feat(auth): allow optional basic authentication (#95)

* feat(values): add authentication value parameters * feat(auth): implement basic authentication * fix(values): handle nullable cases * docs(readme): update to mention unset auth case
cryostatio · Oct 25, 2023 · e6be8ea · e6be8ea
1 parent 9480bac
commit e6be8ea
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 2 deletions.
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
@@ -70,6 +70,14 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op
 | `datasource.resources`        | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)                                                                                                                                     | `{}`                              |
 | `datasource.securityContext`  | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}`                              |
 
+### Authentication
+
+| Name                                  | Description                                                                                                                                                                                                                                                           | Value   |
+| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `authentication.basicAuth.enabled`    | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication                                                                                                                                          | `false` |
+| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**                                                                                                                                                   | `""`    |
+| `authentication.basicAuth.filename`   | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""`    |
+
 ### Other Parameters
 
 | Name                         | Description                                                                                                                                                                                                                                                                                               | Value               |

diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml
@@ -52,8 +52,6 @@ spec:
             value: "{{ if .Values.core.ingress.enabled }}{{ with index .Values.core.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}"
           - name: CRYOSTAT_PLATFORM
             value: io.cryostat.platform.internal.KubeApiPlatformStrategy
-          - name: CRYOSTAT_AUTH_MANAGER
-            value: io.cryostat.net.NoopAuthManager
           {{- if not .Values.minimal }}
           - name: GRAFANA_DATASOURCE_URL
             value: http://127.0.0.1:8080
@@ -94,6 +92,12 @@ spec:
                 name: {{ default (printf "%s-jmx-credentials-db" .Release.Name) .Values.core.databaseSecretName }}
                 key: CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD
                 optional: false
+          - name: CRYOSTAT_AUTH_MANAGER
+          {{- if (.Values.authentication).basicAuth.enabled }}
+            value: io.cryostat.net.BasicAuthManager
+          {{- else }}
+            value: io.cryostat.net.NoopAuthManager
+          {{- end }}
           ports:
             - containerPort: 8181
               protocol: TCP
@@ -128,6 +132,12 @@ spec:
           - mountPath: /opt/cryostat.d/probes.d
             name: {{ .Chart.Name }}
             subPath: probes
+          {{- if (.Values.authentication).basicAuth.enabled }}
+          - mountPath: /opt/cryostat.d/conf.d/cryostat-users.properties
+            name: basic-auth-properties
+            subPath: cryostat-users.properties
+            readOnly: true
+          {{- end }}
         {{- if not .Values.minimal }}
         - name: {{ printf "%s-%s" .Chart.Name "grafana" }}
           securityContext:
@@ -190,3 +200,11 @@ spec:
       - name: {{ .Chart.Name }}
         emptyDir: {}
       {{- end }}
+      {{- if (.Values.authentication).basicAuth.enabled }}
+      - name: basic-auth-properties
+        secret:
+          secretName: {{ .Values.authentication.basicAuth.secretName }}
+          items:
+            - key: {{ .Values.authentication.basicAuth.filename }}
+              path: cryostat-users.properties
+      {{- end }}
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
@@ -419,6 +419,31 @@
                 }
             }
         },
+        "authentication": {
+            "type": "object",
+            "properties": {
+                "basicAuth": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication",
+                            "default": false
+                        },
+                        "secretName": {
+                            "type": "string",
+                            "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**",
+                            "default": ""
+                        },
+                        "filename": {
+                            "type": "string",
+                            "description": "Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax \"user=passHex\", where \"user\" is the username and \"passHex\" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)**",
+                            "default": ""
+                        }
+                    }
+                }
+            }
+        },
         "podSecurityContext": {
             "type": "object",
             "properties": {

diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
@@ -145,6 +145,17 @@ datasource:
       drop:
       - ALL
 
+## @section Authentication
+
+authentication:
+  basicAuth:
+    ## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication
+    enabled: false
+    ## @param authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**
+    secretName: ""
+    ## @param authentication.basicAuth.filename Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)**
+    filename: ""
+
 ## @section Other Parameters
 
 ## @param minimal Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source