Skip to content

[WIP] authenticated microservices #1238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
petertrr wants to merge 90 commits into
base: master
Choose a base branch
from
Draft

[WIP] authenticated microservices #1238

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
90 commits
Select commit Hold shift + click to select a range
8009db2
Improvements for Gradle build
petertrr Sep 15, 2022
d75fe3c
Switch `spring-cloud-kubernetes` implementation from `kubernetes-clie…
petertrr Sep 16, 2022
8796ed7
[skip ci] [WIP] App-to-app authentication using ServiceAccount tokens
petertrr Sep 16, 2022
3c4d60a
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Sep 29, 2022
90c27ca
[skip ci] WIP: authenticated microservices
petertrr Sep 29, 2022
b501eda
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 5, 2022
12f01d9
[skip ci] Extract sa-token mount into _helpers.tpl; fix path to the m…
petertrr Oct 5, 2022
bb7f1de
Read ConfigMap using Kubernetes fabric8 client
petertrr Oct 7, 2022
8e27f7d
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 7, 2022
6121181
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 11, 2022
2b0900d
[skip ci] Extract the WebClientCustomizer into save-cloud-common, plu…
petertrr Oct 11, 2022
415c4f6
[skip ci] Cleanup
petertrr Oct 11, 2022
1f0e8f8
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 14, 2022
09df217
[Helm] Set another port as a management port for all JVM services
petertrr Oct 14, 2022
c235283
[skip ci] WIP
petertrr Oct 14, 2022
5c12d11
Enable `@ConditionalOnCloudPlatform` for web client customizer bean
petertrr Oct 20, 2022
49a25a3
Handle error status code when uploading test suite source snapshot fr…
petertrr Oct 20, 2022
1de5b2f
Disable CSRF so that everything works
petertrr Oct 20, 2022
86dd0a9
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 20, 2022
e390516
[skip ci] Move KubernetesAuthenticationUtils to save-cloud-common
petertrr Oct 20, 2022
a612f55
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 20, 2022
148e053
[skip ci]
petertrr Oct 20, 2022
f9c0984
Minor refactoring of WebClientCustomizers
petertrr Oct 20, 2022
6f33194
Extension method for KubernetesAuthenticationUtils
petertrr Oct 20, 2022
23bead9
Code style
petertrr Oct 20, 2022
bc037cc
Merge branch 'master' into feature/authenticated-microservices
petertrr Oct 20, 2022
6b048b6
Apply `WebClientCustomizers` to all `WebClient`s; fix `!kubernetes` s…
petertrr Oct 21, 2022
bdf937a
Protect orchestrator and sandbox with SA Token Authorization
petertrr Oct 21, 2022
698e2a5
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 21, 2022
2579328
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Oct 24, 2022
20c7171
Code style
petertrr Oct 24, 2022
fdac9db
Merge branch 'master' into feature/authenticated-microservices
petertrr Oct 26, 2022
b69b3e4
Merge branch 'master' into feature/authenticated-microservices
petertrr Oct 27, 2022
39849e7
[skip ci] Fix bean name clash
petertrr Oct 27, 2022
c288726
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 7, 2022
e53392d
[skip ci] WIP: Restore security-related beans in a configuration class
petertrr Nov 9, 2022
2a6fd31
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 9, 2022
7a04db0
[skip ci] Cleanup after merge
petertrr Nov 9, 2022
15ae7e3
[skip ci] Resolve conflict between beans
petertrr Nov 9, 2022
92c4e01
[skip ci] Disable spring-security autoconfiguration on preprocessor; …
petertrr Nov 9, 2022
cd60fe4
[skip ci] Cleanup
petertrr Nov 10, 2022
b20dda2
Code style
petertrr Nov 10, 2022
b9959bc
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 10, 2022
eca3464
Fix compilation
petertrr Nov 10, 2022
45a0c3b
Fix compilation
petertrr Nov 10, 2022
4050086
Merge branch 'master' into feature/authenticated-microservices
petertrr Nov 10, 2022
3c1ff88
`@Component` -> `@Configuration`; remove duplicated imports
petertrr Nov 10, 2022
ec79fd3
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 10, 2022
fd0d57a
Increase logging level; minor refactoring
petertrr Nov 11, 2022
7a25619
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 11, 2022
fee4a56
Fix typo
petertrr Nov 11, 2022
0e2ee9b
Use `securityMatcher`s to glue together multiple security chains
petertrr Nov 11, 2022
c1a97c0
Import `WebClientCustomizers` in backend
petertrr Nov 11, 2022
a2da43b
Bind `orchestrator-sa` ServiceAccount to `microservice` ClusterRole
petertrr Nov 11, 2022
d7c18a8
Improved logging
petertrr Nov 11, 2022
105231c
Different path matcher for k8s-secured endpoints
petertrr Nov 11, 2022
7a390ea
Helm: mount SA token to orchestrator; add missing property in backend…
petertrr Nov 11, 2022
d5581c8
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 11, 2022
454d67b
Merge branch 'master' into feature/authenticated-microservices
petertrr Nov 17, 2022
878822d
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 23, 2022
4844e9b
Move k8s-security-related classes to authService module
petertrr Nov 23, 2022
ff458a2
Code style, minor fixes
petertrr Nov 23, 2022
b42254b
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 23, 2022
b5e581c
Code style
petertrr Nov 23, 2022
9566b3a
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Nov 23, 2022
6a3584c
Try to build w/o caches
petertrr Nov 24, 2022
e3b9d9c
One more experiment to fix Kapt error
petertrr Nov 24, 2022
2afa564
One more experiment to fix Kapt error
petertrr Nov 24, 2022
aa06a2c
One more experiment to fix Kapt error
petertrr Nov 24, 2022
4ae4edd
One more experiment to fix Kapt error
petertrr Nov 24, 2022
ac57556
Remove most of JPA related depdencies from auth service; revert chang…
petertrr Nov 24, 2022
9c3d918
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Dec 8, 2022
804dffa
Follow-ups after merge
petertrr Dec 8, 2022
dce76ae
Update helm_push.yml
petertrr Dec 8, 2022
467483c
Update helm_push.yml
petertrr Dec 8, 2022
f1265ff
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Dec 12, 2022
64bd7df
Fixme until #1247
petertrr Dec 12, 2022
bbd1b34
Eclude security autoconfuguration from preprocessor
petertrr Dec 12, 2022
64ac8f2
Merge remote-tracking branch 'origin/feature/authenticated-microservi…
petertrr Dec 12, 2022
2e24b08
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Dec 13, 2022
bc4fb35
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Dec 14, 2022
5813501
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Dec 14, 2022
df910bb
Add more endpoints to exclusion list
petertrr Dec 15, 2022
11a89f5
Merge remote-tracking branch 'origin/master' into feature/authenticat…
petertrr Dec 15, 2022
d9f1f31
Merge branch 'master' into feature/authenticated-microservices
sanyavertolet Apr 5, 2023
ee6e5a1
[skip ci] updated branch
sanyavertolet Apr 5, 2023
5c3c681
[skip ci] added SA to demo and gateway
sanyavertolet Apr 5, 2023
925d062
[skip ci] wrapper tokenewviews
sanyavertolet Apr 5, 2023
fb80354
Merge branch 'master' into feature/authenticated-microservices
sanyavertolet Apr 6, 2023
76ce335
Merge branch 'master' into feature/authenticated-microservices
nulls Jul 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions gradle/libs.versions.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ testcontainers = "1.17.4"
okhttp3 = "4.10.0"
reckon = "0.16.1"
commons-compress = "1.21"
commons-io = "2.11.0"
picocli = "4.6.3"
zip4j = "2.11.2"
ktoml = "0.2.13"
Expand Down Expand Up @@ -92,6 +93,7 @@ spring-security-test = { module = "org.springframework.security:spring-security-
spring-boot-gradle-plugin = { module = "org.springframework.boot:spring-boot-gradle-plugin", version.ref = "spring-boot" }
spring-cloud-starter-gateway = { module = "org.springframework.cloud:spring-cloud-starter-gateway", version.ref = "spring-cloud" }
spring-cloud-starter-kubernetes-client-config = { module = "org.springframework.cloud:spring-cloud-starter-kubernetes-client-config", version.ref = "spring-cloud-kubernetes" }
spring-cloud-starter-kubernetes-fabric8-config = { module = "org.springframework.cloud:spring-cloud-starter-kubernetes-fabric8-config", version.ref = "spring-cloud-kubernetes" }
spring-boot-starter-oauth2-client = { module = "org.springframework.boot:spring-boot-starter-oauth2-client" }
spring-context-indexer = { module = "org.springframework:spring-context-indexer", version.ref = "spring" }
spring-data-jpa = { module = "org.springframework.data:spring-data-jpa" }
Expand Down Expand Up @@ -154,6 +156,7 @@ diktat-gradle-plugin = { module = "org.cqfn.diktat:diktat-gradle-plugin", versio
detekt-gradle-plugin = { module = "io.gitlab.arturbosch.detekt:detekt-gradle-plugin", version.ref = "detekt" }
reckon-gradle-plugin = { module = "org.ajoberstar.reckon:reckon-gradle", version.ref = "reckon" }
commons-compress = { module = "org.apache.commons:commons-compress", version.ref = "commons-compress" }
commons-io = { module = "commons-io:commons-io", version.ref = "commons-io" }
picocli = { module = "info.picocli:picocli", version.ref = "picocli" }
zip4j = { module = "net.lingala.zip4j:zip4j", version.ref = "zip4j" }
kotlinx-cli = { module = "org.jetbrains.kotlinx:kotlinx-cli", version.ref = "kotlinx-cli" }
Expand Down
3 changes: 2 additions & 1 deletion save-backend/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,8 +118,9 @@ dependencies {
implementation(libs.spring.boot.starter.security)
implementation(libs.spring.security.core)
implementation(libs.hibernate.micrometer)
implementation(libs.spring.cloud.starter.kubernetes.client.config)
implementation(libs.spring.cloud.starter.kubernetes.fabric8.config)
implementation(libs.reactor.extra)
implementation(libs.commons.io)
testImplementation(libs.spring.security.test)
testImplementation(projects.testUtils)
}
Expand Down
65 changes: 56 additions & 9 deletions save-backend/src/main/kotlin/com/saveourtool/save/backend/configs/WebSecurityConfig.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,14 @@ package com.saveourtool.save.backend.configs

import com.saveourtool.save.backend.utils.ConvertingAuthenticationManager
import com.saveourtool.save.backend.utils.CustomAuthenticationBasicConverter
import com.saveourtool.save.backend.utils.ServiceAccountAuthenticatingManager
import com.saveourtool.save.backend.utils.ServiceAccountTokenExtractorConverter
import com.saveourtool.save.domain.Role
import com.saveourtool.save.v1
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Profile
import org.springframework.core.annotation.Order
import org.springframework.http.HttpStatus
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
import org.springframework.security.access.hierarchicalroles.RoleHierarchy
Expand All @@ -25,6 +28,9 @@ import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.security.web.server.authentication.AuthenticationWebFilter
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers
import javax.annotation.PostConstruct

@EnableWebFluxSecurity
Expand All @@ -33,27 +39,35 @@ import javax.annotation.PostConstruct
@Suppress("MISSING_KDOC_TOP_LEVEL", "MISSING_KDOC_CLASS_ELEMENTS", "MISSING_KDOC_ON_FUNCTION")
class WebSecurityConfig(
private val authenticationManager: ConvertingAuthenticationManager,
private val serviceAccountAuthenticatingManager: ServiceAccountAuthenticatingManager,
private val serviceAccountTokenExtractorConverter: ServiceAccountTokenExtractorConverter,
) {
@Autowired
private lateinit var defaultMethodSecurityExpressionHandler: DefaultMethodSecurityExpressionHandler

@Bean
@Order(1)
fun securityWebFilterChain(
http: ServerHttpSecurity
): SecurityWebFilterChain = http.run {
// All `/internal/**` and `/actuator/**` requests should be sent only from internal network,
// they are not proxied from gateway.
authorizeExchange()
.pathMatchers("/", "/internal/**", "/actuator/**", *publicEndpoints.toTypedArray())
.permitAll()
// resources for frontend
.pathMatchers("/*.html", "/*.js*", "/*.css", "/img/**", "/*.ico", "/*.png", "/particles.json")
.permitAll()
securityMatcher(
AndServerWebExchangeMatcher(
ServerWebExchangeMatchers.anyExchange(),
NegatedServerWebExchangeMatcher(
ServerWebExchangeMatchers.pathMatchers("/actuator", "/actuator/**", "/internal/**")
)
)
)
}
.run {
authorizeExchange()
.pathMatchers(*publicEndpoints.toTypedArray())
.permitAll()
}
.and()
.run {
authorizeExchange()
.pathMatchers("/**")
.pathMatchers("/api/**")
.authenticated()
}
.and()
Expand Down Expand Up @@ -120,10 +134,43 @@ class WebSecurityConfig(
"/api/$v1/contests/*/*/best",
)
}

@Profile("kubernetes")
@Bean
@Order(2)
fun internalSecuredSecurityChain(
http: ServerHttpSecurity,
): SecurityWebFilterChain = http.run {
authorizeExchange().pathMatchers("/internal/**", "/actuator/**")
.authenticated()
.and()
.addFilterBefore(
AuthenticationWebFilter(serviceAccountAuthenticatingManager).apply {
setServerAuthenticationConverter(serviceAccountTokenExtractorConverter)
},
SecurityWebFiltersOrder.HTTP_BASIC
)
.build()
}
Comment thread Fixed
Comment thread Fixed

@Profile("!kubernetes")
@Bean
@Order(2)
fun internalInsecureSecurityChain(
http: ServerHttpSecurity
): SecurityWebFilterChain = http.run {
// All `/internal/**` and `/actuator/**` requests should be sent only from internal network,
// they are not proxied from gateway.
authorizeExchange().pathMatchers("/internal/**", "/actuator/**")
.permitAll()
.and()
.build()
}
Comment thread Fixed
Comment thread Fixed
}

@EnableWebFluxSecurity
@Profile("!secure")
@Order(1)
@Suppress("MISSING_KDOC_TOP_LEVEL", "MISSING_KDOC_CLASS_ELEMENTS", "MISSING_KDOC_ON_FUNCTION")
class NoopWebSecurityConfig {
@Bean
Expand Down
2 changes: 2 additions & 0 deletions ...end/src/main/kotlin/com/saveourtool/save/backend/utils/ConvertingAuthenticationManager.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package com.saveourtool.save.backend.utils
import com.saveourtool.save.backend.service.UserDetailsService
import com.saveourtool.save.utils.IdentitySourceAwareUserDetails
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Primary
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.authentication.ReactiveAuthenticationManager
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
Expand All @@ -17,6 +18,7 @@ import reactor.kotlin.core.publisher.switchIfEmpty
* where user identity is already guaranteed.
*/
@Component
@Primary
class ConvertingAuthenticationManager : ReactiveAuthenticationManager {
@Autowired
private lateinit var userDetailsService: UserDetailsService
Expand Down
4 changes: 2 additions & 2 deletions .../src/main/kotlin/com/saveourtool/save/backend/utils/CustomAuthenticationBasicConverter.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package com.saveourtool.save.backend.utils
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
import org.springframework.security.web.server.authentication.ServerHttpBasicAuthenticationConverter
import org.springframework.stereotype.Component
import org.springframework.web.server.ServerWebExchange
import reactor.core.publisher.Mono
Expand All @@ -11,8 +12,7 @@ import reactor.core.publisher.Mono
* Implementation of [ServerAuthenticationConverter] that embeds user identity source into [UsernamePasswordAuthenticationToken]
*/
@Component
class CustomAuthenticationBasicConverter : org.springframework.security.web.server.authentication.ServerHttpBasicAuthenticationConverter(),
ServerAuthenticationConverter {
class CustomAuthenticationBasicConverter : ServerHttpBasicAuthenticationConverter(), ServerAuthenticationConverter {
/**
* Convert exchange, received from gateway into UsernamePasswordAuthenticationToken, specify source identity, laid
* by gateway into X-Authorization-Source header
Expand Down
67 changes: 67 additions & 0 deletions ...ckend/src/main/kotlin/com/saveourtool/save/backend/utils/KubernetesAuthenticationUtils.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
package com.saveourtool.save.backend.utils

import com.saveourtool.save.utils.debug
import com.saveourtool.save.utils.getLogger
import io.fabric8.kubernetes.api.model.authentication.TokenReview
import io.fabric8.kubernetes.client.KubernetesClient
import io.fabric8.kubernetes.client.utils.Serialization
import org.intellij.lang.annotations.Language
import org.springframework.boot.autoconfigure.condition.ConditionalOnCloudPlatform
import org.springframework.boot.cloud.CloudPlatform
import org.springframework.security.authentication.ReactiveAuthenticationManager
import org.springframework.security.core.Authentication
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
import org.springframework.stereotype.Component
import org.springframework.web.server.ServerWebExchange
import reactor.core.publisher.Mono

@Component
@ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
class ServiceAccountTokenExtractorConverter : ServerAuthenticationConverter {
override fun convert(exchange: ServerWebExchange): Mono<Authentication> {
return Mono.justOrEmpty(
exchange.request.headers["X-Service-Account-Token"]?.firstOrNull()
).map { token ->
PreAuthenticatedAuthenticationToken("TokenSupplier", token)
}
}
}

@Component
@ConditionalOnCloudPlatform(CloudPlatform.KUBERNETES)
class ServiceAccountAuthenticatingManager(
// val kubernetesClient: ApiClient,
val kubernetesClient: KubernetesClient,
) : ReactiveAuthenticationManager {
override fun authenticate(authentication: Authentication): Mono<Authentication> {
val token = (authentication as PreAuthenticatedAuthenticationToken).credentials
@Language("yaml")
val tokenReview = """
|apiVersion: authentication.k8s.io/v1
|kind: TokenReview
|metadata:
| name: service-account-validity-check
| namespace: ${kubernetesClient.namespace}
|spec:
| token: $token
""".trimMargin()
/* val tokenReview = V1TokenReview().apply {
spec = V1TokenReviewSpec().apply {
setToken(token)
}
}
AuthenticationV1Api(kubernetesClient).createTokenReview(tokenReview)*/
logger.debug {
"Will create k8s resource from the following YAML:\n${tokenReview.prependIndent(" ")}"
}
val response = kubernetesClient.resource(tokenReview).createOrReplace() as TokenReview
logger.debug {
"Got the following response from the API server:\n${Serialization.yamlMapper().writeValueAsString(response).prependIndent(" ")}"
}
authentication.isAuthenticated = response.status.error == null && response.status.authenticated
return Mono.just(authentication)
}

private val logger = getLogger<ServiceAccountAuthenticatingManager>()
Comment thread Fixed
Comment thread Fixed
}
3 changes: 2 additions & 1 deletion save-backend/src/main/resources/bootstrap.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@ spring:
kubernetes:
enabled: true
config:
enabled: false
enabled: true
paths: /home/cnb/config/application.properties
secrets:
enabled: true
paths: ${DATABASE_SECRETS_PATH}
Expand Down
14 changes: 14 additions & 0 deletions save-cloud-charts/save-cloud/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,4 +79,18 @@ configMap:
items:
- key: application.properties
path: application.properties
{{- end}}

{{- define "spring-boot.sa-token-mount" -}}
name: service-account-projected-token
mountPath: /var/run/secrets/tokens
{{- end }}

{{- define "spring-boot.sa-token-volume" -}}
name: service-account-projected-token
projected:
sources:
- serviceAccountToken:
path: service-account-projected-token
expirationSeconds: 7200
{{- end}}
2 changes: 2 additions & 0 deletions save-cloud-charts/save-cloud/templates/backend-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,5 @@ data:
backend.orchestrator-url=http://orchestrator
server.shutdown=graceful
management.endpoints.web.exposure.include=*
spring.datasource.url=${spring.datasource.backend-url}
logging.level.org.springframework.cloud=DEBUG
3 changes: 3 additions & 0 deletions save-cloud-charts/save-cloud/templates/backend-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ spec:
annotations:
{{- include "pod.common.annotations" (dict "service" .Values.backend ) | nindent 8 }}
spec:
serviceAccountName: microservice-sa

@sanyavertolet sanyavertolet Apr 5, 2023

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can see, all the microservices that are able to send requests should have microservice-sa (e.g. demo-cpg does not send anything so service account for it is not required(?))

Moreover, it seems that orchestrator and demo role bindings should also reference microservice cluster role

@petertrr petertrr Apr 5, 2023

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea was, that communication between some microservices can still be secure without security, because we were planning to account only for not trusted executed tools and their network activity could be restricted with a NetworkPolicy on agent pods. This way using SA token for authentication is only required for microservices which receive requests from agents. But then, microservices that send requests to these services also need to authenticate, so it may be easier to unify everything.

@sanyavertolet sanyavertolet Apr 5, 2023

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can see, many things have been done: KubernetesAuthenticaitonUtils provide almost everything for X-Service-Account-Token check. So the question is: what hasn't been done yet? (regarding this PR) Seems that ktor needs to be able to add custom headers. And it seems that some Beans are required (e.g. KubernetesClient bean in KubernetesAuthenticationUtils). Am I right?

@petertrr petertrr Apr 5, 2023

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose it was already more or less working. This PR affects only services, not agents, and I'm not sure if we have ktor on server-side. But yes, the part that validates token against k8s api server requires KubernetesClient. The part that adds it as a custom header requires the token to be mounted (added to YAML spec as projected volume)

restartPolicy: Always
{{- include "cnb.securityContext" . | nindent 6 }}
containers:
Expand All @@ -35,6 +36,7 @@ spec:
mountPath: /home/cnb/files
- name: database-secret
mountPath: {{ .Values.mysql.dbPasswordFile }}
- {{ include "spring-boot.sa-token-mount" . | indent 14 | trim }}
{{- include "spring-boot.management" .Values.backend | nindent 10 }}
resources:
limits:
Expand Down Expand Up @@ -109,3 +111,4 @@ spec:
secretName: db-secrets
- name: migrations-data
emptyDir: {}
- {{ include "spring-boot.sa-token-volume" (dict "service" .Values.backend) | indent 10 | trim }}
2 changes: 2 additions & 0 deletions save-cloud-charts/save-cloud/templates/preprocessor-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ spec:
- {{ include "spring-boot.config-volume-mount" . | indent 14 | trim }}
- name: repos-storage
mountPath: /home/cnb
- {{ include "spring-boot.sa-token-mount" . | indent 14 | trim }}
{{- include "spring-boot.management" .Values.preprocessor | nindent 10 }}
resources:
limits:
Expand All @@ -44,3 +45,4 @@ spec:
# and each pod of preprocessor can `git clone` on its own.
hostPath:
path: /tmp/save/repos
- {{ include "spring-boot.sa-token-volume" (dict "service" .Values.backend) | indent 10 | trim }}
56 changes: 56 additions & 0 deletions save-cloud-charts/save-cloud/templates/service-accounts.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: microservice-sa

---

# https://docs.spring.io/spring-cloud-kubernetes/docs/current/reference/html/#service-account
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: microservice
rules:
- apiGroups: [""] # "" indicates the core API group
resources: [configmaps, secrets]
verbs: [list, get, watch]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: microservice-role-binding
subjects:
- kind: ServiceAccount
name: microservice-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: microservice

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: microservice
rules:
- apiGroups: ["authentication.k8s.io"]
resources: [tokenreviews]
verbs: ["create"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: microservice-role-binding
subjects:
- kind: ServiceAccount
name: microservice-sa
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: microservice
Loading