")
+ }
+
+ return options.AuthProxyImage
+}
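Review bot: `os.Getenv("AUTH_PROXY_IMAGE")` is evaluated twice; the usual shape is `if img := os.Getenv("AUTH_PROXY_IMAGE"); img != "" { return img }`, which also removes the blank line after the signature. The doc comment should spell out the precedence rather than "spec or env or default": `// GetDesiredAuthProxyImage returns the auth-proxy image: Spec.AuthProxyImage if set, else the AUTH_PROXY_IMAGE env var, else options.AuthProxyImage.`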