Conversation

@Alevsk Alevsk commented Jun 12, 2020

MCS will authenticate against Mkube using bearer tokens via the HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS session
with encrypted claims (the user's Service account token will be inside the
JWT in the data field)

Kubernetes

The provided JWT token corresponds to the Kubernetes service account
that Mkube will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make
requests to Mkube you can set `MCS_M3_HOSTNAME`; if
the environment variable is not present, by default MCS will use
`http://m3:8787`. Additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI.

Extract the Service account token and use it with MCS

For local development you can use the JWT associated with the `m3-sa`
service account; you can get the token by running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs server
```

Self-signed certificates and Custom certificate authority for Mkube

If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority, you can add those
certificates using the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable:

```
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs server
```
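The login flow the description above lays out, written out as an added example in Go (the project's language). This is not code from this PR or from mcs: the `login`, `sealSession` and `openSession` names, the `/api/v1/tenants` route used as the "does this token work" probe, the HS256 JWT signed with a server-side HMAC key, and the AES-GCM key handling are all assumptions about how the described design could be realised, not the project's implementation. Only after Mkube has answered 200 to the bearer token is a session minted, and the session carries the service-account token solely as ciphertext in the `data` claim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type sessionClaims struct {
	Exp  int64  `json:"exp"`
	Data string `json:"data"` // base64url(nonce || AES-GCM(saToken)); the SA token never appears in clear
}

// newAEAD wraps the MCS server's encryption secret (16, 24 or 32 bytes) in AES-GCM.
func newAEAD(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSession mints the session: the SA token becomes nonce-prefixed AES-GCM ciphertext in
// the "data" claim, and the claims are wrapped in an HS256 JWT signed with signKey.
func sealSession(aead cipher.AEAD, signKey []byte, saToken string, exp time.Time) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(saToken), nil)
	body, _ := json.Marshal(sessionClaims{Exp: exp.Unix(), Data: b64.EncodeToString(sealed)}) // cannot fail
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, signKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// openSession runs on every later MCS request: verify the HMAC with the server's own key (the
// header "alg" is never read, so it cannot be downgraded), reject expired sessions, decrypt.
func openSession(aead cipher.AEAD, signKey []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed session token")
	}
	mac := hmac.New(sha256.New, signKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("invalid session signature")
	}
	var claims sessionClaims
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &claims) != nil {
		return "", errors.New("unreadable session claims")
	}
	if now.Unix() >= claims.Exp {
		return "", errors.New("session expired")
	}
	sealed, err := b64.DecodeString(claims.Data)
	if err != nil || len(sealed) < aead.NonceSize() { // length check avoids a slice panic on junk input
		return "", errors.New("bad session data")
	}
	if saToken, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil); err == nil {
		return string(saToken), nil // this is the bearer token the proxied Mkube call will send
	}
	return "", errors.New("session data does not authenticate")
}

// login probes Mkube with the pasted bearer token (listing tenants; the route is an assumption) and only then mints a session.
func login(c *http.Client, mkubeURL, saToken string, aead cipher.AEAD, signKey []byte) (string, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(mkubeURL, "/")+"/api/v1/tenants", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+saToken)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", errors.New("mkube rejected the token: " + resp.Status)
	}
	return sealSession(aead, signKey, saToken, time.Now().Add(time.Hour))
}

func main() {
	aead, _ := newAEAD([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte demo key, not a real secret
	fmt.Println(sealSession(aead, []byte("demo-sign-key"), "constructed-sa-token", time.Now().Add(time.Hour)))
}
```

The two checks worth keeping whatever the real implementation looks like are that no session exists until Mkube has accepted the bearer token, and that `openSession` recomputes the HMAC with the server's own key rather than trusting the token's `alg` header. On Kubernetes 1.24 and later a service account no longer gets a long-lived token secret created for it automatically, so the `kubectl get secret` one-liner above comes back empty on such clusters; `kubectl create token m3-sa` issues a token instead.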

@Alevsk Alevsk self-assigned this Jun 12, 2020
@cesnietor

I'm testing it with m3 using minio/m3#407,
but I'm getting this error when creating a tenant, not sure if it is related:

{"code":415,"message":"unsupported media type \"application/octet-stream\", only [application/json] are allowed"}

@cesnietor

not happening with master

@Alevsk

Alevsk commented Jun 15, 2020

> I'm testing it with m3 using minio/m3#407,
> but I'm getting this error when creating a tenant, not sure if it is related:
>
> {"code":415,"message":"unsupported media type \"application/octet-stream\", only [application/json] are allowed"}

do you know which request it's getting this response? this seems to be mirroring but that endpoint got removed since minio-operator removed that functionality itself

@cesnietor

> > I'm testing it with m3 using minio/m3#407,
> > but I'm getting this error when creating a tenant, not sure if it is related:
> >
> > {"code":415,"message":"unsupported media type \"application/octet-stream\", only [application/json] are allowed"}
>
> do you know which request it's getting this response? this seems to be mirroring but that endpoint got removed since minio-operator removed that functionality itself

it was while doing POST on /api/v1/mkube/tenants/

@dvaldivia previously approved these changes Jun 19, 2020
@dvaldivia previously approved these changes Jun 21, 2020
@Alevsk Alevsk force-pushed the sa-authentication branch 2 times, most recently from 3a336bd to d68a456 Compare June 23, 2020 07:06
@Alevsk Alevsk requested a review from dvaldivia June 23, 2020 07:08
@Alevsk

Alevsk commented Jun 23, 2020

> I'm testing it with m3 using minio/m3#407,
> but I'm getting this error when creating a tenant, not sure if it is related:
>
> {"code":415,"message":"unsupported media type \"application/octet-stream\", only [application/json] are allowed"}

I included the fix for this on this PR, please review

@bexsoft bexsoft left a comment

Functionality works well, tests need to be fixed:

```
	/opt/hostedtoolcache/go/1.14.4/x64/src/testing/testing.go:940 +0x421
testing.tRunner.func1(0xc00010cb40)
	/opt/hostedtoolcache/go/1.14.4/x64/src/testing/testing.go:943 +0x600
panic(0x235a300, 0x43314b0)
	/opt/hostedtoolcache/go/1.14.4/x64/src/runtime/panic.go:975 +0x3e3
bytes.(*Buffer).ReadFrom(0xc0001e7860, 0x0, 0x0, 0x0, 0x0, 0xc000470b20)
	/opt/hostedtoolcache/go/1.14.4/x64/src/bytes/buffer.go:204 +0x122
github.com/minio/mcs/restapi.serverMkube(0xc0001e6b70, 0x2c65d80, 0xc0005806c0, 0xc00041ed00)
	/home/runner/work/mcs/mcs/restapi/mkube.go:50 +0x445
github.com/minio/mcs/restapi.Test_serverMkube.func4(0xc00010cb40)
	/home/runner/work/mcs/mcs/restapi/mkube_test.go:155 +0xcd
testing.tRunner(0xc00010cb40, 0xc0002f64d0)
	/opt/hostedtoolcache/go/1.14.4/x64/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
	/opt/hostedtoolcache/go/1.14.4/x64/src/testing/testing.go:1042 +0x661
FAIL	github.com/minio/mcs/restapi	12.326s
?   	github.com/minio/mcs/restapi/operations	[no test files]
?   	github.com/minio/mcs/restapi/operations/admin_api	[no test files]
?   	github.com/minio/mcs/restapi/operations/user_api	[no test files]
FAIL
Makefile:42: recipe for target 'test' failed
make: *** [test] Error 1
```

@Alevsk Alevsk force-pushed the sa-authentication branch from d68a456 to b640743 Compare June 23, 2020 17:44
@Alevsk Alevsk requested a review from bexsoft June 23, 2020 17:45
@bexsoft bexsoft left a comment

LGTM

@cesnietor

Can you please update the commit comments, seems that they changed

@cesnietor cesnietor left a comment

LGTM

@Alevsk Alevsk merged commit 1e7f272 into minio:master Jun 23, 2020
@Alevsk Alevsk deleted the sa-authentication branch June 23, 2020 18:37