Token propagation E2E tests. (#581)

Signed-off-by: Ruben Vargas <[email protected]>

.ci/run-e2e-tests.sh

@@ -39,6 +39,10 @@ elif [ "${TEST_GROUP}" = "examples2" ]
 then
     echo "Running Examples2 Tests"
     make e2e-tests-examples2
+elif [ "${TEST_GROUP}" = "es-token-propagation" ]
+then
+    echo "Running token propagation tests"
+    make e2e-tests-token-propagation-es
 else
     echo "Unknown TEST_GROUP [${TEST_GROUP}]"; exit 1
 fi

.ci/start-openshift.sh

@@ -9,7 +9,10 @@ export KUBERNETES_VERSION=v1.14.0
 echo '{"registry-mirrors": ["https://mirror.gcr.io"], "mtu": 1460, "insecure-registries": ["172.30.0.0/16"] }' | sudo tee /etc/docker/daemon.json
 sudo service docker restart
 
+HOST_IP=$(hostname -I | awk '{ print $1 }')
+
 # install and run OCP
 sudo docker cp $(docker create docker.io/openshift/origin:$OPENSHIFT_VERSION):/bin/oc /usr/local/bin/oc
-oc cluster up --version=$OPENSHIFT_VERSION
+
+oc cluster up --version=$OPENSHIFT_VERSION --public-hostname=${HOST_IP}.nip.io
 oc login -u system:admin

Makefile

@@ -120,6 +120,11 @@ e2e-tests-self-provisioned-es-kafka: prepare-e2e-tests deploy-kafka-operator dep
 	@echo Running Self provisioned Elasticsearch and Kafka end-to-end tests...
 	@STORAGE_NAMESPACE=$(STORAGE_NAMESPACE) ES_OPERATOR_NAMESPACE=$(ES_OPERATOR_NAMESPACE) ES_OPERATOR_IMAGE=$(ES_OPERATOR_IMAGE) go test -tags=self_provisioned_elasticsearch_kafka ./test/e2e/... $(TEST_OPTIONS)
 
+.PHONY: e2e-tests-token-propagation-es
+e2e-tests-token-propagation-es: prepare-e2e-tests deploy-es-operator
+	@echo Running Token Propagation Elasticsearch end-to-end tests...
+	@STORAGE_NAMESPACE=$(STORAGE_NAMESPACE) ES_OPERATOR_NAMESPACE=$(ES_OPERATOR_NAMESPACE) ES_OPERATOR_IMAGE=$(ES_OPERATOR_IMAGE) go test -tags=token_propagation_elasticsearch ./test/e2e/... $(TEST_OPTIONS)
+
 .PHONY: e2e-tests-streaming
 e2e-tests-streaming: prepare-e2e-tests es kafka
 	@echo Running Streaming end-to-end tests...

deploy/crds/jaegertracing.io_jaegers_crd.yaml

@@ -9444,6 +9444,10 @@ spec:
                         add a "Log Out" menu option to the custom Jaeger configuration
                       type: boolean
                   type: object
+                options:
+                  description: Options defines a common options parameter to the different
+                    structs
+                  type: object
                 resources:
                   description: ResourceRequirements describes the compute resource
                     requirements.

pkg/apis/jaegertracing/v1/jaeger_types.go

@@ -236,6 +236,9 @@ type JaegerIngressSpec struct {
 
 	// +optional
 	JaegerCommonSpec `json:",inline,omitempty"`
+
+	// +optional
+	Options Options `json:"options,omitempty"`
 }
 
 // JaegerIngressTLSSpec defines the TLS configuration to be used when deploying the query ingress

pkg/apis/jaegertracing/v1/zz_generated.openapi.go

@@ -1375,11 +1375,16 @@ func schema_pkg_apis_jaegertracing_v1_JaegerIngressSpec(ref common.ReferenceCall
 							Format: "",
 						},
 					},
+					"options": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref("./pkg/apis/jaegertracing/v1.Options"),
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"./pkg/apis/jaegertracing/v1.JaegerIngressOpenShiftSpec", "./pkg/apis/jaegertracing/v1.JaegerIngressTLSSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.Volume", "k8s.io/api/core/v1.VolumeMount"},
+			"./pkg/apis/jaegertracing/v1.JaegerIngressOpenShiftSpec", "./pkg/apis/jaegertracing/v1.JaegerIngressTLSSpec", "./pkg/apis/jaegertracing/v1.Options", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.Volume", "k8s.io/api/core/v1.VolumeMount"},
 	}
 }
 

pkg/inject/oauth_proxy.go

@@ -14,6 +14,9 @@ import (
 	"github.com/jaegertracing/jaeger-operator/pkg/util"
 )
 
+// #nosec   G101 (CWE-798): Potential hardcoded credentials
+const defaultProxySecret = "ncNDoqLGrayxXzxTn5ANbOXZp3qXd0LA"
+
 // OAuthProxy injects an appropriate proxy into the given deployment
 func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
 	if jaeger.Spec.Ingress.Security != v1.IngressSecurityOAuthProxy {
@@ -33,17 +36,26 @@ func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
 	return dep
 }
 
-func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
+func proxyInitArguments(jaeger *v1.Jaeger) []string {
+	secret, err := util.GenerateProxySecret()
+	if err != nil {
+		jaeger.Logger().WithError(err).Warnf("Error generating secret: %s, fallback to fixed secret", secret)
+		secret = defaultProxySecret
+	}
 	args := []string{
-		"--cookie-secret=SECRET",
+		fmt.Sprintf("--cookie-secret=%s", secret),
 		"--https-address=:8443",
 		fmt.Sprintf("--openshift-service-account=%s", account.OAuthProxyAccountNameFor(jaeger)),
 		"--provider=openshift",
 		"--tls-cert=/etc/tls/private/tls.crt",
 		"--tls-key=/etc/tls/private/tls.key",
 		"--upstream=http://localhost:16686",
 	}
+	return args
+}
 
+func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
+	args := proxyInitArguments(jaeger)
 	volumeMounts := []corev1.VolumeMount{{
 		MountPath: "/etc/tls/private",
 		Name:      service.GetTLSSecretNameForQueryService(jaeger),
@@ -65,6 +77,8 @@ func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
 		args = append(args, fmt.Sprintf("--openshift-delegate-urls=%s", jaeger.Spec.Ingress.Openshift.DelegateUrls))
 	}
 
+	args = append(args, jaeger.Spec.Ingress.Options.ToArgs()...)
+
 	sort.Strings(args)
 
 	commonSpec := util.Merge([]v1.JaegerCommonSpec{jaeger.Spec.Ingress.JaegerCommonSpec, jaeger.Spec.JaegerCommonSpec})

pkg/storage/elasticsearch.go

@@ -38,6 +38,55 @@ type ElasticsearchDeployment struct {
 	Secrets    []corev1.Secret
 }
 
+func (ed *ElasticsearchDeployment) injectArguments(container *corev1.Container) {
+	container.Args = append(container.Args, "--es.server-urls="+elasticsearchURL)
+	if util.FindItem("--es.tls=", container.Args) == "" {
+		container.Args = append(container.Args, "--es.tls=true")
+	}
+	container.Args = append(container.Args,
+		"--es.tls.ca="+caPath,
+		"--es.tls.cert="+certPath,
+		"--es.tls.key="+keyPath)
+
+	if util.FindItem("--es.timeout", container.Args) == "" {
+		container.Args = append(container.Args, "--es.timeout=15s")
+	}
+	if util.FindItem("--es.num-shards", container.Args) == "" {
+		// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
+		// every ES node is a data node
+		container.Args = append(container.Args, fmt.Sprintf("--es.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
+	}
+	if util.FindItem("--es.num-replicas", container.Args) == "" {
+		container.Args = append(container.Args, fmt.Sprintf("--es.num-replicas=%d",
+			calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
+	}
+	if strings.EqualFold(util.FindItem("--es-archive.enabled", container.Args), "--es-archive.enabled=true") {
+		container.Args = append(container.Args,
+			"--es-archive.server-urls="+elasticsearchURL,
+		)
+		if util.FindItem("--es-archive.tls=", container.Args) == "" {
+			container.Args = append(container.Args, "--es-archive.tls=true")
+		}
+		container.Args = append(container.Args,
+			"--es-archive.tls.ca="+caPath,
+			"--es-archive.tls.cert="+certPath,
+			"--es-archive.tls.key="+keyPath,
+		)
+		if util.FindItem("--es-archive.timeout", container.Args) == "" {
+			container.Args = append(container.Args, "--es-archive.timeout=15s")
+		}
+		if util.FindItem("--es-archive.num-shards", container.Args) == "" {
+			// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
+			// every ES node is a data node
+			container.Args = append(container.Args, fmt.Sprintf("--es-archive.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
+		}
+		if util.FindItem("--es-archive.num-replicas", container.Args) == "" {
+			container.Args = append(container.Args, fmt.Sprintf("--es-archive.num-replicas=%d",
+				calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
+		}
+	}
+}
+
 // InjectStorageConfiguration changes the given spec to include ES-related command line options
 func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec) {
 	p.Volumes = append(p.Volumes, corev1.Volume{
@@ -50,45 +99,7 @@ func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec)
 	})
 	// we assume jaeger containers are first
 	if len(p.Containers) > 0 {
-		p.Containers[0].Args = append(p.Containers[0].Args,
-			"--es.server-urls="+elasticsearchURL,
-			"--es.tls=true",
-			"--es.tls.ca="+caPath,
-			"--es.tls.cert="+certPath,
-			"--es.tls.key="+keyPath)
-		if util.FindItem("--es.timeout", p.Containers[0].Args) == "" {
-			p.Containers[0].Args = append(p.Containers[0].Args, "--es.timeout=15s")
-		}
-		if util.FindItem("--es.num-shards", p.Containers[0].Args) == "" {
-			// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
-			// every ES node is a data node
-			p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
-		}
-		if util.FindItem("--es.num-replicas", p.Containers[0].Args) == "" {
-			p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es.num-replicas=%d",
-				calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
-		}
-		if strings.EqualFold(util.FindItem("--es-archive.enabled", p.Containers[0].Args), "--es-archive.enabled=true") {
-			p.Containers[0].Args = append(p.Containers[0].Args,
-				"--es-archive.server-urls="+elasticsearchURL,
-				"--es-archive.tls=true",
-				"--es-archive.tls.ca="+caPath,
-				"--es-archive.tls.cert="+certPath,
-				"--es-archive.tls.key="+keyPath,
-			)
-			if util.FindItem("--es-archive.timeout", p.Containers[0].Args) == "" {
-				p.Containers[0].Args = append(p.Containers[0].Args, "--es-archive.timeout=15s")
-			}
-			if util.FindItem("--es-archive.num-shards", p.Containers[0].Args) == "" {
-				// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
-				// every ES node is a data node
-				p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es-archive.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
-			}
-			if util.FindItem("--es-archive.num-replicas", p.Containers[0].Args) == "" {
-				p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es-archive.num-replicas=%d",
-					calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
-			}
-		}
+		ed.injectArguments(&p.Containers[0])
 		p.Containers[0].VolumeMounts = append(p.Containers[0].VolumeMounts, corev1.VolumeMount{
 			Name:      volumeName,
 			ReadOnly:  true,

pkg/util/util.go

@@ -1,6 +1,8 @@
 package util
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"strconv"
 	"strings"
@@ -242,3 +244,17 @@ func CreateEnvsFromSecret(secretName string) []corev1.EnvFromSource {
 	}
 	return envs
 }
+
+// GenerateProxySecret generate random secret key for oauth proxy cookie.
+func GenerateProxySecret() (string, error) {
+	const secretLength = 16
+	randString := make([]byte, secretLength)
+	_, err := rand.Read(randString)
+	if err != nil {
+		// If we cannot generate random, return fixed.
+		return "", err
+	}
+	base64Secret := base64.StdEncoding.EncodeToString(randString)
+	return base64Secret, nil
+
+}