Add RBAC auth and CA controller to Theia manager #113
LGTM
Overall LGTM. Just some nits.
```go
klog.Infof("Starting CACertController")
defer klog.Infof("Shutting down CACertController")
```
Use `klog.InfoS` instead of `klog.Infof`? Same suggestion for the other logs.
Done. Fixed other occurrences as well.
/theia-test-e2e
This change adds k8s auth delegation to Theia manager, and adds a template of CLI service account / cluster role to allow access for specified API groups and resources. A SA token secret is also added that can be used for the CLI to auth with Theia manager. Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
This change adds certificate controller to Theia manager. The public key of API server TLS in case of self-signed, or CA cert in case of user provided TLS, will be exposed to clients via configmap "theia-ca" in flow-visibility namespace. This will allow cURL or client requests to be made in "secure" fashion if the ca cert is added to trust chain. The configmap will be updated when user provided TLS bundle is changed, or the self-signed cert is rotated upon expiration. Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
/theia-test-e2e
LGTM
This PR aims to enable Theia manager API server access in a secured and authenticated fashion, which brings in the following changes:
- `token` from `theia-cli-account-token` should be set as `Authorization: Bearer` in the HTTP header when making requests.
- Configmap `theia-ca`: when adding the `ca.crt` in the configmap to the trust chain, HTTPS requests can be made in "secure" fashion.

To test these out, after Theia manager from this branch is deployed and running:
```shell
TOKEN=$(kubectl get secret theia-cli-account-token -n flow-visibility -o json | jq -Mr '.data.token' | base64 -d)
kubectl get cm theia-ca -n flow-visibility -o jsonpath='{.data.ca\.crt}' > ca-cert.pem
curl -vvv --cacert ca-cert.pem https://theia-manager.flow-visibility.svc:11347/apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations/pr-test --header "Authorization: Bearer $TOKEN" --resolve theia-manager.flow-visibility.svc:11347:<ClusterIPServiceAddr>
curl -vvv --cacert ca-cert.pem https://localhost:<LocalForwardPort>/apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations/pr-test --header "Authorization: Bearer $TOKEN"
```