GKE: Restrict Oauth authentication by domain suffix

[anguslees]

With Google-based Oauth, we need to additionally restrict the user in
some way - we don't want to allow just any Google account to access
the prometheus/kibana consoles.

This change adds a required flag to specify a Google email domain,
and oauth2 proxy will only allow Google users from this domain.

NB: This effectively restricts kubeprod to only supporting GSuite
accounts (@gmail.com is not useful), which is conceptually similar to
the AKS setup which allows only members from a particular Azure
tenant. Allowing a whitelist of specific (non-GSuite) Gmail accounts
instead is probably desirable, but postponed for a future change.

[falfaro]

And if you want to restrict inside a particular organisation who can and who cannot access Kibana/Prometheus, how does one do this?

Also, it would be nice to update the OAuth2 component documentation to reflect this change (behaviour). Could you also please do that?

[anguslees]

if you want to restrict inside a particular organisation who can and who cannot access Kibana/Prometheus, how does one do this?

I'm open to suggestions. oauth2-proxy supports domain restriction (as used here), and an explicit whitelist of usernames - and then it also has a bunch of provider-specific options, like "member of a google group" for Google.

Any of that can be used/configured via jsonnet overlays. The question we're really interested in here is what should we do for the default/simple kubeprod install case. I think a reasonable alternative to this PR is to take an explicit (comma separated) whitelist for all platforms, but that imposes yet another arg on all platforms just to fix what is mostly a GKE-specific issue (Google oauth is terrifyingly broad without an additional restriction - and we have no reasonable default for that restriction)

.. That was my thinking leading up to this specific PR. Very happy to entertain any alternative approaches. The immediate concern is that the current setup (email-domains=*) is not acceptable on GKE.

Also, it would be nice to update the OAuth2 component documentation to reflect this change (behaviour). Could you also please do that?

Yep. It's GKE-specific (as currently implemented). Shall I put that into the shared components doc, or a (yet to be written) gke-specific doc?

[falfaro]

Yep. It's GKE-specific (as currently implemented). Shall I put that into the shared components doc, or a (yet to be written) gke-specific doc?

Please document this in the docs/components.md file. We can actually implement this behaviour for AKS too (we currently use --email-domain="*" for AKS too) and then we don't need to treat GKE and AKS differently.

[sameersbn]

lgtm

[falfaro]

By the way, this PR is not backwards compatible. It actually breaks existing BKPR deployments that had a kubeprod-autogen.json that was generated by a kubeprod binary before this PR.

This is what I get when I try to run kubecfg update after updating to this PR:

$ kubecfg update kubeprod-manifest.jsonnet
ERROR Error reading kubeprod-manifest.jsonnet: RUNTIME ERROR: Field does not exist: authz_domain
        file:///Users/falfaro/go/src/github.com/bitnami/kube-prod-runtime/manifests/platforms/gke.jsonnet:110:35-67     object <anonymous>
        file:///Users/falfaro/go/src/github.com/bitnami/kube-prod-runtime/manifests/lib/kube.libsonnet:32:25-29 thunk from <thunk from <function <anonymous>>>
        <std>:659:15-22 thunk <val> from <function <format_codes_arr>>
        <std>:666:27-30 thunk from <thunk <s> from <function <format_codes_arr>>>
        <std>:536:22-25 thunk from <function <format_code>>
        <builtin>       builtin function <toString>
        <std>:666:15-60 thunk <s> from <function <format_codes_arr>>
        <std>:671:24-25 thunk from <thunk <s_padded> from <function <format_codes_arr>>>
        <std>:451:30-33 thunk from <thunk from <function <pad_left>>>
        <builtin>       builtin function <length>
        ...
        <std>:451:7-38  function <pad_left>
        <std>:451:7-44  function <pad_left>
        <std>:671:15-39 thunk <s_padded> from <function <format_codes_arr>>
        <std>:677:55-63 thunk from <function <format_codes_arr>>
        <std>:677:51-63 thunk from <function <format_codes_arr>>
        <std>:677:11-64 function <format_codes_arr>
        <std>:721:7-46  function <anonymous>
        <std>:203:7-23  function <anonymous>

        During manifestation