[MAISTRA-624] Use basic HTTP auth for internal communication

Between kiali, grafana, jaeger and prometheus.

This way we can get rid of cluster role bindings.

We create an htpasswd secret unconditionally on the beginning of the control
plane installation, configure all oauth proxies to use that htpasswd
file as another form of authentication and finally configure Kiali
CR to use HTTP basic auth to communicate with those services.

helm/istio/charts/kiali/templates/kiali-cr.yaml

@@ -36,22 +36,28 @@ spec:
     grafana:
       auth:
         ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-        type: "bearer"
-        use_kiali_token: true
+        type: "basic"
+        use_kiali_token: false
+        username: "internal"
+        password: ""
       enabled: true
       in_cluster_url: "https://grafana.{{ .Release.Namespace }}.svc:3000"
       url: "{{ .Values.dashboard.grafanaURL }}"
     prometheus:
       auth:
         ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-        type: "bearer"
-        use_kiali_token: true
+        type: "basic"
+        use_kiali_token: false
+        username: "internal"
+        password: ""
       url: "https://prometheus.{{ .Release.Namespace }}.svc:9090"
     tracing:
       auth:
         ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-        type: "bearer"
-        use_kiali_token: true
+        type: "basic"
+        use_kiali_token: false
+        username: "internal"
+        password: ""
       enabled: true
       namespace: "{{ .Release.Namespace }}"
       service : ""

helm/istio/charts/tracing/templates/jaeger-all-in-one.yaml

@@ -57,7 +57,17 @@ spec:
       {{- range $key, $value := .Values.ingress.annotations }}
         {{ $key }}: {{ $value | quote }}
       {{- end }}
+    openshift:
+      sar: '{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'
+      htpasswdFile: /etc/proxy/htpasswd/auth
 
+  volumeMounts:
+  - name: secret-htpasswd
+    mountPath: /etc/proxy/htpasswd
+  volumes:
+  - name: secret-htpasswd
+    secret:
+      secretName: htpasswd
   resources:
 {{- if .Values.jaeger.resources }}
 {{ toYaml .Values.jaeger.resources | indent 4 }}

helm/istio/charts/tracing/templates/jaeger-production-elasticsearch.yaml

@@ -73,7 +73,17 @@ spec:
       {{- range $key, $value := .Values.ingress.annotations }}
         {{ $key }}: {{ $value | quote }}
       {{- end }}
+    openshift:
+      sar: '{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'
+      htpasswdFile: /etc/proxy/htpasswd/auth
 
+  volumeMounts:
+  - name: secret-htpasswd
+    mountPath: /etc/proxy/htpasswd
+  volumes:
+  - name: secret-htpasswd
+    secret:
+      secretName: htpasswd
   resources:
 {{- if .Values.jaeger.resources }}
 {{ toYaml .Values.jaeger.resources | indent 4 }}

helm/istio/charts/prometheus/templates/htpasswd-secret.yaml → helm/istio/templates/htpasswd-secret.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 data:
   auth: ""
+  rawPassword: ""
 kind: Secret
 metadata:
-  name: prometheus-htpasswd
+  name: htpasswd
   namespace: {{ .Release.Namespace }}
   labels:
-    app: prometheus
-    chart: {{ template "prometheus.chart" . }}
+    app: istio
+    chart: {{ template "istio.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 type: Opaque

pkg/controller/servicemesh/controlplane/hooks.go

@@ -32,8 +32,8 @@ func (r *ControlPlaneReconciler) preprocessObject(object *unstructured.Unstructu
 			return r.patchGrafanaConfig(object)
 		}
 	case "Secret":
-		if object.GetName() == "prometheus-htpasswd" {
-			return r.patchPrometheusHtpasswd(object)
+		if object.GetName() == "htpasswd" {
+			return r.patchHtpasswdSecret(object)
 		}
 	}
 	return nil
@@ -148,6 +148,23 @@ func (r *ControlPlaneReconciler) patchKialiConfig(object *unstructured.Unstructu
 		return fmt.Errorf("could not set grafana enabled flag in kiali CR: %s", err)
 	}
 
+	rawPassword, err := r.getRawHtPasswd(object)
+	if err != nil {
+		return err
+	}
+	err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "grafana", "auth", "password")
+	if err != nil {
+		return fmt.Errorf("could not set grafana password in kiali CR: %s", err)
+	}
+	err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "prometheus", "auth", "password")
+	if err != nil {
+		return fmt.Errorf("could not set prometheus password in kiali CR: %s", err)
+	}
+	err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "tracing", "auth", "password")
+	if err != nil {
+		return fmt.Errorf("could not set tracing password in kiali CR: %s", err)
+	}
+
 	return nil
 }
 

pkg/controller/servicemesh/controlplane/grafana.go → pkg/controller/servicemesh/controlplane/htpasswd.go

@@ -14,20 +14,20 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func (r *ControlPlaneReconciler) patchPrometheusHtpasswd(object *unstructured.Unstructured) error {
+func (r *ControlPlaneReconciler) patchHtpasswdSecret(object *unstructured.Unstructured) error {
 	var rawPassword, auth string
 
 	htSecret := &corev1.Secret{}
-	err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "prometheus-htpasswd"}, htSecret)
+	err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "htpasswd"}, htSecret)
 	if err == nil {
 		rawPassword = string(htSecret.Data["rawPassword"])
 		auth = string(htSecret.Data["auth"])
 	} else {
-		r.Log.Info("Creating Prometheus HTPasswd entry", object.GetKind(), object.GetName())
+		r.Log.Info("Creating HTPasswd entry", object.GetKind(), object.GetName())
 
 		rawPassword, err = generatePassword(255)
 		if err != nil {
-			r.Log.Error(err, "failed to generate the Prometheus password")
+			r.Log.Error(err, "failed to generate the HTPasswd password")
 			return err
 		}
 		h := sha1.New()
@@ -41,19 +41,30 @@ func (r *ControlPlaneReconciler) patchPrometheusHtpasswd(object *unstructured.Un
 	// We store the raw password in order to be able to retrieve it below, when patching Grafana ConfigMap
 	err = unstructured.SetNestedField(object.UnstructuredContent(), b64Password, "data", "rawPassword")
 	if err != nil {
-		r.Log.Error(err, "failed to set prometheus raw password")
+		r.Log.Error(err, "failed to set htpasswd raw password")
 		return err
 	}
 
 	err = unstructured.SetNestedField(object.UnstructuredContent(), b64Auth, "data", "auth")
 	if err != nil {
-		r.Log.Error(err, "failed to set prometheus htpasswd entry")
+		r.Log.Error(err, "failed to set htpasswd auth entry")
 		return err
 	}
 
 	return nil
 }
 
+func (r *ControlPlaneReconciler) getRawHtPasswd(object *unstructured.Unstructured) (string, error) {
+	htSecret := &corev1.Secret{}
+	err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "htpasswd"}, htSecret)
+	if err != nil {
+		r.Log.Error(err, "error retrieving htpasswd Secret")
+		return "", err
+	}
+
+	return string(htSecret.Data["rawPassword"]), nil
+}
+
 func (r *ControlPlaneReconciler) patchGrafanaConfig(object *unstructured.Unstructured) error {
 	dsYaml, found, err := unstructured.NestedString(object.UnstructuredContent(), "data", "datasources.yaml")
 	if err != nil || !found {
@@ -63,14 +74,10 @@ func (r *ControlPlaneReconciler) patchGrafanaConfig(object *unstructured.Unstruc
 
 	r.Log.Info("patching Grafana-Prometheus link", object.GetKind(), object.GetName())
 
-	// Retrieve the raw password created when processing Prometheus charts
-	htSecret := &corev1.Secret{}
-	err = r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "prometheus-htpasswd"}, htSecret)
+	rawPassword, err := r.getRawHtPasswd(object)
 	if err != nil {
-		r.Log.Error(err, "error retrieving prometheus-htpasswd Secret")
 		return err
 	}
-	rawPassword := string(htSecret.Data["rawPassword"])
 
 	var re = regexp.MustCompile("(?s)(basicAuthPassword:).*?\n")
 	dsYaml = re.ReplaceAllString(dsYaml, fmt.Sprintf("${1} %s\n", rawPassword))

tmp/build/patch-grafana.sh

@@ -28,15 +28,17 @@ function grafana_patch_deployment() {
           volumeMounts:\
           - mountPath: /etc/tls/private\
             name: secret-grafana-tls\
+          - mountPath: /etc/proxy/htpasswd\
+            name: secret-htpasswd\
           args:\
           - -provider=openshift\
           - -https-address=:3001\
           - -http-address=\
           - -email-domain=*\
           - -upstream=http://localhost:3000\
+          - -htpasswd-file=/etc/proxy/htpasswd/auth\
+          - -display-htpasswd-form=false\
           - '\''-openshift-sar={"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'\''\
-          - '\''-openshift-delegate-urls={"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}'\''\
-          - -skip-auth-regex=^/metrics\
           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token\
           - -openshift-service-account=grafana\
           - -cookie-secret=SECRET\
@@ -49,7 +51,11 @@ function grafana_patch_deployment() {
       - name: secret-grafana-tls\
         secret:\
           defaultMode: 420\
-          secretName: grafana-tls' \
+          secretName: grafana-tls\
+      - name: secret-htpasswd\
+        secret:\
+          defaultMode: 420\
+          secretName: htpasswd' \
       -e 's/^\(.*\)containers:\(.*\)$/\1serviceAccountName: grafana\
 \1containers:\2/' \
       -e '/- if \.Values\.security\.enabled/,/- end/ { d }' \

tmp/build/patch-prometheus.sh

@@ -24,7 +24,7 @@ function prometheus_patch_deployment() {
           - mountPath: /etc/tls/private\
             name: secret-prometheus-tls\
           - mountPath: /etc/proxy/htpasswd\
-            name: secret-prometheus-htpasswd\
+            name: secret-htpasswd\
           args:\
           - -provider=openshift\
           - -https-address=:3001\
@@ -34,8 +34,6 @@ function prometheus_patch_deployment() {
           - -htpasswd-file=/etc/proxy/htpasswd/auth\
           - -display-htpasswd-form=false\
           - '\''-openshift-sar={"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'\''\
-          - '\''-openshift-delegate-urls={"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}'\''\
-          - -skip-auth-regex=^/metrics\
           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token\
           - -openshift-service-account=prometheus\
           - -cookie-secret=SECRET\
@@ -49,10 +47,10 @@ function prometheus_patch_deployment() {
         secret:\
           defaultMode: 420\
           secretName: prometheus-tls\
-      - name: secret-prometheus-htpasswd\
+      - name: secret-htpasswd\
         secret:\
           defaultMode: 420\
-          secretName: prometheus-htpasswd' \
+          secretName: htpasswd' \
       -e 's/^\(.*\)containers:\(.*\)$/\1serviceAccountName: prometheus\
 \1containers:\2/' \
   ${HELM_DIR}/istio/charts/prometheus/templates/deployment.yaml