Add support for http(s)_proxy for use in k8s authenticator

cyberark · Feb 9, 2022 · de1f890 · de1f890
1 parent 05ddcb9
commit de1f890
Show file tree

Hide file tree

Showing 10 changed files with 170 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added support for SNI certificates when talking to the Kubernetes API 
   server through the web socket client.
   [ONYX-14386](https://ca-il-jira.il.cyber-ark.com:8443/browse/ONYX-14386)
+- Added support for http(s)_proxy for Kubernetes client in Kubernetes 
+  authentiator
+  [ONYX-16433](https://ca-il-jira.il.cyber-ark.com:8443/browse/ONYX-16433)
 
 ## [1.17.0] - 2022-02-09
 

diff --git a/app/domain/authentication/authn_k8s/k8s_object_lookup.rb b/app/domain/authentication/authn_k8s/k8s_object_lookup.rb
@@ -59,7 +59,8 @@ def options
           ssl_options: {
             cert_store: @cert_store,
             verify_ssl: OpenSSL::SSL::VERIFY_PEER
-          }
+          },
+          http_proxy_uri: ENV['https_proxy'] ? ENV['https_proxy'] : ENV['http_proxy']
         }
       end
 

diff --git a/ci/authn-k8s/.gitignore b/ci/authn-k8s/.gitignore
@@ -4,3 +4,5 @@ dev/tls/*.crt
 nginx.crt
 /output/
 dev/**/*.openshift.yml
+sni.crt
+sni.out
diff --git a/ci/authn-k8s/build_locally.sh b/ci/authn-k8s/build_locally.sh
@@ -2,6 +2,11 @@
 
 sni_cert=$1
 
+# Set up VERSION file for local development
+if [ ! -f "../../VERSION" ]; then
+  echo -n "0.0.dev" > ../../VERSION
+fi
+
 if [[ ! -z "$sni_cert" ]]; then
   sni_cert="$(realpath $1)"
 fi

diff --git a/ci/authn-k8s/dev/Dockerfile.tinyproxy b/ci/authn-k8s/dev/Dockerfile.tinyproxy
@@ -0,0 +1,3 @@
+FROM travix/tinyproxy:latest
+
+COPY proxy/tinyproxy.conf /etc/tinyproxy.conf
diff --git a/ci/authn-k8s/dev/dev_conjur_http_proxy.template.yaml b/ci/authn-k8s/dev/dev_conjur_http_proxy.template.yaml
@@ -0,0 +1,88 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: conjur-authn-k8s
+  labels:
+    app: conjur-authn-k8s
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: conjur-authn-k8s
+  template:
+    metadata:
+      labels:
+        app: conjur-authn-k8s
+    spec:
+      containers:
+      - image: {{ CONJUR_AUTHN_K8S_TAG }}
+        imagePullPolicy: Always
+        name: conjur
+        command: ["conjurctl", "server"]
+        env:
+        - name: DATABASE_URL
+          value: postgres://postgres@postgres:5432/postgres
+        - name: CONJUR_ADMIN_PASSWORD
+          value: admin
+        - name: CONJUR_ACCOUNT
+          value: cucumber
+        - name: CONJUR_DATA_KEY
+          value: "{{ DATA_KEY }}"
+        - name: RAILS_ENV
+          value: test
+        # Enable coverage tracking.
+        - name: REQUIRE_SIMPLECOV
+          value: "true"
+        # Sleep after generating the coverage report to keep the pod alive
+        # so the report can be retrieved.
+        - name: SIMPLECOV_SLEEP
+          value: "true"
+        - name: WEB_CONCURRENCY
+          value: "0"
+        - name: RAILS_MAX_THREADS
+          value: "10"
+        - name: CONJUR_AUTHENTICATORS
+          value: authn-k8s/minikube
+        - name: https_proxy
+          value: 'http://tinyproxy:8888'
+        volumeMounts:
+          - mountPath: /run/authn-local
+            name: authn-local
+      volumes:
+        - name: authn-local
+          emptyDir:
+            medium: Memory
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tinyproxy
+  labels:
+    app: tinyproxy
+spec:
+  ports:
+    - port: 8888
+      name: http
+  selector:
+    app: tinyproxy
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tinyproxy
+  labels:
+    app: tinyproxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tinyproxy
+  template:
+    metadata:
+      labels:
+        app: tinyproxy
+    spec:
+      containers:
+        - name: tinyproxy
+          image: {{TINYPROXY_TAG}}
+          imagePullPolicy: Always
diff --git a/ci/authn-k8s/dev/proxy/tinyproxy.conf b/ci/authn-k8s/dev/proxy/tinyproxy.conf
@@ -0,0 +1,15 @@
+User tinyproxy
+Group tinyproxy
+Port 8888
+Timeout 600
+DefaultErrorFile "/usr/share/tinyproxy/default.html"
+StatHost "tinyproxy.stats"
+LogFile "/var/log/tinyproxy/tinyproxy.log"
+LogLevel Info
+MaxClients 100
+MinSpareServers 5
+MaxSpareServers 20
+StartServers 10
+MaxRequestsPerChild 0
+
+ViaProxyName "tinyproxy"
diff --git a/ci/authn-k8s/test.sh b/ci/authn-k8s/test.sh
@@ -11,7 +11,9 @@ PLATFORM="$1"  # k8s platform
 function main() {
   setupTestEnvironment $PLATFORM
 
-  createNginxCert
+  createNginxCerts
+
+  fetchSNICertificate
 
   fetchSNICertificate
 
@@ -30,6 +32,21 @@ function main() {
   esac
 }
 
+function fetchSNICertificate() {
+#  docker run --rm -i \
+#         -w /home -v $PWD/dev/tls:/home \
+#         svagi/openssl req\
+#         -x509 \
+#         -nodes \
+#         -days 365 \
+#         -newkey rsa:2048 \
+#         -config /home/tls.conf \
+#         -extensions v3_ca \
+#         -keyout nginx.key \
+#         -out nginx.crt
+  echo "Fetching the SNI certificate"
+}
+
 function setupTestEnvironment() {
   local platform="$1"
 
@@ -57,9 +74,11 @@ function setupTestEnvironment() {
   export INVENTORY_TAG="${DOCKER_REGISTRY_PATH}/inventory:$CONJUR_AUTHN_K8S_TEST_NAMESPACE"
 
   export NGINX_TAG="${DOCKER_REGISTRY_PATH}/nginx:$CONJUR_AUTHN_K8S_TEST_NAMESPACE"
+  export TINYPROXY_TAG="${DOCKER_REGISTRY_PATH}/tinyproxy:$CONJUR_AUTHN_K8S_TEST_NAMESPACE"
+
 }
 
-function createNginxCert() {
+function createNginxCerts() {
   docker pull svagi/openssl
 
   docker run --rm -i \
@@ -119,6 +138,7 @@ function buildDockerImages() {
     dev
 
   docker build -t "$NGINX_TAG" -f dev/Dockerfile.nginx dev
+  docker build -t "$TINYPROXY_TAG" -f dev/Dockerfile.tinyproxy dev
 
   docker build --build-arg OPENSHIFT_CLI_URL="$OPENSHIFT_CLI_URL" \
     -t "$CONJUR_AUTHN_K8S_TESTER_TAG" -f dev/Dockerfile.test dev
@@ -165,6 +185,7 @@ function test_openshift() {
     -e INVENTORY_TAG \
     -e INVENTORY_BASE_TAG \
     -e NGINX_TAG \
+    -e TINYPROXY_TAG \
     -e CONJUR_AUTHN_K8S_TEST_NAMESPACE \
     -e PLATFORM \
     -e K8S_VERSION \

diff --git a/ci/authn-k8s/test_oc_entrypoint.sh b/ci/authn-k8s/test_oc_entrypoint.sh
@@ -22,8 +22,8 @@ function finish {
 
   sleep 5
 
-  oc adm policy remove-scc-from-user anyuid -z default
-  oc --ignore-not-found=true delete project $CONJUR_AUTHN_K8S_TEST_NAMESPACE
+  #oc adm policy remove-scc-from-user anyuid -z default
+  #oc --ignore-not-found=true delete project $CONJUR_AUTHN_K8S_TEST_NAMESPACE
 }
 
 export TEMPLATE_TAG="$PLATFORM."
@@ -44,10 +44,15 @@ function main() {
   loadConjurPolicies
   launchInventoryServices
 
+  resetLogFile
   runTests
   finish
 }
 
+function resetLogFile() {
+  cat /dev/null > "output/$PLATFORM-authn-k8s-logs.txt"
+}
+
 function printLogs() {
   {
     pod_name=$(retrieve_pod conjur-authn-k8s)
@@ -58,14 +63,14 @@ function printLogs() {
       kubectl cp $pod_name:/src/authn-k8s/output output
 
       echo "Logs from Conjur Pod $pod_name:"
-      oc logs $pod_name > "output/$PLATFORM-authn-k8s-logs.txt"
+      oc logs $pod_name >> "output/$PLATFORM-authn-k8s-logs.txt"
 
       # Rails.logger writes the logs to the environment log file
       oc exec $pod_name -- bash -c "cat /opt/conjur-server/log/test.log" >> "output/$PLATFORM-authn-k8s-logs.txt"
 
       echo "Printing Logs from Conjur to the console"
       echo "==========================="
-      cat "output/$PLATFORM-authn-k8s-logs.txt"
+      #cat "output/$PLATFORM-authn-k8s-logs.txt"
       echo "==========================="
     fi
   } || {
@@ -129,6 +134,7 @@ function pushDockerImages() {
   docker push "$CONJUR_TEST_AUTHN_K8S_TAG"
   docker push "$INVENTORY_TAG"
   docker push "$NGINX_TAG"
+  docker push "$TINYPROXY_TAG"
 }
 
 function launchConjurMaster() {
@@ -176,8 +182,8 @@ function loadConjurPolicies() {
   oc exec $conjur_pod -- rake authn_k8s:ca_init["conjur/authn-k8s/minikube"]
 
   # set test password value
-#  password=$(openssl rand -hex 12)
-#  conjurcmd conjur variable values add inventory-db/password $password
+  #password=$(openssl rand -hex 12)
+  #conjurcmd conjur variable values add inventory-db/password $password
 }
 
 function launchInventoryServices() {
@@ -222,7 +228,7 @@ function runTests() {
 
   conjurcmd mkdir -p /opt/conjur-server/output
 
-  run_cucumber "~@skip --tags ~@k8s_skip --tags ~@sni_fails --tags ~@sni_success"
+  run_cucumber "~@skip --tags ~@k8s_skip --tags ~@sni_fails --tags ~@sni_success --tags ~@http_proxy"
 
   printLogs
 
@@ -240,6 +246,12 @@ function runTests() {
   run_cucumber "@sni_success"
 
   printLogs
+
+  run_conjur_master "dev_conjur_http_proxy"
+
+  run_cucumber "@http_proxy"
+
+  printLogs
 }
 
 function retrieve_pod() {
@@ -264,6 +276,8 @@ function run_conjur_master() {
     sed -e "s#{{ KUBERNETES_API_FQDN }}#$api_fqdn#g" |
     oc apply -f -
 
+  sleep 5
+
   conjur_pod=$(retrieve_pod conjur-authn-k8s)
 
   wait_for_it 300 "oc describe po $conjur_pod | grep Status: | grep -q Running"

diff --git a/cucumber/kubernetes/features/http_proxy.feature b/cucumber/kubernetes/features/http_proxy.feature
@@ -0,0 +1,8 @@
+Feature: A permitted Conjur host can authenticate with a valid resource restrictions
+  that is defined in the id and the kubernetes host can be reached through a
+  http_proxy
+
+  @http_proxy
+  Scenario: Authenticate as a Pod.
+    Given I can login to pod matching "app=inventory-pod" to authn-k8s as "*/*"
+    Then I can authenticate pod matching "pod/inventory-pod" with authn-k8s as "*/*"