From e6be8ea1f45d7635306a01c21fda029c39946fba Mon Sep 17 00:00:00 2001 From: Thuan Vo Date: Wed, 25 Oct 2023 15:52:50 -0700 Subject: [PATCH] feat(auth): allow optional basic authentication (#95) * feat(values): add authentication value parameters * feat(auth): implement basic authentication * fix(values): handle nullable cases * docs(readme): update to mention unset auth case --- charts/cryostat/README.md | 8 ++++++++ charts/cryostat/templates/deployment.yaml | 22 ++++++++++++++++++-- charts/cryostat/values.schema.json | 25 +++++++++++++++++++++++ charts/cryostat/values.yaml | 11 ++++++++++ 4 files changed, 64 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 8c805aaa..a1e9b254 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -70,6 +70,14 @@ A Helm chart for deploying [Cryostat](https://cryostat.io/) on Kubernetes and Op | `datasource.resources` | Resource requests/limits for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) | `{}` | | `datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +### Authentication + +| Name | Description | Value | +| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication | `false` | +| `authentication.basicAuth.secretName` | Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** | `""` | +| `authentication.basicAuth.filename` | Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** | `""` | + ### Other Parameters | Name | Description | Value | diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 40ec2640..22c041c2 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -52,8 +52,6 @@ spec: value: "{{ if .Values.core.ingress.enabled }}{{ with index .Values.core.ingress.hosts 0 }}{{ .host }}{{ end }}{{ end }}" - name: CRYOSTAT_PLATFORM value: io.cryostat.platform.internal.KubeApiPlatformStrategy - - name: CRYOSTAT_AUTH_MANAGER - value: io.cryostat.net.NoopAuthManager {{- if not .Values.minimal }} - name: GRAFANA_DATASOURCE_URL value: http://127.0.0.1:8080 @@ -94,6 +92,12 @@ spec: name: {{ default (printf "%s-jmx-credentials-db" .Release.Name) .Values.core.databaseSecretName }} key: CRYOSTAT_JMX_CREDENTIALS_DB_PASSWORD optional: false + - name: CRYOSTAT_AUTH_MANAGER + {{- if (.Values.authentication).basicAuth.enabled }} + value: io.cryostat.net.BasicAuthManager + {{- else }} + value: io.cryostat.net.NoopAuthManager + {{- end }} ports: - containerPort: 8181 protocol: TCP @@ -128,6 +132,12 @@ spec: - mountPath: /opt/cryostat.d/probes.d name: {{ .Chart.Name }} subPath: probes + {{- if (.Values.authentication).basicAuth.enabled }} + - mountPath: /opt/cryostat.d/conf.d/cryostat-users.properties + name: basic-auth-properties + subPath: cryostat-users.properties + readOnly: true + {{- end }} {{- if not .Values.minimal }} - name: {{ printf "%s-%s" .Chart.Name "grafana" }} securityContext: @@ -190,3 +200,11 @@ spec: - name: {{ .Chart.Name }} emptyDir: {} {{- end }} + {{- if (.Values.authentication).basicAuth.enabled }} + - name: basic-auth-properties + secret: + secretName: {{ .Values.authentication.basicAuth.secretName }} + items: + - key: {{ .Values.authentication.basicAuth.filename }} + path: cryostat-users.properties + {{- end }} diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 427256aa..7dfa3baa 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -419,6 +419,31 @@ } } }, + "authentication": { + "type": "object", + "properties": { + "basicAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication", + "default": false + }, + "secretName": { + "type": "string", + "description": "Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)**", + "default": "" + }, + "filename": { + "type": "string", + "description": "Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax \"user=passHex\", where \"user\" is the username and \"passHex\" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)**", + "default": "" + } + } + } + } + }, "podSecurityContext": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index b33b3f92..b8c15165 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -145,6 +145,17 @@ datasource: drop: - ALL +## @section Authentication + +authentication: + basicAuth: + ## @param authentication.basicAuth.enabled Whether Cryostat should use basic authentication for users. When false, Cryostat will not perform any form of authentication + enabled: false + ## @param authentication.basicAuth.secretName Name of the Secret that contains the credentials within Cryostat's namespace **(Required if basicAuth is enabled)** + secretName: "" + ## @param authentication.basicAuth.filename Key within Secret containing the properties file. The properties file should contain one user per line, with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired password **(Required if basicAuth is enabled)** + filename: "" + ## @section Other Parameters ## @param minimal Specify whether to deploy a Cryostat instance with no Grafana Dashboard or JFR Data Source