Bearer Token Auth via kubernetes Apiserver #445
Conversation
shawn-hurley
requested review from
jmrodri,
jwmatthews,
eriknelson and
rthallisey
shawn-hurley
force-pushed
the
apiserver
branch
from
b74e290
to
96f8e1c
Compare
pkg/clients/kubernetes.go
Outdated
| @@ -24,7 +24,7 @@ import ( | |||
| "errors" | |||
|
|
|||
| logging "github.com/op/go-logging" | |||
| restclient "k8s.io/client-go/rest" | |||
| "k8s.io/client-go/rest" | |||
|
|
|||
There was a problem hiding this comment.
can you move this down with the other k8s.io imports
pkg/handler/handler.go
Outdated
| h := handler{ | ||
| router: *mux.NewRouter(), | ||
| broker: b, | ||
| log: log, | ||
| brokerConfig: brokerConfig, | ||
| } | ||
| s := h.router.PathPrefix(prefix).Subrouter() | ||
|
|
||
| // TODO: Reintroduce router restriction based on API version when settled upstream |
There was a problem hiding this comment.
This covers the TODO here.
There was a problem hiding this comment.
can you explain?
There was a problem hiding this comment.
I thought 104 covered this todo. But, I think I'm confusing a Headers and a pathprefix. They aren't related.
pkg/handler/handler_test.go
Outdated
| @@ -145,14 +145,14 @@ func init() { | |||
|
|
|||
| func TestNewHandler(t *testing.T) { | |||
| testb := MockBroker{Name: "testbroker"} | |||
| testhandler := NewHandler(testb, log, brokerConfig) | |||
| testhandler := NewHandler(testb, log, brokerConfig, "") | |||
There was a problem hiding this comment.
It might be worth adding a prefix to the test.
|
|
||
| - apiVersion: servicecatalog.k8s.io/v1alpha1 | ||
| kind: ${BROKER_KIND} | ||
| metadata: | ||
| name: ansible-service-broker | ||
| spec: | ||
| url: ${ASB_SCHEME}://asb-1338-ansible-service-broker.${ROUTING_SUFFIX} | ||
| url: https://asb.ansible-service-broker.svc:1338/ansible-service-broker/ |
There was a problem hiding this comment.
This makes it a requirement to use https. I'm not against that, but then ASB_SCHEME should be removed.
Another way to do this is keep ASB_SCHEME and BROKER_AUTH in place but change BROKER_AUTH to:
value: '{ "bearer": { "secretRef": { "kind": "Secret", "namespace": "ansible-service-broker", "name": "ansible-service-broker" } } }'There was a problem hiding this comment.
You also aren't using BROKER_URL_PREFIX
| "time" | ||
|
|
||
| kapierrors "k8s.io/apimachinery/pkg/api/errors" | ||
| "k8s.io/apimachinery/pkg/runtime" |
There was a problem hiding this comment.
Nit: Can you organize this so that imports with a name are together and those without a name are together.
kapierrors "k8s.io/apimachinery/pkg/api/errors"
kubeversiontypes "k8s.io/apimachinery/pkg/version"
...
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/apimachinery/pkg/util/wait"
...There was a problem hiding this comment.
go imports organize the imports like this I would prefer to continue to use go imports.
Does anyone else have any thoughts?
There was a problem hiding this comment.
It's the style we've been using. I don't mind changing it.
There was a problem hiding this comment.
we could name them all and goimports will be fine. The problem with changing it is that @shawn-hurley and myself will flip it back when we save the file again. Not sure if there's a way to configure goimports. And I'd hate to stop using it since it does so much for me automatically.
pkg/app/app.go
Outdated
| clusterURL = a.config.Broker.ClusterURL | ||
| } | ||
| } else { | ||
| clusterURL = ClusterURLPreFix |
There was a problem hiding this comment.
Nit: Can you change ClusterURLPreFix to something like DefaultClusterURLPrefix
pkg/app/app.go
Outdated
| genericserver.Handler.NonGoRestfulMux.HandlePrefix(fmt.Sprintf("%v/", clusterURL), daHandler) | ||
| a.log.Notice("Listening on https://%s", genericserver.SecureServingInfo.BindAddress) | ||
|
|
||
| a.log.Notice("Starting apiserver") |
There was a problem hiding this comment.
Shouldn't we note the Broker is started here? a.log.Notice("Ansible Service Broker Started")
There was a problem hiding this comment.
I mean it does not actually start until the next line and could fail. I would prefer to make it a.log.Notice("Ansible Service Broker Starting")? is that agreeable?
pkg/app/app.go
Outdated
| err = genericserver.PrepareRun().Run(wait.NeverStop) | ||
| a.log.Errorf("unable to wait on run - %v", err) | ||
|
|
||
| //TODO: Add Flag so we can still use the old way of doing this. |
There was a problem hiding this comment.
I don't this it's necessary to also support the old way.
shawn-hurley
force-pushed
the
apiserver
branch
from
a93113e
to
810a13f
Compare
| @@ -30,7 +30,6 @@ import ( | |||
| type Args struct { | |||
| ConfigFile string `short:"c" long:"config" description:"Config File" default:"/etc/ansible-service-broker/config.yaml"` | |||
| Version bool `short:"v" long:"version" description:"Print version information"` | |||
| Insecure bool `long:"insecure" description:"Run Ansible Service Broker in insecure mode."` | |||
There was a problem hiding this comment.
This is going to require a change in catasb.
There was a problem hiding this comment.
I have the branch in my repo and will be posting a PR soon.
|
@shawn-hurley I'm going to mess around with this a little by hand and get back to you. I also want to make sure the gate passes on this which will require #446 |
There was a problem hiding this comment.
I've seen most of this code. I'm not a fan of this whole apiserver idea. I find it annoying that in order to integrate with an apiserver that serves basically as a proxy that I have to change the architecture of my application.
This is how folks want it, then so be it. Approval from me of this PR is not an acceptance consider it a ACK under Protest.
|
@jmrodri How close is your alternative to working? I'd like to evaluate both options. |
|
@rthallisey it's been decided to go with Shawn's approach for delegated auth. This is what the project needs at this point in time. We are not pursuing the alternative approach. |
|
@rthallisey like @jwmatthews mentioned it's been decided for us. I've deleted the bearerauth branch I had going. |
|
@shawn-hurley does basic auth still work? because that's what the current spec supports. |
shawn-hurley
force-pushed
the
apiserver
branch
from
810a13f
to
b341229
Compare
|
@jmrodri adding the ability that if basic auth if set, then we will use that instead of bearer token auth. This makes sense because if you set both authentication types on the I still think that our default should be bearer token auth. |
|
I expect default workflow will want Bearer Token Auth as well |
shawn-hurley
force-pushed
the
apiserver
branch
from
b341229
to
b7b2f31
Compare
|
LGTM There are some followup items but this is in line with our discussions. |
There was a problem hiding this comment.
ACK. Not my preferred path forwards but it sounds like this is simply required. Well done @shawn-hurley, no nits from me from my rudimentary skim.
pkg/app/app.go
Outdated
| } | ||
| daHandler := handler.NewHandler(a.broker, a.log.Logger, a.config.Broker, clusterURL) | ||
|
|
||
| genericserver.Handler.NonGoRestfulMux.HandlePrefix(fmt.Sprintf("%v/", clusterURL), daHandler) | ||
| a.log.Notice("Listening on https://%s", genericserver.SecureServingInfo.BindAddress) | ||
|
|
||
| a.log.Notice("Starting apiserver") | ||
| a.log.Notice("Ansible Serivce Broker Starting") |
|
Corresponding catasb change: fusor/catasb#142 |
shawn-hurley
force-pushed
the
apiserver
branch
from
b7b2f31
to
dd9086f
Compare
shawn-hurley
force-pushed
the
apiserver
branch
from
330eb31
to
8361c24
Compare
* more stupid changes * broker runs but does not stay up.
* No support for insecure. * if no certs given will generate its own * ignor the folder that the certs get generated too
* Still trying to remove insecure broker code.
* template and catasb are still defaulting for bearer token auth.
* getting gate build working
shawn-hurley
force-pushed
the
apiserver
branch
from
8361c24
to
cb80aca
Compare
* apiserver work * updated glide yaml/lock * update vendor to match the new glide values * Create and return genericapiserver from ApiServer method * more stupid changes * broker runs but does not stay up. * add natefinch dep * getting genericapiserver working. * making the initialization a little cleaner. * No support for insecure. * if no certs given will generate its own * ignor the folder that the certs get generated too * Working deploy template and apiserver * addressing pr comments. * Still trying to remove insecure broker code. * Adding ability for basic auth to override the bearer token auth. * template and catasb are still defaulting for bearer token auth. * adding temporary template to be used for a couple of days * fixing gate build for a couple of days * Adding ability to serve at the root url * getting gate build working * fixing build. going back to a single deployment template
* apiserver work * updated glide yaml/lock * update vendor to match the new glide values * Create and return genericapiserver from ApiServer method * more stupid changes * broker runs but does not stay up. * add natefinch dep * getting genericapiserver working. * making the initialization a little cleaner. * No support for insecure. * if no certs given will generate its own * ignor the folder that the certs get generated too * Working deploy template and apiserver * addressing pr comments. * Still trying to remove insecure broker code. * Adding ability for basic auth to override the bearer token auth. * template and catasb are still defaulting for bearer token auth. * adding temporary template to be used for a couple of days * fixing gate build for a couple of days * Adding ability to serve at the root url * getting gate build working * fixing build. going back to a single deployment template
Describe what this PR does and why we need it:
Sets up ASB with the apiserver kubernetes project.
Changes proposed in this pull request
servicecatalog.ServiceBrokerwith bearer token auth from a secret generated for a service accountinsecureargument.Does this PR depend on another PR (Use this to track when PRs should be merged)
depends-on
fusor/catasb#142
Will neeed another PR for Documentation update.