Add RBAC auth and CA controller to Theia manager #113
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yuntanghsu
reviewed
Sep 21, 2022
yanjunz97
reviewed
Sep 28, 2022
Comment on lines
169
to
170
| klog.Infof("Starting CACertController") | ||
| defer klog.Infof("Shutting down CACertController") |
There was a problem hiding this comment.
Use klog.InfoS instead of klog.Infof? Same suggestion for the other logs.
There was a problem hiding this comment.
done. fixed other occurrences as well.
|
/theia-test-e2e |
This change adds k8s auth delegation to theia manager, and adds template of cli service account / cluster role to allow access for specified API groups and resources. A SA toekn secret is also added that can be used for CLI to auth with Theia manager. Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
This change adds certificate controller to Theia manager. The public key of API server TLS in case of self-signed, or CA cert in case of user provided TLS, will be exposed to clients via configmap "theia-ca" in flow-visibility namespace. This will allow cURL or client requests to be made in "secure" fashion if the ca cert is added to trust chain. The configmap will be updated when user provided TLS bundle is changed, or the self-signed cert is rotated upon expiration. Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
|
/theia-test-e2e |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR aims to enable Theia manager API server access in a secured and authenticated fashion, which brings in the following changes:
tokenfromtheia-cli-account-tokenshould be set asAuthorization: Bearerin HTTP header when making requests.theia-ca. When adding theca.crtin the configmap to trust chain, HTTPs requests can be made in "secure" fashion.To test these out, after Theia manager from this branch is deployed and running:
TOKEN=$(kubectl get secret theia-cli-account-token -n flow-visibility -o json | jq -Mr '.data.token' | base64 -d)kubectl get cm theia-ca -n flow-visibility -o jsonpath='{.data.ca\.crt}' > ca-cert.pemcurl -vvv --cacert ca-cert.pem https://theia-manager.flow-visibility.svc:11347/apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations/pr-test --header "Authorization: Bearer $TOKEN" --resolve theia-manager.flow-visibility.svc:11347:<ClusterIPServiceAddr>curl -vvv --cacert cert.pem https://localhost:<LocalForwardPort>/apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations/pr-test --header "Authorization: Bearer $TOKEN"