Gh19707 secure workspace (#1001)

Signed-off-by: Michal Vala <mvala@redhat.com>
2021-08-19 15:28:55 +02:00 · 2021-08-19 15:28:55 +02:00 · 491f711eca
parent fb29886b91
commit 491f711eca
4 changed files with 111 additions and 5 deletions
--- a/controllers/devworkspace/solver/che_routing.go
+++ b/controllers/devworkspace/solver/che_routing.go
@ -370,7 +370,7 @@ func addToTraefikConfig(namespace string, workspaceID string, machineName string
 			rtrs[name] = traefikConfigRouter{
 				Rule:        fmt.Sprintf("PathPrefix(`%s`)", prefix),
 				Service:     name,
-				Middlewares: []string{name},
+				Middlewares: []string{name + "-header", name + "-prefix", name + "-auth"},
 				Priority:    100,
 			}

@ -384,11 +384,27 @@ func addToTraefikConfig(namespace string, workspaceID string, machineName string
 				},
 			}

-			mdls[name] = traefikConfigMiddleware{
-				StripPrefix: traefikConfigStripPrefix{
+			mdls[name+"-prefix"] = traefikConfigMiddleware{
+				StripPrefix: &traefikConfigStripPrefix{
 					Prefixes: []string{prefix},
 				},
 			}
+
+			mdls[name+"-auth"] = traefikConfigMiddleware{
+				ForwardAuth: &traefikConfigForwardAuth{
+					Address: "http://127.0.0.1:8089?namespace=" + namespace,
+				},
+			}
+
+			mdls[name+"-header"] = traefikConfigMiddleware{
+				Plugin: &traefikPlugin{
+					HeaderRewrite: &traefikPluginHeaderRewrite{
+						From:   "X-Forwarded-Access-Token",
+						To:     "Authorization",
+						Prefix: "Bearer ",
+					},
+				},
+			}
 		}
 	}
 }
--- a/controllers/devworkspace/solver/che_routing_test.go
+++ b/controllers/devworkspace/solver/che_routing_test.go
@ -260,9 +260,35 @@ func TestCreateRelocatedObjects(t *testing.T) {
 			t.Fatalf("Expected exactly one traefik router but got %d", len(workspaceConfig.HTTP.Routers))
 		}

-		if _, ok := workspaceConfig.HTTP.Routers["wsid-m1-9999"]; !ok {
+		wsid := "wsid-m1-9999"
+		if _, ok := workspaceConfig.HTTP.Routers[wsid]; !ok {
 			t.Fatal("traefik config doesn't contain expected workspace configuration")
 		}
+
+		if len(workspaceConfig.HTTP.Routers[wsid].Middlewares) != 3 {
+			t.Fatalf("Expected 3 middlewares in router but got '%d'", len(workspaceConfig.HTTP.Routers[wsid].Middlewares))
+		}
+
+		if len(workspaceConfig.HTTP.Middlewares) != 3 {
+			t.Fatalf("Expected 3 middlewares set but got '%d'", len(workspaceConfig.HTTP.Middlewares))
+		}
+
+		mwares := []string{wsid + "-auth", wsid + "-prefix", wsid + "-header"}
+		for _, mware := range mwares {
+			if _, ok := workspaceConfig.HTTP.Middlewares[mware]; !ok {
+				t.Fatalf("traefik config doesn't set middleware '%s'", mware)
+			}
+			found := false
+			for _, r := range workspaceConfig.HTTP.Routers[wsid].Middlewares {
+				if r == mware {
+					found = true
+				}
+			}
+			if !found {
+				t.Fatalf("traefik config route doesn't set middleware '%s'", mware)
+			}
+		}
+
 	})
 }

--- a/controllers/devworkspace/solver/traefik_config.go
+++ b/controllers/devworkspace/solver/traefik_config.go
@ -23,7 +23,9 @@ type traefikConfigService struct {
 }

 type traefikConfigMiddleware struct {
-	StripPrefix traefikConfigStripPrefix `json:"stripPrefix"`
+	StripPrefix *traefikConfigStripPrefix `json:"stripPrefix,omitempty"`
+	ForwardAuth *traefikConfigForwardAuth `json:"forwardAuth,omitempty"`
+	Plugin      *traefikPlugin            `json:"plugin,omitempty"`
 }

 type traefikConfigLoadbalancer struct {
@ -37,3 +39,17 @@ type traefikConfigLoadbalancerServer struct {
 type traefikConfigStripPrefix struct {
 	Prefixes []string `json:"prefixes"`
 }
+
+type traefikConfigForwardAuth struct {
+	Address string `json:"address"`
+}
+
+type traefikPlugin struct {
+	HeaderRewrite *traefikPluginHeaderRewrite `json:"header-rewrite,omitempty"`
+}
+
+type traefikPluginHeaderRewrite struct {
+	From   string `json:"from"`
+	To     string `json:"to"`
+	Prefix string `json:"prefix"`
+}
--- a/pkg/deploy/gateway/gateway.go
+++ b/pkg/deploy/gateway/gateway.go
@ -101,6 +101,11 @@ func syncAll(deployContext *deploy.DeployContext) error {
 		} else {
 			return err
 		}
+
+		kubeRbacProxyConfig := getGatewayKubeRbacProxyConfigSpec(instance)
+		if _, err := deploy.Sync(deployContext, &kubeRbacProxyConfig, configMapDiffOpts); err != nil {
+			return err
+		}
 	}

 	traefikConfig := getGatewayTraefikConfigSpec(instance)
@ -424,6 +429,31 @@ skip_provider_button = true`, instance.Spec.Server.CheHost, instance.Spec.Auth.O
 	}
 }

+func getGatewayKubeRbacProxyConfigSpec(instance *orgv1.CheCluster) corev1.ConfigMap {
+	return corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: corev1.SchemeGroupVersion.String(),
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "che-gateway-config-kube-rbac-proxy",
+			Namespace: instance.Namespace,
+			Labels:    deploy.GetLabels(instance, GatewayServiceName),
+		},
+		Data: map[string]string{
+			"authorization-config.yaml": `
+authorization:
+  rewrites:
+    byQueryParameter:
+      name: "namespace"
+  resourceAttributes:
+    apiVersion: v1
+    resource: services
+    namespace: "{{ .Value }}"`,
+		},
+	}
+}
+
 func generateRandomCookieSecret() []byte {
 	return []byte(base64.StdEncoding.EncodeToString([]byte(util.GeneratePasswd(16))))
 }
@ -620,6 +650,13 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container {
 					"--insecure-listen-address=127.0.0.1:8089",
 					"--upstream=http://127.0.0.1:8090/ping",
 					"--logtostderr=true",
+					"--config-file=/etc/kube-rbac-proxy/authorization-config.yaml",
+				},
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      "kube-rbac-proxy-config",
+						MountPath: "/etc/kube-rbac-proxy",
+					},
 				},
 			})
 	}
@ -690,6 +727,17 @@ func getVolumesSpec(instance *orgv1.CheCluster) []corev1.Volume {
 				},
 			},
 		})
+
+		volumes = append(volumes, corev1.Volume{
+			Name: "kube-rbac-proxy-config",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: "che-gateway-config-kube-rbac-proxy",
+					},
+				},
+			},
+		})
 	}

 	return volumes