Add support for enhanced security

[bipuladh]

Changes

• Adds a auth header check for bearer tokens on the Sidecar Pods
• Generates self signed certs on the sidecar pods for SSL security.
• Adds a bearer token to the request headers on the manager.(Taken from corresponding SA)
• Introduces a new arg in both manager and sidecar named enable-auth(disabled by default. If enabled it will start checking for auth headers in Request objects and enables TLS for grpc connections.

Requirements for the above features to work correctly:

• TokenReview create and get access for all sidecar containers

.

Images for testing:

• Sidecar: quay.io/badhikar/k8s-sidecar:rc-5
• Controller: quay.io/badhikar/k8s-controller:rc-5

Test logs

2024-11-11T18:12:00.948Z INFO Successfully connected to sidecar {"controller": "csiaddonsnode", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "CSIAddonsNode", "CSIAddonsNode": {"name":"csi-rbdplugin-gbr85","namespace":"openshift-storage"}, "namespace": "openshift-storage", "name": "csi-rbdplugin-gbr85", "reconcileID": "964eea1e-324b-4957-984d-2611972645ed", "NodeID": "ip-10-0-50-177.us-east-2.compute.internal", "DriverName": "openshift-storage.rbd.csi.ceph.com", "EndPoint": "10.0.50.177:9070"}

[nixpanic]

left a few minor comments for improving, looks pretty good to me already. Thanks!

[bipuladh]

@nixpanic should we disable it by default for easy opt-in for users?

[nixpanic]

@nixpanic should we disable it by default for easy opt-in for users?

If it works on current Kubernetes installations by default, it can be enabled by default IMHO. You may want to add a note in https://github.com/csi-addons/kubernetes-csi-addons/blob/main/docs/deploy-controller.md on the requirements of Kubernetes services, and how to disable it in case those services are unavailable.

[bipuladh]

@Madhu-1 my PR fails until I revert code introduced at https://github.com/csi-addons/kubernetes-csi-addons/pull/695/files#diff-03e0410a78ce106bc8ee10f594661c87995994955bfb6b07972d8fde2ec8a555R125-R146
Could you PTAL?

[Madhu-1]

@Madhu-1 my PR fails until I revert code introduced at https://github.com/csi-addons/kubernetes-csi-addons/pull/695/files#diff-03e0410a78ce106bc8ee10f594661c87995994955bfb6b07972d8fde2ec8a555R125-R146 Could you PTAL?

@bipuladh please use latest yamls from master branch in Rook

[Madhu-1]

Please add a documentation about this feature and as its enabled by default i assume upgraded works as it is (in kubernetes)

[Madhu-1]

dont we need to set it to true?

[bipuladh]

By default setting it to false but making it configurable by users from args

[bipuladh]

After having discussions we need the ability to configure this to support certificates. We currently resolve the IP address and use that instead of host name. This causes certificate mismatch.

[Madhu-1]

i think you can use status.Error instead of status.Errorf

[Madhu-1]

return the err message as well for better debugging

[Madhu-1]

make use of readfile function which is doing the same thing?

[bipuladh]

ioutil readFile is deprecated.

[Madhu-1]

i meant readFile we have below in this file

[Madhu-1]

if tls is not enabled why we need to have add UnaryInterceptor here?

[bipuladh]

I think this is something we need to decide. Should we disable auth token verification if TLS is disabled?

[bipuladh]

Removing Interceptor when TLS not used.

[iPraveenParihar]

Shouldn't it be set to false?

[bipuladh]

By default setting it to false but making it configurable by users from args

[iPraveenParihar]

Suggested change

	func removeBearer(authHeader string) string {
	func extractToken(authHeader string) string {

since the function just extracts the token, this naming is more suitable?

[bipuladh]

Please add a documentation about this feature and as its enabled by default i assume upgraded works as it is (in kubernetes)

@Madhu-1 @nixpanic for a smoother upgrade experience, should we disable by default? As mentioned in the PR description the sidecar deployer will have to create a certificate and mount it if not done the sidecar would go to CLBO. I can add this setup procedure on the readme files for reference.
I was thinking in the absence of certs we could automatically disable TLS but this could end up becoming a debugging nightmare. Perhaps logging could help, not sure.

[nixpanic]

@Madhu-1 @nixpanic for a smoother upgrade experience, should we disable by default? As mentioned in the PR description the sidecar deployer will have to create a certificate and mount it if not done the sidecar would go to CLBO. I can add this setup procedure on the readme files for reference. I was thinking in the absence of certs we could automatically disable TLS but this could end up becoming a debugging nightmare. Perhaps logging could help, not sure.

Yes, users should not need to do anything extra for upgrading. If there are manual steps to configure certificates, disable the feature by default.

[nixpanic]

Looks good to me. Please squash all the commits together so that the Mergify automation can merge it when all approvals are in.

[nixpanic]

this is where status.Errorf() can be used so that fmt.Sprintf() is not needed.

[Madhu-1]

Can you please address this as well?

[iPraveenParihar]

Suggested change

	flag.BoolVar(&skipInsecureVerify, "insecure-skip-tls-verify", false, "skip the certificate check")
	flag.BoolVar(&skipInsecureVerify, "insecure-skip-tls-verify", false, "skip server certificate verification")

[Madhu-1]

Please add/update the documentation on how to enable this functionality

[Madhu-1]

need to update the comment as its disabled by default

[Madhu-1]

Do we need to move this inside the if check when TLS is enabled?

[Madhu-1]

Suggested change

	return nil, (fmt.Errorf("failed to get server cert %w", caError))
	return nil, fmt.Errorf("failed to get server cert %w", caError)

[Madhu-1]

i meant readFile we have below in this file

[Madhu-1]

If the goal is to just to parse, we can remove the if check and trim it

func parseToken(authHeader string) string {
	return strings.TrimPrefix(authHeader, bearerPrefix)
}

[Madhu-1]

Dont we need RBAC for this one? am not sure we have this RBAC already

[bipuladh]

Yes we require. Whoever deploys the sidecar should be responsible to have this.

[Madhu-1]

"/etc/tls/tls.crt", "/etc/tls/tls.key" Are we going to have these two files in all the pods in same location when TLS is enabled?

[nixpanic]

Ideally yes. But I guess we can make it configurable later on if that is preferred.

[bipuladh]

adding these as parameters

[Madhu-1]

Suggested change

	klog.Fatalf("Could not find TLS file: %v", err)
	klog.Fatalf("failed to load TLS certificate and key: %v", err)

[bipuladh]

@bipuladh i tested this PR on the existing cluster without enabling TLS. its not working, can you please ensure that the functionality works with/without TLS?

Tested with the newly updated code. Working fine now.
Regarding host networking I think instead of relying on Pod IP we might have to create a service on front of it (the operators that deploy sidecar) so that we can have a DNS mapping. These service names can be put by the operator that deploys on the Pods in their annotations. We can then get the Service DNS key by querying it. This way we could update the code for TLS part to look into that and document it. WDYT?

[bipuladh]

/hold
ceph/ceph-csi-operator#173
Waiting on the decision of using Service over IP.
And also how the name of the service is to be communicated to the Server.

[nixpanic]

/hold ceph/ceph-csi-operator#173 Waiting on the decision of using Service over IP. And also how the name of the service is to be communicated to the Server.

Hi @bipuladh , is this still blocking the PR?

[nixpanic]

Aaah! A there is a conflict now 😭

[bipuladh]

/hold ceph/ceph-csi-operator#173 Waiting on the decision of using Service over IP. And also how the name of the service is to be communicated to the Server.

Hi @bipuladh , is this still blocking the PR?

Not anymore.

[bipuladh]

@nixpanic @Madhu-1 tested with both enabled and disabled mode. Works fine.

[nixpanic]

LGTM, many thanks!

Pull request has been modified.

Pull request has been modified.

[Rakshith-R]

one small nit,
rest looks good to me.

[Rakshith-R]

Suggested change

	authCtx := metadata.AppendToOutgoingContext(ctx, authorizationKey, "Bearer "+token)
	authCtx := metadata.AppendToOutgoingContext(ctx, authorizationKey, bearerPrefix +token)