Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Token propagation E2E tests. #581

Merged
merged 6 commits into from
Jan 22, 2020
Merged

Token propagation E2E tests. #581

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
750e826
Add query service token propagation support
rubenvp8510 Aug 5, 2019
853b677
E2E Tests for token propagation
rubenvp8510 Oct 14, 2019
f100fc9
Use auth delegation to avoid oauth form parsing
rubenvp8510 Jan 11, 2020
233cfd4
E2E token test more reliable
rubenvp8510 Jan 16, 2020
93df3af
Allow override es.archive.tls
rubenvp8510 Jan 16, 2020
0bb2711
Address formating comments
rubenvp8510 Jan 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .ci/run-e2e-tests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@ elif [ "${TEST_GROUP}" = "examples2" ]
then
echo "Running Examples2 Tests"
make e2e-tests-examples2
elif [ "${TEST_GROUP}" = "es-token-propagation" ]
then
echo "Running token propagation tests"
make e2e-tests-token-propagation-es
else
echo "Unknown TEST_GROUP [${TEST_GROUP}]"; exit 1
fi
Expand Down
5 changes: 4 additions & 1 deletion .ci/start-openshift.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,10 @@ export KUBERNETES_VERSION=v1.14.0
echo '{"registry-mirrors": ["https://mirror.gcr.io"], "mtu": 1460, "insecure-registries": ["172.30.0.0/16"] }' | sudo tee /etc/docker/daemon.json
sudo service docker restart

HOST_IP=$(hostname -I | awk '{ print $1 }')

# install and run OCP
sudo docker cp $(docker create docker.io/openshift/origin:$OPENSHIFT_VERSION):/bin/oc /usr/local/bin/oc
oc cluster up --version=$OPENSHIFT_VERSION

oc cluster up --version=$OPENSHIFT_VERSION --public-hostname=${HOST_IP}.nip.io
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @kevinearls

oc login -u system:admin
5 changes: 5 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,11 @@ e2e-tests-self-provisioned-es-kafka: prepare-e2e-tests deploy-kafka-operator dep
@echo Running Self provisioned Elasticsearch and Kafka end-to-end tests...
@STORAGE_NAMESPACE=$(STORAGE_NAMESPACE) ES_OPERATOR_NAMESPACE=$(ES_OPERATOR_NAMESPACE) ES_OPERATOR_IMAGE=$(ES_OPERATOR_IMAGE) go test -tags=self_provisioned_elasticsearch_kafka ./test/e2e/... $(TEST_OPTIONS)

.PHONY: e2e-tests-token-propagation-es
e2e-tests-token-propagation-es: prepare-e2e-tests deploy-es-operator
@echo Running Token Propagation Elasticsearch end-to-end tests...
@STORAGE_NAMESPACE=$(STORAGE_NAMESPACE) ES_OPERATOR_NAMESPACE=$(ES_OPERATOR_NAMESPACE) ES_OPERATOR_IMAGE=$(ES_OPERATOR_IMAGE) go test -tags=token_propagation_elasticsearch ./test/e2e/... $(TEST_OPTIONS)

.PHONY: e2e-tests-streaming
e2e-tests-streaming: prepare-e2e-tests es kafka
@echo Running Streaming end-to-end tests...
Expand Down
4 changes: 4 additions & 0 deletions deploy/crds/jaegertracing.io_jaegers_crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9434,6 +9434,10 @@ spec:
sar:
type: string
type: object
options:
description: Options defines a common options parameter to the different
structs
type: object
resources:
description: ResourceRequirements describes the compute resource
requirements.
Expand Down
3 changes: 3 additions & 0 deletions pkg/apis/jaegertracing/v1/jaeger_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,9 @@ type JaegerIngressSpec struct {

// +optional
JaegerCommonSpec `json:",inline,omitempty"`

// +optional
Options Options `json:"options,omitempty"`
}

// JaegerIngressTLSSpec defines the TLS configuration to be used when deploying the query ingress
Expand Down
1 change: 1 addition & 0 deletions pkg/apis/jaegertracing/v1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 6 additions & 1 deletion pkg/apis/jaegertracing/v1/zz_generated.openapi.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1361,11 +1361,16 @@ func schema_pkg_apis_jaegertracing_v1_JaegerIngressSpec(ref common.ReferenceCall
Format: "",
},
},
"options": {
SchemaProps: spec.SchemaProps{
Ref: ref("./pkg/apis/jaegertracing/v1.Options"),
},
},
},
},
},
Dependencies: []string{
"./pkg/apis/jaegertracing/v1.JaegerIngressOpenShiftSpec", "./pkg/apis/jaegertracing/v1.JaegerIngressTLSSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.Volume", "k8s.io/api/core/v1.VolumeMount"},
"./pkg/apis/jaegertracing/v1.JaegerIngressOpenShiftSpec", "./pkg/apis/jaegertracing/v1.JaegerIngressTLSSpec", "./pkg/apis/jaegertracing/v1.Options", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.Volume", "k8s.io/api/core/v1.VolumeMount"},
}
}

Expand Down
18 changes: 16 additions & 2 deletions pkg/inject/oauth_proxy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ import (
"github.com/jaegertracing/jaeger-operator/pkg/util"
)

// #nosec G101 (CWE-798): Potential hardcoded credentials
const defaultProxySecret = "ncNDoqLGrayxXzxTn5ANbOXZp3qXd0LA"

// OAuthProxy injects an appropriate proxy into the given deployment
func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
if jaeger.Spec.Ingress.Security != v1.IngressSecurityOAuthProxy {
Expand All @@ -33,17 +36,26 @@ func OAuthProxy(jaeger *v1.Jaeger, dep *appsv1.Deployment) *appsv1.Deployment {
return dep
}

func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
func proxyInitArguments(jaeger *v1.Jaeger) []string {
secret, err := util.GenerateProxySecret()
if err != nil {
jaeger.Logger().WithError(err).Warnf("Error generating secret: %s, fallback to fixed secret", secret)
secret = defaultProxySecret
}
args := []string{
"--cookie-secret=SECRET",
fmt.Sprintf("--cookie-secret=%s", secret),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This generates secrets containing chars like "+" and "/". How are they translated into the final YAML? Do they cause any troubles? I don't think it does, but it's good to have positive confirmation (and perhaps a test). Example of random strings I got from this code locally:

pZ8F0imysFsTwJ9kF8U92g==
ILmvfqWW/+bLEokY06NHig==
Zmc+jX2VWXkxsB98AIYwDg==
xb/fYVT6UHxYpNJXhjR7RQ==

"--https-address=:8443",
fmt.Sprintf("--openshift-service-account=%s", account.OAuthProxyAccountNameFor(jaeger)),
"--provider=openshift",
"--tls-cert=/etc/tls/private/tls.crt",
"--tls-key=/etc/tls/private/tls.key",
"--upstream=http://localhost:16686",
}
return args
}

func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
args := proxyInitArguments(jaeger)
volumeMounts := []corev1.VolumeMount{{
MountPath: "/etc/tls/private",
Name: service.GetTLSSecretNameForQueryService(jaeger),
Expand All @@ -65,6 +77,8 @@ func getOAuthProxyContainer(jaeger *v1.Jaeger) corev1.Container {
args = append(args, fmt.Sprintf("--openshift-delegate-urls=%s", jaeger.Spec.Ingress.Openshift.DelegateUrls))
}

args = append(args, jaeger.Spec.Ingress.Options.ToArgs()...)

sort.Strings(args)

commonSpec := util.Merge([]v1.JaegerCommonSpec{jaeger.Spec.Ingress.JaegerCommonSpec, jaeger.Spec.JaegerCommonSpec})
Expand Down
89 changes: 50 additions & 39 deletions pkg/storage/elasticsearch.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,55 @@ type ElasticsearchDeployment struct {
Secrets []corev1.Secret
}

func (ed *ElasticsearchDeployment) injectArguments(container *corev1.Container) {
container.Args = append(container.Args, "--es.server-urls="+elasticsearchURL)
if util.FindItem("--es.tls=", container.Args) == "" {
container.Args = append(container.Args, "--es.tls=true")
}
container.Args = append(container.Args,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't these options be added only if es.tls=true?

"--es.tls.ca="+caPath,
"--es.tls.cert="+certPath,
"--es.tls.key="+keyPath)

if util.FindItem("--es.timeout", container.Args) == "" {
container.Args = append(container.Args, "--es.timeout=15s")
}
if util.FindItem("--es.num-shards", container.Args) == "" {
// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
// every ES node is a data node
container.Args = append(container.Args, fmt.Sprintf("--es.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
}
if util.FindItem("--es.num-replicas", container.Args) == "" {
container.Args = append(container.Args, fmt.Sprintf("--es.num-replicas=%d",
calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
}
if strings.EqualFold(util.FindItem("--es-archive.enabled", container.Args), "--es-archive.enabled=true") {
container.Args = append(container.Args,
"--es-archive.server-urls="+elasticsearchURL,
)
if util.FindItem("--es-archive.tls=", container.Args) == "" {
container.Args = append(container.Args, "--es-archive.tls=true")
}
container.Args = append(container.Args,
"--es-archive.tls.ca="+caPath,
"--es-archive.tls.cert="+certPath,
"--es-archive.tls.key="+keyPath,
)
if util.FindItem("--es-archive.timeout", container.Args) == "" {
container.Args = append(container.Args, "--es-archive.timeout=15s")
}
if util.FindItem("--es-archive.num-shards", container.Args) == "" {
// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
// every ES node is a data node
container.Args = append(container.Args, fmt.Sprintf("--es-archive.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
}
if util.FindItem("--es-archive.num-replicas", container.Args) == "" {
container.Args = append(container.Args, fmt.Sprintf("--es-archive.num-replicas=%d",
calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
}
}
}

// InjectStorageConfiguration changes the given spec to include ES-related command line options
func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec) {
p.Volumes = append(p.Volumes, corev1.Volume{
Expand All @@ -50,45 +99,7 @@ func (ed *ElasticsearchDeployment) InjectStorageConfiguration(p *corev1.PodSpec)
})
// we assume jaeger containers are first
if len(p.Containers) > 0 {
p.Containers[0].Args = append(p.Containers[0].Args,
"--es.server-urls="+elasticsearchURL,
"--es.tls=true",
"--es.tls.ca="+caPath,
"--es.tls.cert="+certPath,
"--es.tls.key="+keyPath)
if util.FindItem("--es.timeout", p.Containers[0].Args) == "" {
p.Containers[0].Args = append(p.Containers[0].Args, "--es.timeout=15s")
}
if util.FindItem("--es.num-shards", p.Containers[0].Args) == "" {
// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
// every ES node is a data node
p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
}
if util.FindItem("--es.num-replicas", p.Containers[0].Args) == "" {
p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es.num-replicas=%d",
calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
}
if strings.EqualFold(util.FindItem("--es-archive.enabled", p.Containers[0].Args), "--es-archive.enabled=true") {
p.Containers[0].Args = append(p.Containers[0].Args,
"--es-archive.server-urls="+elasticsearchURL,
"--es-archive.tls=true",
"--es-archive.tls.ca="+caPath,
"--es-archive.tls.cert="+certPath,
"--es-archive.tls.key="+keyPath,
)
if util.FindItem("--es-archive.timeout", p.Containers[0].Args) == "" {
p.Containers[0].Args = append(p.Containers[0].Args, "--es-archive.timeout=15s")
}
if util.FindItem("--es-archive.num-shards", p.Containers[0].Args) == "" {
// taken from https://github.com/openshift/cluster-logging-operator/blob/32b69e8bcf61a805e8f3c45c664a3c08d1ee62d5/vendor/github.com/openshift/elasticsearch-operator/pkg/k8shandler/configmaps.go#L38
// every ES node is a data node
p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es-archive.num-shards=%d", ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))
}
if util.FindItem("--es-archive.num-replicas", p.Containers[0].Args) == "" {
p.Containers[0].Args = append(p.Containers[0].Args, fmt.Sprintf("--es-archive.num-replicas=%d",
calculateReplicaShards(ed.Jaeger.Spec.Storage.Elasticsearch.RedundancyPolicy, int(ed.Jaeger.Spec.Storage.Elasticsearch.NodeCount))))
}
}
ed.injectArguments(&p.Containers[0])
p.Containers[0].VolumeMounts = append(p.Containers[0].VolumeMounts, corev1.VolumeMount{
Name: volumeName,
ReadOnly: true,
Expand Down
16 changes: 16 additions & 0 deletions pkg/util/util.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package util

import (
"crypto/rand"
"encoding/base64"
"fmt"
"strconv"
"strings"
Expand Down Expand Up @@ -242,3 +244,17 @@ func CreateEnvsFromSecret(secretName string) []corev1.EnvFromSource {
}
return envs
}

// GenerateProxySecret generate random secret key for oauth proxy cookie.
func GenerateProxySecret() (string, error) {
const secretLength = 16
randString := make([]byte, secretLength)
_, err := rand.Read(randString)
if err != nil {
// If we cannot generate random, return fixed.
return "", err
}
base64Secret := base64.StdEncoding.EncodeToString(randString)
return base64Secret, nil

}
Loading