Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[feature-725]: Remove tenant service ingress #552

Merged
merged 8 commits into from
Apr 5, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 29 additions & 25 deletions content/docs/authorization/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -166,16 +166,17 @@ karavictl generate token [flags]
##### Options

```
--addr string host:port address (default "grpc.gatekeeper.cluster:443")
--from-config string File providing self-generated token information
-h, --help help for token
--tenant Tenant name
--shared-secret string Shared secret for token signing
-t, --tenant string Tenant name
--access-token-expiration duration Expiration time of the access token, e.g. 1m30s (default 1m0s)
--refresh-token-expiration duration Expiration time of the refresh token, e.g. 48h (default 720h0m0s)
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

Expand Down Expand Up @@ -536,13 +537,13 @@ karavictl rolebinding create [flags]
-h, --help help for create
-r, --role string Role name
-t, --tenant string Tenant name
--insecure boolean insecure skip verify flag for Helm deployment
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

Expand Down Expand Up @@ -573,16 +574,16 @@ karavictl rolebinding delete [flags]
##### Options

```
-h, --help help for create
-h, --help help for delete
-r, --role string Role name
-t, --tenant string Tenant name
--insecure boolean insecure skip verify flag for Helm deployment
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

Expand Down Expand Up @@ -908,15 +909,16 @@ karavictl tenant create [flags]
##### Options

```
-a, --approvesdc To allow/deny SDC approval requests (default true | This flag is only applicable to PowerFlex. This flag will Approve/Deny a tenant's SDC request)
-h, --help help for create
-n, --name string Tenant name
--insecure insecure skip verify flag for Helm deployment
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

Expand Down Expand Up @@ -948,16 +950,16 @@ karavictl tenant get [flags]
##### Options

```
-h, --help help for create
-h, --help help for get
-n, --name string Tenant name
--insecure insecure skip verify flag for Helm deployment
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
```

##### Output
Expand Down Expand Up @@ -993,14 +995,14 @@ karavictl tenant list [flags]
##### Options

```
-h, --help help for create
--insecure insecure skip verify flag for Helm deployment
-h, --help help for list
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

Expand Down Expand Up @@ -1040,15 +1042,16 @@ karavictl tenant revoke [flags]
##### Options

```
-c, --cancel Cancel a previous tenant revocation
-h, --help help for create
-n, --name string Tenant name
--insecure insecure skip verify flag for Helm deployment
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--insecure Skip certificate validation
--config string config file (default is $HOME/.karavictl.yaml)
```

Expand Down Expand Up @@ -1079,16 +1082,16 @@ karavictl tenant delete [flags]
##### Options

```
-h, --help help for create
-h, --help help for delete
-n, --name string Tenant name
--insecure insecure skip verify flag for Helm deployment
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
```

##### Output
Expand Down Expand Up @@ -1118,16 +1121,17 @@ karavictl tenant update [flags]
#### Options

```
-h, --help help for create
-a, --approvesdc To allow/deny SDC approval requests (default true | This flag is only applicable to PowerFlex. This flag will Approve/Deny a tenant's SDC request)
-h, --help help for update
-n, --name string Tenant name
--approvesdc boolean (Usage: --approvesdc=true/false | This flag is only applicable to PowerFlex. This flag will Approve/Deny a tenant's SDC request )
```

##### Options inherited from parent commands

```
--addr string Address of the server (default "localhost:443")
--addr string Address of the server (default "localhost")
--config string config file (default is $HOME/.karavictl.yaml)
--insecure Skip certificate validation
```

##### Output
Expand Down
22 changes: 11 additions & 11 deletions content/docs/authorization/configuration/proxy-server/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ The storage administrator must first configure the proxy server with the followi
- Bind roles to tenants

>__Note__:
> - The `RPM deployment` will use the address and port of the server (i.e. grpc.<DNS-hostname>:443).
> - The `RPM deployment` will use the address of the server.
> - The `Helm deployment` will use the address and port of the Ingress hosts for the storage, tenant, and role services.

### Configuring Storage
Expand Down Expand Up @@ -42,10 +42,10 @@ A `tenant` is a Kubernetes cluster that a role will be bound to. For example, to

```yaml
# RPM Deployment
karavictl tenant create --name Finance --insecure --addr grpc.<DNS-hostname>:443
karavictl tenant create --name Finance --insecure --addr DNS-hostname

# Helm Deployment
karavictl tenant create --name Finance --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
karavictl tenant create --name Finance --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
```

>__Note__:
Expand All @@ -56,10 +56,10 @@ karavictl tenant create --name Finance --insecure --addr tenant.csm-authorizatio

```yaml
# RPM Deployment
karavictl tenant create --name Finance --approvesdc=false --insecure --addr grpc.DNS-hostname:443
karavictl tenant create --name Finance --approvesdc=false --insecure --addr DNS-hostname

# Helm Deployment
karavictl tenant create --name Finance --approvesdc=false --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
karavictl tenant create --name Finance --approvesdc=false --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
```

### Configuring Roles
Expand All @@ -83,14 +83,14 @@ A `role binding` binds a role to a tenant. For example, to bind the `FinanceRole

```yaml
# RPM Deployment
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr grpc.<DNS-hostname>:443
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr DNS-hostname

# Helm Deployment
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>
```

>__Note__:
> - The `insecure` flag specifies to skip certificate validation when connecting to the tenant service. Run `karavictl rolebinding create --help` for help.
> - The `insecure` flag specifies to skip certificate validation when connecting to CSM Authorization. Run `karavictl rolebinding create --help` for help.

### Generate a Token

Expand All @@ -106,7 +106,7 @@ After creating the role bindings, the next logical step is to generate the acces

```
echo === Generating token ===
karavictl generate token --tenant ${tenantName} --insecure --addr grpc.<DNS-hostname>:443 | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' > token.yaml
karavictl generate token --tenant ${tenantName} --insecure --addr DNS-hostname | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' > token.yaml

echo === Copy token to Driver Host ===
sshpass -p ${DriverHostPassword} scp token.yaml ${DriverHostVMUser}@{DriverHostVMIP}:/tmp/token.yaml
Expand All @@ -117,7 +117,7 @@ After creating the role bindings, the next logical step is to generate the acces
Now that the tenant is bound to a role, a JSON Web Token can be generated for the tenant. For example, to generate a token for the `Finance` tenant:

```
karavictl generate token --tenant Finance --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
karavictl generate token --tenant Finance --insecure --addr csm-authorization.com:<ingress-nginx-controller-port>

{
"Token": "\napiVersion: v1\nkind: Secret\nmetadata:\n name: proxy-authz-tokens\ntype: Opaque\ndata:\n access: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKcllYSmhkbWtpTENKbGVIQWlPakUyTlRNek1qUXhPRFlzSW1keWIzVndJam9pWm05dklpd2lhWE56SWpvaVkyOXRMbVJsYkd3dWEyRnlZWFpwSWl3aWNtOXNaWE1pT2lKaVlYSWlMQ0p6ZFdJaU9pSnJZWEpoZG1rdGRHVnVZVzUwSW4wLmJIODN1TldmaHoxc1FVaDcweVlfMlF3N1NTVnEyRzRKeGlyVHFMWVlEMkU=\n refresh: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKcllYSmhkbWtpTENKbGVIQWlPakUyTlRVNU1UWXhNallzSW1keWIzVndJam9pWm05dklpd2lhWE56SWpvaVkyOXRMbVJsYkd3dWEyRnlZWFpwSWl3aWNtOXNaWE1pT2lKaVlYSWlMQ0p6ZFdJaU9pSnJZWEpoZG1rdGRHVnVZVzUwSW4wLkxNbWVUSkZlX2dveXR0V0lUUDc5QWVaTy1kdmN5SHAwNUwyNXAtUm9ZZnM=\n"
Expand All @@ -127,7 +127,7 @@ karavictl generate token --tenant Finance --insecure --addr tenant.csm-authoriza
Process the above response to filter the secret manifest. For example using sed you can run the following:

```
karavictl generate token --tenant Finance --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port> | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g'
karavictl generate token --tenant Finance --insecure --addr csm-authorization.com:<ingress-nginx-controller-port> | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g'
apiVersion: v1
kind: Secret
metadata:
Expand Down
15 changes: 4 additions & 11 deletions content/docs/authorization/deployment/helm/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,16 +66,13 @@ The following third-party components are optionally installed in the specified n
| authorization.images.storageService | The image to use for the storage-service. | Yes | dellemc/csm-authorization-storage:nightly |
| authorization.images.opa | The image to use for Open Policy Agent. | Yes | openpolicyagent/opa |
| authorization.images.opaKubeMgmt | The image to use for Open Policy Agent kube-mgmt. | Yes | openpolicyagent/kube-mgmt:0.11 |
| authorization.hostname | The hostname to configure the self-signed certificate (if applicable) and the proxy, tenant, role, and storage service Ingresses. | Yes | csm-authorization.com |
| authorization.hostname | The hostname to configure the self-signed certificate (if applicable) and the proxy, role, and storage service Ingresses. | Yes | csm-authorization.com |
| authorization.logLevel | CSM Authorization log level. Allowed values: “error”, “warn”/“warning”, “info”, “debug”. | Yes | debug |
| authorization.zipkin.collectoruri | The URI of the Zipkin instance to export traces. | No | - |
| authorization.zipkin.probability | The ratio of traces to export. | No | - |
| authorization.proxyServerIngress.ingressClassName | The ingressClassName of the proxy-service Ingress. | Yes | - |
| authorization.proxyServerIngress.hosts | Additional host rules to be applied to the proxy-service Ingress. | No | - |
| authorization.proxyServerIngress.annotations | Additional annotations for the proxy-service Ingress. | No | - |
| authorization.tenantServiceIngress.ingressClassName | The ingressClassName of the tenant-service Ingress. | Yes | - |
| authorization.tenantServiceIngress.hosts | Additional host rules to be applied to the tenant-service Ingress. | No | - |
| authorization.tenantServiceIngress.annotations | Additional annotations for the tenant-service Ingress. | No | - |
| authorization.roleServiceIngress.ingressClassName | The ingressClassName of the role-service Ingress. | Yes | - |
| authorization.roleServiceIngress.hosts | Additional host rules to be applied to the role-service Ingress. | No | - |
| authorization.roleServiceIngress.annotations | Additional annotations for the role-service Ingress. | No | - |
Expand All @@ -87,9 +84,6 @@ The following third-party components are optionally installed in the specified n
| redis.images.commander | The image to use for Redis Commander. | Yes | rediscommander/redis-commander:latest |
| redis.storageClass | The storage class for Redis to use for persistence. If not supplied, the default storage class is used. | No | - |

>__Note__:
> - The tenant, role, and storage services use GRPC. If the Ingress Controller requires annotations to support GRPC, they must be supplied.

6. Install the driver using `helm`:

To install CSM Authorization with the service Ingresses using your own certificate, run:
Expand Down Expand Up @@ -135,7 +129,7 @@ Karavictl commands and intended use can be found [here](../../cli/).

The first part of CSM for Authorization deployment is to configure the proxy server. This is controlled by the Storage Administrator.

Configuration is achieved by using `karavictl` to connect to the storage, tenant, and role services. In this example, we will be referencing an installation using `csm-authorization.com` as the authorization.hostname value and the NGINX Ingress Controller accessed via the cluster's master node.
Configuration is achieved by using `karavictl` to connect to the proxy, storage, and role services. In this example, we will be referencing an installation using `csm-authorization.com` as the authorization.hostname value and the NGINX Ingress Controller accessed via the cluster's master node.

Run `kubectl -n authorization get ingress` and `kubectl -n authorization get service` to see the Ingress rules for these services and the exposed port for accessing these services via the LoadBalancer. For example:

Expand All @@ -145,7 +139,6 @@ NAME CLASS HOSTS ADDRESS PORTS AG
proxy-server nginx csm-authorization.com 00, 000 86s
role-service nginx role.csm-authorization.com 00, 000 86s
storage-service nginx storage.csm-authorization.com 00, 000 86s
tenant-service nginx tenant.csm-authorization.com 00, 000 86s

# kubectl -n auth get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
Expand All @@ -161,10 +154,10 @@ storage-service ClusterIP 00.000.000.000
tenant-service ClusterIP 00.000.000.000 <none> 000/TCP 28s
```

On the machine running `karavictl`, the `/etc/hosts` file needs to be updated with the Ingress hosts for the storage, tenant, and role services. For example:
On the machine running `karavictl`, the `/etc/hosts` file needs to be updated with the Ingress hosts for the proxy, storage, and role services. For example:

```
<master_node_ip> tenant.csm-authorization.com
<master_node_ip> csm-authorization.com
<master_node_ip> role.csm-authorization.com
<master_node_ip> storage.csm-authorization.com
```
Expand Down
19 changes: 2 additions & 17 deletions content/docs/authorization/deployment/rpm/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ A Storage Administrator can execute the shell script, install_karavi_auth.sh as
"host": ":8080"
},
"zipkin": {
"collectoruri": "http://DNS-hostname:9411/api/v2/spans",
"collectoruri": "http://zipkin-addr:9411/api/v2/spans",
shaynafinocchiaro marked this conversation as resolved.
Show resolved Hide resolved
"probability": 1
},
"certificate": {
Expand All @@ -96,21 +96,6 @@ A Storage Administrator can execute the shell script, install_karavi_auth.sh as
> - `DNS-hostname` refers to the hostname of the system in which the CSM for Authorization server will be installed. This hostname can be found by running `nslookup <IP_address>`
> - There are a number of ways to create certificates. In a production environment, certificates are usually created and managed by an IT administrator. Otherwise, certificates can be created using OpenSSL.

2. In order to configure secure grpc connectivity, an additional subdomain in the format `grpc.DNS-hostname` is also required. All traffic from `grpc.DNS-hostname` needs to be routed to `DNS-hostname` address, this can be configured by adding a new DNS entry for `grpc.DNS-hostname` or providing a temporary path in the systems `/etc/hosts` file.

>__Note__: The certificate provided in `crtFile` should be valid for both the `DNS-hostname` and the `grpc.DNS-hostname` address.

For example, create the certificate config file with alternate names (to include DNS-hostname and grpc.DNS-hostname) and then create the .crt file:

```
CN = DNS-hostname
subjectAltName = @alt_names
[alt_names]
DNS.1 = grpc.DNS-hostname.com

$ openssl x509 -req -in cert_request_file.csr -CA root_CA.pem -CAkey private_key_File.key -CAcreateserial -out DNS-hostname.com.crt -days 365 -sha256
```

3. To install the rpm package on the system, you must first extract the contents of the tar file with the command:

```shell
Expand Down Expand Up @@ -178,7 +163,7 @@ Replace the data in `config.yaml` under the `data` field with your new, encoded

>__Note__: If you are updating the signing secret, the tenants need to be updated with new tokens via the `karavictl generate token` command like so. The `--insecure` flag is required if certificates were not provided in `$HOME/.karavi/config.json`

`karavictl generate token --tenant $TenantName --insecure --addr grpc.DNS-hostname:443 | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' | kubectl -n $namespace apply -f -`
`karavictl generate token --tenant $TenantName --insecure --addr DNS-hostname | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' | kubectl -n $namespace apply -f -`

## CSM for Authorization Proxy Server Dynamic Configuration Settings

Expand Down
6 changes: 3 additions & 3 deletions content/docs/authorization/troubleshooting.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,9 @@ $ k3s kubectl logs deploy/proxy-server -n karavi -c opa
```

### Running "karavictl tenant" commands result in an HTTP 504 error
shaynafinocchiaro marked this conversation as resolved.
Show resolved Hide resolved
This situation may occur if there are Iptables or other firewall rules preventing communication with the provided `<grpc-address>`:
This situation may occur if there are Iptables or other firewall rules preventing communication with the provided `DNS-hostname`:
```
$ karavictl tenant list --addr <grpc-address>
$ karavictl tenant list --addr <DNS-hostname>
{
"ErrorMsg": "rpc error: code = Unavailable desc = Gateway Timeout: HTTP status code 504;
transport: received the unexpected content-type \"text/plain; charset=utf-8\""
Expand All @@ -64,7 +64,7 @@ $ karavictl tenant list --addr <grpc-address>
__Resolution__

Consult with your system administrator or Iptables/firewall documentation. If there are rules in place to
prevent communication with the `<grpc-address>`, either new rules must be created or existing rules must be updated.
prevent communication with the `DNS-hostname`, either new rules must be created or existing rules must be updated.

### Installation fails to install policies
If SELinux is enabled, the policies may fail to install:
Expand Down
Loading