feat(reports): add auth proxy protecting report generators #206

Merged: 18 commits into cryostatio:main from the reports-auth branch, Nov 22, 2024

Conversation

andrewazores
Member

@andrewazores andrewazores commented Oct 31, 2024

Fixes #204
Fixes #207

  1. Adds an auth proxy container to each report replica Pod. This is oauth2-proxy normally, or else openshift-oauth-proxy if OpenShift authentication is enabled.
  2. Regardless of which proxy container is deployed, it is configured to only use Basic auth
  3. A Secret containing a randomly generated access key and a corresponding htpasswd file is created. The htpasswd file is loaded by the auth proxy to set up its Basic auth. The access key is referenced by Cryostat so that it can be used for Basic authentication on Cryostat's internal REST client which it uses to send requests to the report generator service.
  4. If the proxy is an openshift-oauth-proxy, then the automatic OpenShift TLS configuration is picked up and the Service points at the proxy's HTTPS port. Cryostat is configured to trust all certificates and not verify hostnames in this case (see [Epic] TLS configuration enhancements #168). If the proxy is oauth2-proxy then the communications are done over unencrypted HTTP.

The end result should be that, if a report generator deployment is created (--set reports.replicas=n, where n>0), then requests sent to these Pods or the Service in front of them will require the client to pass an HTTP Basic authentication check. This check uses a hardcoded username, but a generated secret for a password. This helps prevent abuse of the report generator by other cluster workloads asking the report generator to process JFR files when they are not part of the Cryostat deployment.

To test:

  1. Install the Helm chart as usual, but with --set reports.replicas=1 to configure a report generator deployment.
  2. Visit the Cryostat UI, create a sample application or define the localhost:0 custom target, and request an automated analysis report.
  3. Verify that the report is generated successfully
  4. Inspect the Pod logs and verify that the report generator Pod serviced the request
  5. Launch a shell within the cluster (via the OpenShift UI, or kubectl exec on, e.g., the Cryostat container) and do curl -vk http://cryostat-reports.mynamespace.svc:10001/report. Change the scheme to https if deployed with OpenShift authentication enabled. This should result in an HTTP 403.
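
The Secret from item 3 of the description, as an added Helm template example that is not part of the cryostat Helm chart or of this PR; the Secret name, the data keys and the username "cryostat" are assumed placeholders, and the chart's own naming may differ.

```yaml
{{- /*
Added example, not the chart's own template. Renders the Basic-auth Secret
from item 3: a random access key plus an htpasswd entry derived from it.
Assumed placeholders: Secret name, data keys, and the username "cryostat".
*/ -}}
{{- $secretName := printf "%s-reports-auth" .Release.Name }}
{{- /* On upgrade, reuse the key already in the cluster so Cryostat and the
       proxy never disagree. lookup returns an empty map on a fresh install
       (and under helm template / --dry-run), which then mints a new key. */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $accessKey := "" }}
{{- if $existing }}
{{- $accessKey = index $existing.data "ACCESS_KEY" | b64dec }}
{{- else }}
{{- $accessKey = randAlphaNum 32 }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  labels:
    app.kubernetes.io/name: cryostat-reports
type: Opaque
stringData:
  # Referenced by Cryostat as the Basic-auth password for its reports client
  ACCESS_KEY: {{ $accessKey | quote }}
  # Sprig's htpasswd emits "user:$2a$..." (bcrypt). The proxy loads this file
  # through its htpasswd option, so a fresh salt on each re-render is harmless
  # as long as the password above stays the same.
  htpasswd: {{ htpasswd "cryostat" $accessKey | quote }}
```

Because the password is reused from the existing Secret, a helm upgrade rewrites only the bcrypt salt, and the proxy and Cryostat keep matching credentials.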

@andrewazores andrewazores added feat New feature or request safe-to-test labels Oct 31, 2024
@andrewazores andrewazores marked this pull request as ready for review October 31, 2024 16:24
@andrewazores andrewazores requested review from a team October 31, 2024 16:25
Member

@ebaron ebaron left a comment


Looks good, just a small thing I noticed

Two review comments on charts/cryostat/templates/_reports_authproxy.tpl (outdated, resolved)
@andrewazores andrewazores merged commit b91e9bd into cryostatio:main Nov 22, 2024
7 checks passed
@andrewazores andrewazores deleted the reports-auth branch November 22, 2024 18:11