Add query service token propagation support

Signed-off-by: Ruben Vargas <[email protected]>
jaegertracing · Oct 10, 2019 · ce44015 · ce44015
1 parent 54f74a5
commit ce44015
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 7 deletions.
diff --git a/pkg/apis/jaegertracing/v1/jaeger_types.go b/pkg/apis/jaegertracing/v1/jaeger_types.go
@@ -157,6 +157,9 @@ type JaegerQuerySpec struct {
 	// +optional
 	Options Options `json:"options,omitempty"`
 
+	// +optional
+	TokenPropagation bool `json:"tokenPropagation,omitempty"`
+
 	// +optional
 	JaegerCommonSpec `json:",inline,omitempty"`
 }

diff --git a/pkg/deployment/query.go b/pkg/deployment/query.go
@@ -71,7 +71,9 @@ func (q *Query) Get() *appsv1.Deployment {
 
 	options := allArgs(q.jaeger.Spec.Query.Options,
 		q.jaeger.Spec.Storage.Options.Filter(storage.OptionsPrefix(q.jaeger.Spec.Storage.Type)))
-
+	if q.jaeger.Spec.Query.TokenPropagation {
+		options = append(options, "--query.bearer-token-propagation=true")
+	}
 	configmap.Update(q.jaeger, commonSpec, &options)
 	var envFromSource []corev1.EnvFromSource
 	if len(q.jaeger.Spec.Storage.SecretName) > 0 {
@@ -190,3 +192,8 @@ func (q *Query) labels() map[string]string {
 func (q *Query) name() string {
 	return fmt.Sprintf("%s-query", q.jaeger.Name)
 }
+
+//TokenPropagation returns true is token propagation is enabled on query service.
+func (q *Query) TokenPropagation() bool {
+	return q.jaeger.Spec.Query.TokenPropagation
+}
diff --git a/pkg/inject/oauth_proxy.go b/pkg/inject/oauth_proxy.go
@@ -9,7 +9,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/jaegertracing/jaeger-operator/pkg/account"
-	v1 "github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
+	"github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
 	"github.com/jaegertracing/jaeger-operator/pkg/service"
 	"github.com/jaegertracing/jaeger-operator/pkg/util"
 )
@@ -34,8 +34,9 @@ func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
 }
 
 func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
+
 	args := []string{
-		"--cookie-secret=SECRET",
+		fmt.Sprintf("--cookie-secret=%s", util.GenerateProxySecret()),
 		"--https-address=:8443",
 		fmt.Sprintf("--openshift-service-account=%s", account.OAuthProxyAccountNameFor(jaeger)),
 		"--provider=openshift",
@@ -44,6 +45,15 @@ func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
 		"--upstream=http://localhost:16686",
 	}
 
+	if jaeger.Spec.Query.TokenPropagation {
+		args = append(args,
+			"--pass-access-token=true",
+			"--pass-user-bearer-token=true",
+			"--scope=user:info user:check-access user:list-projects",
+			"--pass-basic-auth=false",
+		)
+	}
+
 	volumeMounts := []corev1.VolumeMount{{
 		MountPath: "/etc/tls/private",
 		Name:      service.GetTLSSecretNameForQueryService(jaeger),

diff --git a/pkg/storage/elasticsearch.go b/pkg/storage/elasticsearch.go
@@ -39,7 +39,7 @@ type ElasticsearchDeployment struct {
 }
 
 // InjectStorageConfiguration changes the given spec to include ES-related command line options
-func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec) {
+func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec, tlsAuthentication bool) {
 	p.Volumes = append(p.Volumes, corev1.Volume{
 		Name: volumeName,
 		VolumeSource: corev1.VolumeSource{
@@ -52,10 +52,11 @@ func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec)
 	if len(p.Containers) > 0 {
 		p.Containers[0].Args = append(p.Containers[0].Args,
 			"--es.server-urls="+elasticsearchURL,
-			"--es.tls=true",
+			"--es.tls="+strconv.FormatBool(tlsAuthentication),
 			"--es.tls.ca="+caPath,
 			"--es.tls.cert="+certPath,
 			"--es.tls.key="+keyPath)
+
 		if util.FindItem("--es.timeout", p.Containers[0].Args) == "" {
 			p.Containers[0].Args = append(p.Containers[0].Args, "--es.timeout=15s")
 		}

diff --git a/pkg/strategy/production.go b/pkg/strategy/production.go
@@ -105,8 +105,8 @@ func newProductionStrategy(jaeger *v1.Jaeger, es *storage.ElasticsearchDeploymen
 			c.secrets = es.ExtractSecrets()
 			c.elasticsearches = append(c.elasticsearches, *es.Elasticsearch())
 
-			es.InjectStorageConfiguration(&queryDep.Spec.Template.Spec)
-			es.InjectStorageConfiguration(&cDep.Spec.Template.Spec)
+			es.InjectStorageConfiguration(&queryDep.Spec.Template.Spec, !query.TokenPropagation())
+			es.InjectStorageConfiguration(&cDep.Spec.Template.Spec, true)
 			if indexCleaner != nil {
 				es.InjectSecretsConfiguration(&indexCleaner.Spec.JobTemplate.Spec.Template.Spec)
 			}

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -1,6 +1,8 @@
 package util
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"strconv"
 	"strings"
 
@@ -198,3 +200,17 @@ func InitObjectMeta(obj metav1.Object) {
 		obj.SetAnnotations(map[string]string{})
 	}
 }
+
+// GenerateProxySecret generate random secret key for oauth proxy cookie.
+func GenerateProxySecret() string {
+	const secretLength = 16
+	randString := make([]byte, secretLength)
+	_, err := rand.Read(randString)
+	if err != nil {
+		// If we cannot generate random, return fixed.
+		return "ncNDoqLGrayxXzxTn5ANbOXZp3qXd0LA"
+	}
+	base64Secret := base64.StdEncoding.EncodeToString(randString)
+	return base64Secret
+
+}