cacheroach: Add OIDC user provisioning.

This change allows cacheroach use an OpenID Connect provider to automatically provision users and removes password-based authentication from cacheroach. OIDC-derived Principals will use the "offline" authentication flow, allowing for ongoing revalidation of the upstream user account. It is still possible to create principals that do not have a backing OIDC account to use as role accounts for automation.
bobvawter · Mar 18, 2021 · e544447 · e544447
1 parent 24ad292
commit e544447
Show file tree

Hide file tree

Showing 50 changed files with 1,460 additions and 1,288 deletions.
diff --git a/Dockerfile.gcr b/Dockerfile.gcr
@@ -3,10 +3,14 @@
 #
 # Prerequisites:
 #  * Add https://cloud.google.com/secret-manager to your project
+#  * Create a web-application OAuth 2.0 Client ID. You may have to also
+#    configure the OAuth consent screen for your GCP project.
 #  * Upload a tar.gz file containing the following files
 #    * ca.crt: Your CockroachDB CA certificate
 #    * hmac: Some BASE64-encoded random data for signing JWT tokens
 #    * connect: A plain-text file containing the connection URL
+#    * oidc_client_id: An OAuth2 web-services client ID
+#    * oidc_client_secret: An OAuth2 web-services client secret
 #  * Create a "Serverless VPC Connector" unless you access your
 #    database over the public Internet.
 #  * If using Cockroach Cloud, enable VPC peering between your project
@@ -22,20 +26,33 @@
 # The disk cache is not enabled, since the Cloud Run disk is an
 # in-memory filesystem that counts against the total memory budget.
 
-FROM golang:1.15 AS builder
+FROM golang:1.16 AS builder
 WORKDIR /tmp/compile
 COPY . .
 RUN CGO_ENABLED=0 go build -v -ldflags="-s -w" -o /usr/bin/cacheroach .
 
 FROM scratch
 # Expect $PORT from Cloud Run environment.
-ENV CACHE_MEMORY="128" CONNECT="@connect" GCLOUD_SECRET_NAME="" HMAC="@hmac"
+ENV CACHE_MEMORY="128" \
+    CONNECT="@connect" \
+    GCLOUD_SECRET_NAME="" \
+    HMAC="@hmac" \
+    OIDC_CLIENT_ID="@oidc_client_id" \
+    OIDC_CLIENT_SECRET="@oidc_client_secret" \
+    OIDC_DOMAINS="cockroachlabs.com" \
+    OIDC_ISSUER="https://accounts.google.com"
+
 ENTRYPOINT [ \
   "/usr/bin/cacheroach", \
   "start", \
+  "--assumeSecure", \
   "--bindAddr", ":$PORT", \
   "--cacheMemory", "$CACHE_MEMORY", \
   "--connect", "$CONNECT", \
+  "--oidcClientID", "$OIDC_CLIENT_ID", \
+  "--oidcClientSecret", "$OIDC_CLIENT_SECRET", \
+  "--oidcDomains", "$OIDC_DOMAINS", \
+  "--oidcIssuer", "$OIDC_ISSUER", \
   "--signingKey", "$HMAC" \
 ]
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

diff --git a/api/auth.proto b/api/auth.proto
diff --git a/api/auth/auth.pb.go b/api/auth/auth.pb.go