Skip to content

Commit

Permalink
Merge pull request red-hat-storage#2366 from rchikatw/onboarding
Browse files Browse the repository at this point in the history
added changes to oauth proxy config
  • Loading branch information
openshift-merge-bot[bot] authored Jan 4, 2024
2 parents fba0390 + aeb89dd commit 63ee4f1
Show file tree
Hide file tree
Showing 10 changed files with 89 additions and 19 deletions.
3 changes: 3 additions & 0 deletions config/rbac/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ resources:
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
- oauth_proxy_role.yaml
- oauth_proxy_role_binding.yaml
- ux_backend_sa.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
Expand Down
13 changes: 13 additions & 0 deletions config/rbac/oauth_proxy_role.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: oauth-proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]
12 changes: 12 additions & 0 deletions config/rbac/oauth_proxy_role_binding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oauth-proxy-role-binding
subjects:
- kind: ServiceAccount
name: ux-backend-server
namespace: openshift-storage
roleRef:
kind: ClusterRole
name: oauth-proxy-role
apiGroup: rbac.authorization.k8s.io
File renamed without changes.
14 changes: 14 additions & 0 deletions deploy/csv-templates/ocs-operator.csv.yaml.in
Original file line number Diff line number Diff line change
Expand Up @@ -515,6 +515,20 @@ spec:
verbs:
- '*'
serviceAccountName: ocs-operator
- rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
serviceAccountName: ux-backend-server
deployments:
- name: ocs-operator
spec:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2280,6 +2280,20 @@ spec:
verbs:
- '*'
serviceAccountName: ocs-operator
- rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
serviceAccountName: ux-backend-server
- rules:
- apiGroups:
- ""
Expand Down Expand Up @@ -3079,8 +3093,6 @@ spec:
value: quay.io/ocs-dev/ocs-operator:latest
- name: ONBOARDING_SECRET_GENERATOR_IMAGE
value: quay.io/ocs-dev/ocs-operator:latest
- name: UX_BACKEND_SERVER_IMAGE
value: quay.io/ocs-dev/ocs-operator:latest
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
Expand Down Expand Up @@ -3277,6 +3289,7 @@ spec:
env:
- name: ONBOARDING_TOKEN_LIFETIME
- name: UX_BACKEND_PORT
- name: TLS_ENABLED
image: quay.io/ocs-dev/ocs-operator:latest
imagePullPolicy: IfNotPresent
name: ux-backend-server
Expand All @@ -3293,11 +3306,12 @@ spec:
- -https-address=:8888
- -http-address=
- -email-domain=*
- -upstream=https://localhost:8080/onboarding-tokens
- -upstream=http://localhost:8080/
- -tls-cert=/etc/tls/private/tls.crt
- -tls-key=/etc/tls/private/tls.key
- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -openshift-service-account=ux-backend-server
- -openshift-delegate-urls={"/":{"resource":"StorageCluster","namespace":"openshift-storage","verb":"create"}}
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
image: quay.io/openshift/origin-oauth-proxy:latest
imagePullPolicy: IfNotPresent
Expand Down
2 changes: 1 addition & 1 deletion hack/source-manifests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ function gen_ocs_csv() {
pushd config/manager
$KUSTOMIZE edit set image ocs-dev/ocs-operator="$OCS_IMAGE"
popd
$KUSTOMIZE build config/manifests/ocs-operator | $OPERATOR_SDK generate bundle -q --overwrite=false --output-dir deploy/ocs-operator --kustomize-dir config/manifests/ocs-operator --package ocs-operator --version "$CSV_VERSION"
$KUSTOMIZE build config/manifests/ocs-operator | $OPERATOR_SDK generate bundle -q --overwrite=false --output-dir deploy/ocs-operator --kustomize-dir config/manifests/ocs-operator --package ocs-operator --version "$CSV_VERSION" --extra-service-accounts=ux-backend-server
mv deploy/ocs-operator/manifests/*clusterserviceversion.yaml $OCS_CSV
cp config/crd/bases/* $ocs_crds_outdir
}
Expand Down
4 changes: 0 additions & 4 deletions rbac/ux_backend_sa.yaml

This file was deleted.

29 changes: 23 additions & 6 deletions services/ux-backend/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import (
type serverConfig struct {
listenPort int
tokenLifetimeInHours int
tlsEnabled bool
}

func loadAndValidateServerConfig() (*serverConfig, error) {
Expand All @@ -41,6 +42,15 @@ func loadAndValidateServerConfig() (*serverConfig, error) {
return nil, fmt.Errorf("malformed user-defined listening port %s, %v", listenPortAsString, err)
}

defaultTLSEnabled := false
tlsEnabledAsString := os.Getenv("TLS_ENABLED")
if tlsEnabledAsString == "" {
klog.Infof("No user-defined TLS enabled value provided, defaulting to %t ", defaultTLSEnabled)
config.tlsEnabled = defaultTLSEnabled
} else if config.tlsEnabled, err = strconv.ParseBool(tlsEnabledAsString); err != nil {
return nil, fmt.Errorf("malformed user-defined TLS Enabled value %s, %v", tlsEnabledAsString, err)
}

return &config, nil
}

Expand All @@ -60,11 +70,18 @@ func main() {

klog.Info("ux backend server listening on port ", config.listenPort)

log.Fatal(http.ListenAndServeTLS(
fmt.Sprintf("%s%d", ":", config.listenPort),
"/etc/tls/private/tls.crt",
"/etc/tls/private/tls.key",
nil,
))
addr := fmt.Sprintf("%s%d", ":", config.listenPort)
if config.tlsEnabled {
klog.Info("Server configured to run with TLS")
err = http.ListenAndServeTLS(addr,
"/etc/tls/private/tls.crt",
"/etc/tls/private/tls.key",
nil,
)
} else {
klog.Info("Server configured to run without TLS")
err = http.ListenAndServe(addr, nil)
}
log.Fatal(err)

}
11 changes: 6 additions & 5 deletions tools/csv-merger/csv-merger.go
Original file line number Diff line number Diff line change
Expand Up @@ -162,10 +162,6 @@ func unmarshalCSV(filePath string) *csvv1.ClusterServiceVersion {
Name: "ONBOARDING_SECRET_GENERATOR_IMAGE",
Value: *ocsContainerImage,
},
{
Name: "UX_BACKEND_SERVER_IMAGE",
Value: *ocsContainerImage,
},
{
Name: util.OperatorNamespaceEnvVar,
ValueFrom: &corev1.EnvVarSource{
Expand Down Expand Up @@ -980,6 +976,10 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
Name: "UX_BACKEND_PORT",
Value: os.Getenv("UX_BACKEND_PORT"),
},
{
Name: "TLS_ENABLED",
Value: os.Getenv("TLS_ENABLED"),
},
},
},
{
Expand All @@ -999,11 +999,12 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
Args: []string{"-provider=openshift",
"-https-address=:8888",
"-http-address=", "-email-domain=*",
"-upstream=https://localhost:8080/onboarding-tokens",
"-upstream=http://localhost:8080/",
"-tls-cert=/etc/tls/private/tls.crt",
"-tls-key=/etc/tls/private/tls.key",
"-cookie-secret-file=/etc/proxy/secrets/session_secret",
"-openshift-service-account=ux-backend-server",
`-openshift-delegate-urls={"/":{"resource":"StorageCluster","namespace":"openshift-storage","verb":"create"}}`,
"-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"},
Ports: []corev1.ContainerPort{
{
Expand Down

0 comments on commit 63ee4f1

Please sign in to comment.