From f36c187956cbc84b8ae8f170d90fff658f27f941 Mon Sep 17 00:00:00 2001 From: Jonh Wendell Date: Tue, 30 Jul 2019 17:44:29 -0400 Subject: [PATCH] [MAISTRA-624] Use basic HTTP auth for internal communication Between kiali, grafana and prometheus. This way we can get rid of cluster role bindings. --- .../grafana/templates/meshclusterrole.yaml | 16 ---------- .../templates/meshclusterrolebinding.yaml | 17 ----------- .../charts/kiali/templates/kiali-cr.yaml | 12 +++++--- .../prometheus/templates/meshclusterrole.yaml | 21 -------------- .../templates/meshclusterrolebindings.yaml | 17 ----------- .../templates/htpasswd-secret.yaml | 7 +++-- .../servicemesh/controlplane/hooks.go | 17 +++++++++-- .../controlplane/{grafana.go => htpasswd.go} | 29 ++++++++++++------- tmp/build/patch-grafana.sh | 12 ++++++-- tmp/build/patch-prometheus.sh | 8 ++--- 10 files changed, 57 insertions(+), 99 deletions(-) delete mode 100644 helm/istio/charts/grafana/templates/meshclusterrole.yaml delete mode 100644 helm/istio/charts/grafana/templates/meshclusterrolebinding.yaml delete mode 100644 helm/istio/charts/prometheus/templates/meshclusterrole.yaml delete mode 100644 helm/istio/charts/prometheus/templates/meshclusterrolebindings.yaml rename helm/istio/{charts/prometheus => }/templates/htpasswd-secret.yaml (66%) rename pkg/controller/servicemesh/controlplane/{grafana.go => htpasswd.go} (73%) diff --git a/helm/istio/charts/grafana/templates/meshclusterrole.yaml b/helm/istio/charts/grafana/templates/meshclusterrole.yaml deleted file mode 100644 index 5811baae92c..00000000000 --- a/helm/istio/charts/grafana/templates/meshclusterrole.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-grafana-mesh-{{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] diff --git a/helm/istio/charts/grafana/templates/meshclusterrolebinding.yaml b/helm/istio/charts/grafana/templates/meshclusterrolebinding.yaml deleted file mode 100644 index 897afb842c6..00000000000 --- a/helm/istio/charts/grafana/templates/meshclusterrolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-grafana-mesh-{{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-grafana-mesh-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: grafana - namespace: {{ .Release.Namespace }} diff --git a/helm/istio/charts/kiali/templates/kiali-cr.yaml b/helm/istio/charts/kiali/templates/kiali-cr.yaml index 279c43476cd..812a80ef7fd 100644 --- a/helm/istio/charts/kiali/templates/kiali-cr.yaml +++ b/helm/istio/charts/kiali/templates/kiali-cr.yaml @@ -36,16 +36,20 @@ spec: grafana: auth: ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - type: "bearer" - use_kiali_token: true + type: "basic" + use_kiali_token: false + username: "internal" + password: "" enabled: true in_cluster_url: "https://grafana.{{ .Release.Namespace }}.svc:3000" url: "{{ .Values.dashboard.grafanaURL }}" prometheus: auth: ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - type: "bearer" - use_kiali_token: true + type: "basic" + use_kiali_token: false + username: "internal" + password: "" url: "https://prometheus.{{ .Release.Namespace }}.svc:9090" tracing: auth: diff --git a/helm/istio/charts/prometheus/templates/meshclusterrole.yaml b/helm/istio/charts/prometheus/templates/meshclusterrole.yaml deleted file mode 100644 index c8ddd346e65..00000000000 --- a/helm/istio/charts/prometheus/templates/meshclusterrole.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: prometheus-mesh-{{ .Release.Namespace }} - labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: [""] - resources: - - nodes - - nodes/proxy - verbs: ["get", "list", "watch"] -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] diff --git a/helm/istio/charts/prometheus/templates/meshclusterrolebindings.yaml b/helm/istio/charts/prometheus/templates/meshclusterrolebindings.yaml deleted file mode 100644 index b341fcdf257..00000000000 --- a/helm/istio/charts/prometheus/templates/meshclusterrolebindings.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: prometheus-mesh-{{ .Release.Namespace }} - labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus-mesh-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: prometheus - namespace: {{ .Release.Namespace }} diff --git a/helm/istio/charts/prometheus/templates/htpasswd-secret.yaml b/helm/istio/templates/htpasswd-secret.yaml similarity index 66% rename from helm/istio/charts/prometheus/templates/htpasswd-secret.yaml rename to helm/istio/templates/htpasswd-secret.yaml index 196b8e38caf..b6240e0c167 100644 --- a/helm/istio/charts/prometheus/templates/htpasswd-secret.yaml +++ b/helm/istio/templates/htpasswd-secret.yaml @@ -1,13 +1,14 @@ apiVersion: v1 data: auth: "" + rawPassword: "" kind: Secret metadata: - name: prometheus-htpasswd + name: htpasswd namespace: {{ .Release.Namespace }} labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} + app: istio + chart: {{ template "istio.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} type: Opaque diff --git a/pkg/controller/servicemesh/controlplane/hooks.go b/pkg/controller/servicemesh/controlplane/hooks.go index fd720f284ae..eeb9e83d5b7 100644 --- a/pkg/controller/servicemesh/controlplane/hooks.go +++ b/pkg/controller/servicemesh/controlplane/hooks.go @@ -54,8 +54,8 @@ func (r *ControlPlaneReconciler) preprocessObject(object *unstructured.Unstructu return r.patchGrafanaConfig(object) } case "Secret": - if object.GetName() == "prometheus-htpasswd" { - return r.patchPrometheusHtpasswd(object) + if object.GetName() == "htpasswd" { + return r.patchHtpasswdSecret(object) } } return nil @@ -170,6 +170,19 @@ func (r *ControlPlaneReconciler) patchKialiConfig(object *unstructured.Unstructu return fmt.Errorf("could not set grafana enabled flag in kiali CR: %s", err) } + rawPassword, err := r.getRawHtPasswd(object) + if err != nil { + return err + } + err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "grafana", "auth", "password") + if err != nil { + return fmt.Errorf("could not set grafana password in kiali CR: %s", err) + } + err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "prometheus", "auth", "password") + if err != nil { + return fmt.Errorf("could not set prometheus password in kiali CR: %s", err) + } + return nil } diff --git a/pkg/controller/servicemesh/controlplane/grafana.go b/pkg/controller/servicemesh/controlplane/htpasswd.go similarity index 73% rename from pkg/controller/servicemesh/controlplane/grafana.go rename to pkg/controller/servicemesh/controlplane/htpasswd.go index f221a345c56..8a5eb4e897f 100644 --- a/pkg/controller/servicemesh/controlplane/grafana.go +++ b/pkg/controller/servicemesh/controlplane/htpasswd.go @@ -14,20 +14,20 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) -func (r *ControlPlaneReconciler) patchPrometheusHtpasswd(object *unstructured.Unstructured) error { +func (r *ControlPlaneReconciler) patchHtpasswdSecret(object *unstructured.Unstructured) error { var rawPassword, auth string htSecret := &corev1.Secret{} - err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "prometheus-htpasswd"}, htSecret) + err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "htpasswd"}, htSecret) if err == nil { rawPassword = string(htSecret.Data["rawPassword"]) auth = string(htSecret.Data["auth"]) } else { - r.Log.Info("Creating Prometheus HTPasswd entry", object.GetKind(), object.GetName()) + r.Log.Info("Creating HTPasswd entry", object.GetKind(), object.GetName()) rawPassword, err = generatePassword(255) if err != nil { - r.Log.Error(err, "failed to generate the Prometheus password") + r.Log.Error(err, "failed to generate the HTPasswd password") return err } h := sha1.New() @@ -41,19 +41,30 @@ func (r *ControlPlaneReconciler) patchPrometheusHtpasswd(object *unstructured.Un // We store the raw password in order to be able to retrieve it below, when patching Grafana ConfigMap err = unstructured.SetNestedField(object.UnstructuredContent(), b64Password, "data", "rawPassword") if err != nil { - r.Log.Error(err, "failed to set prometheus raw password") + r.Log.Error(err, "failed to set htpasswd raw password") return err } err = unstructured.SetNestedField(object.UnstructuredContent(), b64Auth, "data", "auth") if err != nil { - r.Log.Error(err, "failed to set prometheus htpasswd entry") + r.Log.Error(err, "failed to set htpasswd auth entry") return err } return nil } +func (r *ControlPlaneReconciler) getRawHtPasswd(object *unstructured.Unstructured) (string, error) { + htSecret := &corev1.Secret{} + err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "htpasswd"}, htSecret) + if err != nil { + r.Log.Error(err, "error retrieving htpasswd Secret") + return "", err + } + + return string(htSecret.Data["rawPassword"]), nil +} + func (r *ControlPlaneReconciler) patchGrafanaConfig(object *unstructured.Unstructured) error { dsYaml, found, err := unstructured.NestedString(object.UnstructuredContent(), "data", "datasources.yaml") if err != nil || !found { @@ -63,14 +74,10 @@ func (r *ControlPlaneReconciler) patchGrafanaConfig(object *unstructured.Unstruc r.Log.Info("patching Grafana-Prometheus link", object.GetKind(), object.GetName()) - // Retrieve the raw password created when processing Prometheus charts - htSecret := &corev1.Secret{} - err = r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "prometheus-htpasswd"}, htSecret) + rawPassword, err := r.getRawHtPasswd(object) if err != nil { - r.Log.Error(err, "error retrieving prometheus-htpasswd Secret") return err } - rawPassword := string(htSecret.Data["rawPassword"]) var re = regexp.MustCompile("(?s)(basicAuthPassword:).*?\n") dsYaml = re.ReplaceAllString(dsYaml, fmt.Sprintf("${1} %s\n", rawPassword)) diff --git a/tmp/build/patch-grafana.sh b/tmp/build/patch-grafana.sh index 3a38d980cf4..8a6832c4fc4 100755 --- a/tmp/build/patch-grafana.sh +++ b/tmp/build/patch-grafana.sh @@ -28,15 +28,17 @@ function grafana_patch_deployment() { volumeMounts:\ - mountPath: /etc/tls/private\ name: secret-grafana-tls\ + - mountPath: /etc/proxy/htpasswd\ + name: secret-htpasswd\ args:\ - -provider=openshift\ - -https-address=:3001\ - -http-address=\ - -email-domain=*\ - -upstream=http://localhost:3000\ + - -htpasswd-file=/etc/proxy/htpasswd/auth\ + - -display-htpasswd-form=false\ - '\''-openshift-sar={"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'\''\ - - '\''-openshift-delegate-urls={"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}'\''\ - - -skip-auth-regex=^/metrics\ - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token\ - -openshift-service-account=grafana\ - -cookie-secret=SECRET\ @@ -49,7 +51,11 @@ function grafana_patch_deployment() { - name: secret-grafana-tls\ secret:\ defaultMode: 420\ - secretName: grafana-tls' \ + secretName: grafana-tls\ + - name: secret-htpasswd\ + secret:\ + defaultMode: 420\ + secretName: htpasswd' \ -e 's/^\(.*\)containers:\(.*\)$/\1serviceAccountName: grafana\ \1containers:\2/' \ -e '/- if \.Values\.security\.enabled/,/- end/ { d }' \ diff --git a/tmp/build/patch-prometheus.sh b/tmp/build/patch-prometheus.sh index 8cf936e61fe..9cd687b1780 100644 --- a/tmp/build/patch-prometheus.sh +++ b/tmp/build/patch-prometheus.sh @@ -24,7 +24,7 @@ function prometheus_patch_deployment() { - mountPath: /etc/tls/private\ name: secret-prometheus-tls\ - mountPath: /etc/proxy/htpasswd\ - name: secret-prometheus-htpasswd\ + name: secret-htpasswd\ args:\ - -provider=openshift\ - -https-address=:3001\ @@ -34,8 +34,6 @@ function prometheus_patch_deployment() { - -htpasswd-file=/etc/proxy/htpasswd/auth\ - -display-htpasswd-form=false\ - '\''-openshift-sar={"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'\''\ - - '\''-openshift-delegate-urls={"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}'\''\ - - -skip-auth-regex=^/metrics\ - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token\ - -openshift-service-account=prometheus\ - -cookie-secret=SECRET\ @@ -49,10 +47,10 @@ function prometheus_patch_deployment() { secret:\ defaultMode: 420\ secretName: prometheus-tls\ - - name: secret-prometheus-htpasswd\ + - name: secret-htpasswd\ secret:\ defaultMode: 420\ - secretName: prometheus-htpasswd' \ + secretName: htpasswd' \ -e 's/^\(.*\)containers:\(.*\)$/\1serviceAccountName: prometheus\ \1containers:\2/' \ ${HELM_DIR}/istio/charts/prometheus/templates/deployment.yaml