From 54fac3e85165fb31c3960ccb01a71cb1a505373e Mon Sep 17 00:00:00 2001 From: dgloe-hpe <88155587+dgloe-hpe@users.noreply.github.com> Date: Wed, 3 Jan 2024 10:18:09 -0600 Subject: [PATCH 1/6] ALT-828 Allow DRC2 calls with SPIRE (#99) The DRC2 feature uses a new "ogopogod" API with SPIRE. Add this to the OPA policy to enable this feature. --- kubernetes/cray-opa/Chart.yaml | 2 +- kubernetes/cray-opa/templates/policies/spire.yaml | 5 +++++ kubernetes/cray-opa/tests/opa/spire_test.rego.tpl | 7 +++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml index 1e5a3ad..cfd67dd 100644 --- a/kubernetes/cray-opa/Chart.yaml +++ b/kubernetes/cray-opa/Chart.yaml @@ -23,7 +23,7 @@ # apiVersion: v2 name: cray-opa -version: 1.33.0 +version: 1.33.1 description: Cray Open Policy Agent keywords: - opa diff --git a/kubernetes/cray-opa/templates/policies/spire.yaml b/kubernetes/cray-opa/templates/policies/spire.yaml index 7a49037..149aa26 100644 --- a/kubernetes/cray-opa/templates/policies/spire.yaml +++ b/kubernetes/cray-opa/templates/policies/spire.yaml @@ -117,6 +117,11 @@ data: {"method": "HEAD", "path": `^/apis/jackaloped/.*$`}, {"method": "POST", "path": `^/apis/jackaloped/.*$`}, {"method": "DELETE", "path": `^/apis/jackaloped/.*$`}, + # ogopogod - DRC2 + {"method": "GET", "path": `^/apis/ogopogod/.*$`}, + {"method": "HEAD", "path": `^/apis/ogopogod/.*$`}, + {"method": "POST", "path": `^/apis/ogopogod/.*$`}, + {"method": "DELETE", "path": `^/apis/ogopogod/.*$`}, ], "heartbeat": [ {{- if and (eq $.Values.opa.xnamePolicy.heartbeat true) (eq $.Values.opa.xnamePolicy.enabled true) }} diff --git a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl index bbe0443..f83a65e 100644 --- a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl +++ b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl 
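Review bot: The four new `^/apis/ogopogod/.*$` entries grant GET/HEAD/POST/DELETE over the whole ogopogod API to every SPIFFE identity bound to this method list, which is broader than the path-anchored entries used elsewhere in this policy (for example `^/apis/hmnfd/hmi/v1/subscribe$`), and the accompanying test only exercises `/apis/ogopogod/partitions`. If DRC2 needs only specific resources, anchoring the patterns to those paths keeps the workload at least privilege; if the wildcard is deliberate, record that in the comment, e.g. `# ogopogod - DRC2 (whole API required, see ALT-828)`, so the next reviewer does not have to guess. The method list this hunk extends starts above the hunk, so which identities it is bound to is not visible here.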
@@ -310,6 +310,13 @@ test_wlm { not allow.http_status with input as {"attributes": {"request": {"http": {"method": "DELETE", "path": "/apis/jackaloped/fabric/nics", "headers": {"authorization": spire_sub}}}}} # jackaloped - not allowed allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PUT", "path": "/apis/jackaloped/fabric/nics", "headers": {"authorization": spire_sub}}}}} + # ogopogod - allowed + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "DELETE", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}} + # ogopogod - not allowed + allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PUT", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}} } test_tpm_provisioner_cray_spire { From 12195f4f3b6d748157585533e2530fddebfcd664 Mon Sep 17 00:00:00 2001 From: Bo Quan <36549272+bo-quan@users.noreply.github.com> Date: Thu, 4 Jan 2024 12:38:42 -0500 Subject: [PATCH 2/6] CASMPET-6883: remove CPU limit (#102) --- kubernetes/cray-opa/Chart.yaml | 2 +- kubernetes/cray-opa/values.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml index cfd67dd..8cffb00 100644 --- a/kubernetes/cray-opa/Chart.yaml +++ b/kubernetes/cray-opa/Chart.yaml 
@@ -23,7 +23,7 @@ # apiVersion: v2 name: cray-opa -version: 1.33.1 +version: 1.33.2 description: Cray Open Policy Agent keywords: - opa diff --git a/kubernetes/cray-opa/values.yaml b/kubernetes/cray-opa/values.yaml index 540fda9..bb1b7b7 100644 --- a/kubernetes/cray-opa/values.yaml +++ b/kubernetes/cray-opa/values.yaml @@ -108,7 +108,6 @@ opa: cpu: "250m" limits: memory: "10Gi" - cpu: "4" # Timeout defaults to 200ms if not specified. Setting it to 20s, an # arbitrary long timeout, provides sufficient overhead to resolve # CASMPET-1804/2570 "deadline exceeded" gRPC errors for the ext_authz filter. From 99e098f12d1ef6119b2ff89e0530ef9838e82c6f Mon Sep 17 00:00:00 2001 From: David Ibarra <77758167+DavidIbarr@users.noreply.github.com> Date: Thu, 11 Jan 2024 14:41:35 -0600 Subject: [PATCH 3/6] DVS-2961: Allow SLS calls to generate DVS node map (#104) -Added policies for SLS under DVS to allow the dvs_generate_map script to use the data from SLS to generate the node map. -Updated the tests for SLS to ensure access is available to the path /apis/sls/v1/networks. Cleaned up comments for current spire tests under APIs used by DVS, matching current keycloak tests. -Tested the change by editing the opa-policy-ingressgateway-spire config map and restarting pods. Verified that the SLS data is sent via the API when using a new valid token. Co-authored-by: David Ibarra --- kubernetes/cray-opa/Chart.yaml | 2 +- .../cray-opa/templates/policies/spire.yaml | 10 +++++--- .../cray-opa/tests/opa/spire_test.rego.tpl | 25 +++++++++++++++---- 3 files changed, 28 insertions(+), 9 deletions(-) diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml index 8cffb00..1b7a295 100644 --- a/kubernetes/cray-opa/Chart.yaml +++ b/kubernetes/cray-opa/Chart.yaml @@ -23,7 +23,7 @@ # apiVersion: v2 name: cray-opa -version: 1.33.2 +version: 1.33.3 description: Cray Open Policy Agent keywords: - opa 
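Review bot: Dropping `cpu: "4"` leaves the OPA container with its 250m request and no CPU ceiling, and neither the values file nor the commit message says why, so a later tidy-up could reintroduce the limit and bring back whatever problem CASMPET-6883 was addressing. Add a one-line comment beside the remaining `memory: "10Gi"` limit, e.g. `# cpu limit intentionally omitted, see CASMPET-6883`, with the actual rationale if it is known.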
diff --git a/kubernetes/cray-opa/templates/policies/spire.yaml b/kubernetes/cray-opa/templates/policies/spire.yaml index 149aa26..bcf1b4e 100644 --- a/kubernetes/cray-opa/templates/policies/spire.yaml +++ b/kubernetes/cray-opa/templates/policies/spire.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright 2021-2023 Hewlett Packard Enterprise Development LP +Copyright 2021-2024 Hewlett Packard Enterprise Development LP */ -}} {{- range $name, $options := .Values.ingresses }} {{- if $options.policies.spire }} @@ -80,11 +80,15 @@ data: # These pass xnames via POST. This will be removed once the v2 API is being used. {"method": "POST", "path": `^/apis/hmnfd/hmi/v1/subscribe$`}, - #SMD -> GET everything, DVS needs SoftwareStatus. REVOKED permission to update BulkSoftwareStatus + # SMD -> GET everything, DVS needs SoftwareStatus. REVOKED permission to update BulkSoftwareStatus {"method": "GET", "path": `^/apis/smd/hsm/v2/.*$`}, {"method": "HEAD", "path": `^/apis/smd/hsm/v2/.*$`}, - #HMNFD -> subscribe only, cannot create state change notifications + # SLS -> GET - node map IP addresses + {"method": "GET", "path": `^/apis/sls/v1/.*$`}, + {"method": "HEAD", "path": `^/apis/sls/v1/.*$`}, + + # HMNFD -> subscribe only, cannot create state change notifications {"method": "GET", "path": `^/apis/hmnfd/hmi/v1/subscriptions$`}, {"method": "HEAD", "path": `^/apis/hmnfd/hmi/v1/subscriptions$`}, {"method": "PATCH", "path": `^/apis/hmnfd/hmi/v1/subscribe$`}, diff --git a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl index f83a65e..94c9080 100644 --- a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl +++ b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl @@ -1,4 +1,4 @@ -# Copyright 2021-2023 Hewlett Packard Enterprise Development LP +# Copyright 2021-2024 Hewlett Packard Enterprise Development LP package istio.authz ## HOW TO DO UNIT TESTING 
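Review bot: The new `^/apis/sls/v1/.*$` entries give the DVS identity read access to every SLS v1 resource, while the comment (`# SLS -> GET - node map IP addresses`) and the commit description describe a need for network data only, and the tests in this series only exercise `/apis/sls/v1/networks`. If the node-map script reads only that endpoint, a pattern anchored to it (for example `^/apis/sls/v1/networks.*$`) would match the least-privilege style of the SMD and HMNFD entries around it; if other SLS resources are also read, name them in the comment so the wildcard is justified. The enclosing method list starts above the hunk, so the identities bound to it are not visible here.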
@@ -13,9 +13,11 @@ cos_config_mock_path = "/apis/v2/cos/mock"
 hbtb_heartbeat_path = "/apis/hbtd/hmi/v1/heartbeat"
 nmd_mock_path = "/apis/v2/nmd/status"
 smd_statecomponents_path = "/apis/smd/hsm/v2/State/Components"
+smd_ethernetinterfaces_path = "/apis/smd/hsm/v2/Inventory/EthernetInterfaces"
 smd_softwarestatus_compute_path = "/apis/smd/hsm/v2/State/Components/x1/SoftwareStatus"
 smd_softwarestatus_ncn_path = "/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus"
 smd_softwarestatus_invalid_path = "/apis/smd/hsm/v2/State/Components/invalid/SoftwareStatus"
+sls_networks_path = "/apis/sls/v1/networks"
 hmnfd_subscribe_path = "/apis/hmnfd/hmi/v1/subscribe"
 hmnfd_subscriptions_path = "/apis/hmnfd/hmi/v1/subscriptions"
 pals_mock_path = "/apis/pals/v1/mock"
@@ -46,11 +48,22 @@ spire_correct_ncn_sub(sub) { allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": nmd_mock_path, "headers": {"authorization": sub}}}}} + # SMD - Allowed not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": smd_ethernetinterfaces_path, "headers": {"authorization": sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": smd_ethernetinterfaces_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": smd_softwarestatus_ncn_path, "headers": {"authorization": sub}}}}} + # Validate that DVS can access SoftwareStatus + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": "/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus", "headers": {"authorization": sub}}}}} + + # SLS - Allowed + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": sls_networks_path, "headers": {"authorization": sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": sls_networks_path, "headers": {"authorization": sub}}}}} + + # HMNFD - Allowed not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}} not 
allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": hmnfd_subscribe_path, "headers": {"authorization": sub}}}}} @@ -69,10 +82,6 @@ spire_correct_ncn_sub(sub) { # Validate that only CFS can access allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": cfs_ncn_mock_path, "headers": {"authorization": sub}}}}} - - # Validate that DVS can access SoftwareStatus - # not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": "/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus", "headers": {"authorization": sub}}}}} - } spire_correct_compute_sub(sub) { 
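Review bot: The re-enabled `# Validate that DVS can access SoftwareStatus` assertion duplicates the `PATCH` assertion three lines above it: its literal `/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus` is exactly the value of `smd_softwarestatus_ncn_path` defined in the constants hunk earlier in this patch. Keep one of the two, preferably the constant form `not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": smd_softwarestatus_ncn_path, "headers": {"authorization": sub}}}}}`, which is also how `spire_correct_compute_sub` in the following hunk writes it. `spire_correct_ncn_sub` continues outside this hunk.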
@@ -87,11 +96,17 @@ spire_correct_compute_sub(sub) { allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": nmd_mock_path, "headers": {"authorization": sub}}}}} allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": nmd_mock_path, "headers": {"authorization": sub}}}}} + # SMD - Allowed not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": smd_softwarestatus_compute_path, "headers": {"authorization": sub}}}}} + # SLS - Allowed + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": sls_networks_path, "headers": {"authorization": sub}}}}} + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": sls_networks_path, "headers": {"authorization": sub}}}}} + + # HMNFD - Allowed not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}} not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": hmnfd_subscribe_path, "headers": {"authorization": sub}}}}} From a67e98095a5a1b2f5733e926f19cf0d3d87ca10c Mon Sep 17 00:00:00 2001 
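Review bot: The new `# SLS - Allowed` block asserts only the positive cases; unlike the NMD assertions just above it (`allow.http_status == 403 ... nmd_mock_path`) there is no check that a write to SLS is denied for the compute identity, so a later widening of the SLS pattern to other methods would pass the tests unnoticed. Add a denial after the HEAD line, e.g. `allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": sls_networks_path, "headers": {"authorization": sub}}}}}`, and the same in the ncn variant in the previous hunk. `spire_correct_compute_sub` continues outside this hunk.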
From: ravikanth-nalla-hpe <140072234+ravikanth-nalla-hpe@users.noreply.github.com> Date: Fri, 22 Mar 2024 02:00:51 +0530 Subject: [PATCH 4/6] CASMPET-6798: Update Spire OPA Policy for SBPS Marshal Agent (#105) - enable/ update OPA policy for SBPS Marshal Agent - update unit test in OPA for SBPS Marshal Agent --- kubernetes/cray-opa/Chart.yaml | 4 ++-- kubernetes/cray-opa/templates/policies/spire.yaml | 5 +++++ kubernetes/cray-opa/tests/opa/run_tests/run_tests.go | 11 +++++++++++ kubernetes/cray-opa/tests/opa/spire_test.rego.tpl | 5 +++++ 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml index 1b7a295..f0eaba9 100644 --- a/kubernetes/cray-opa/Chart.yaml +++ b/kubernetes/cray-opa/Chart.yaml @@ -1,7 +1,7 @@ # # MIT License # -# (C) Copyright 2022-2023 Hewlett Packard Enterprise Development LP +# (C) Copyright 2022-2024 Hewlett Packard Enterprise Development LP # # Permission is hereby granted, free of charge, to any person obtaining a # copy of this software and associated documentation files (the "Software"), @@ -23,7 +23,7 @@ # apiVersion: v2 name: cray-opa -version: 1.33.3 +version: 1.33.4 description: Cray Open Policy Agent keywords: - opa diff --git a/kubernetes/cray-opa/templates/policies/spire.yaml b/kubernetes/cray-opa/templates/policies/spire.yaml index bcf1b4e..e8933c5 100644 --- a/kubernetes/cray-opa/templates/policies/spire.yaml +++ b/kubernetes/cray-opa/templates/policies/spire.yaml @@ -135,6 +135,9 @@ data: {"method": "POST", "path": `^/apis/hbtd/hmi/v1/heartbeat/.*$`}, {{- end }} {"method": "GET", "path": `^/apis/hbtd/hmi/v1/params$`}, + ], + "sbps-marshal": [ + {"method": "GET", "path": `^/apis/ims/v3/images$`}, ] } 
@@ -203,6 +206,7 @@ data:
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/heartbeat": spire_methods["heartbeat"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/orca": spire_methods["dvs"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
+ "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/sbps-marshal": spire_methods["sbps-marshal"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/cfs-state-reporter": spire_methods["cfs"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/heartbeat": spire_methods["heartbeat"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
@@ -272,6 +276,7 @@ data:
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/heartbeat": spire_methods["heartbeat"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/orca": spire_methods["dvs"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
+ "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/sbps-marshal": spire_methods["sbps-marshal"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/cfs-state-reporter": spire_methods["cfs"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/heartbeat": spire_methods["heartbeat"],
 "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
diff --git a/kubernetes/cray-opa/tests/opa/run_tests/run_tests.go b/kubernetes/cray-opa/tests/opa/run_tests/run_tests.go
index 17b6f3c..41807aa 100644
--- a/kubernetes/cray-opa/tests/opa/run_tests/run_tests.go
+++ b/kubernetes/cray-opa/tests/opa/run_tests/run_tests.go
@@ -351,6 +351,16 @@ func main() { } fmt.Println(spireSub, ":", spireNcnTPMProvisioner) + spireSub = spireSubNCNPrefix + "sbps-marshal" + args = createTokenArgs{ + issuer: spireIssuer, aud: systemComputeAud, sub: spireSub, + } + spireNcnSBPSMarshal, err := tc.create(args) + if err != nil { + log.Fatal(err) + } + fmt.Println(spireSub, ":", spireNcnSBPSMarshal) + spireSub = spireSubComputePrefix + "cfs-state-reporter" args = createTokenArgs{ issuer: spireIssuer, aud: systemComputeAud, sub: spireSub, @@ -625,6 +635,7 @@ func main() { "heartbeat": spireNcnHeartbeat, "orca": spireNcnOrca, "tpm_provisioner": spireNcnTPMProvisioner, + "sbps_marshal": spireNcnSBPSMarshal, }, "compute": map[string]interface{}{ "cfs_state_reporter": spireComputeCfsStateReporter, diff --git a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl index 94c9080..47857ea 100644 --- a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl +++ b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl @@ -21,6 +21,7 @@ sls_networks_path = "/apis/sls/v1/networks" hmnfd_subscribe_path = "/apis/hmnfd/hmi/v1/subscribe" hmnfd_subscriptions_path = "/apis/hmnfd/hmi/v1/subscriptions" pals_mock_path = "/apis/pals/v1/mock" +sbps_marshal_ims_path = "/apis/ims/v3/images" # Tests for denying access to pals mock path for ckdump sub @@ -347,3 +348,7 @@ test_tpm_provisioner_cray_spire { allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/tpm-provisioner/whitelist/remove", "headers": {"authorization": "Bearer {{ .spire.compute.cray_tpm_provisioner }}" }}}}} } + +test_spire_sbps_marshal { + not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": sbps_marshal_ims_path, "headers": {"authorization": "Bearer {{ .spire.ncn.sbps_marshal }}"}}}}} +} From aa80eea5da59677ed298b38cdc1d8429fd330af4 Mon Sep 17 00:00:00 2001 
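Review bot: `test_spire_sbps_marshal` asserts only the allowed GET, so a regression that widens the `sbps-marshal` list beyond `^/apis/ims/v3/images$` (another method, or a sub-path) would go unnoticed, whereas `test_tpm_provisioner_cray_spire` just above pairs allowed and 403 cases. Add at least one denial, e.g. `allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": sbps_marshal_ims_path, "headers": {"authorization": "Bearer {{ .spire.ncn.sbps_marshal }}"}}}}}`. The token is already wired through the `sbps_marshal` key added to run_tests.go in the earlier hunk, so nothing else is needed.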
From: Bo Quan <36549272+bo-quan@users.noreply.github.com> Date: Fri, 5 Apr 2024 15:41:52 -0400 Subject: [PATCH 5/6] CASMPET-6915: use newer plugin image and change it to daemonset (#106) --- kubernetes/cray-opa/Chart.yaml | 6 +-- .../{deployment.yaml => daemonset.yaml} | 39 +++---------------- kubernetes/cray-opa/templates/service.yaml | 3 +- kubernetes/cray-opa/tests/opa/Dockerfile | 4 +- kubernetes/cray-opa/values.yaml | 16 +++----- 5 files changed, 17 insertions(+), 51 deletions(-) rename kubernetes/cray-opa/templates/{deployment.yaml => daemonset.yaml} (82%) diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml index f0eaba9..1448ecb 100644 --- a/kubernetes/cray-opa/Chart.yaml +++ b/kubernetes/cray-opa/Chart.yaml @@ -23,7 +23,7 @@ # apiVersion: v2 name: cray-opa -version: 1.33.4 +version: 1.34.1 description: Cray Open Policy Agent keywords: - opa @@ -33,9 +33,9 @@ sources: maintainers: - name: bo-quan - name: ndavidson-hpe -appVersion: 0.52.0 +appVersion: 0.62.0 annotations: artifacthub.io/images: |- - name: cray-opa - image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless + image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless artifacthub.io/license: MIT diff --git a/kubernetes/cray-opa/templates/deployment.yaml b/kubernetes/cray-opa/templates/daemonset.yaml similarity index 82% rename from kubernetes/cray-opa/templates/deployment.yaml rename to kubernetes/cray-opa/templates/daemonset.yaml index 6ecf16d..7268dba 100644 --- a/kubernetes/cray-opa/templates/deployment.yaml +++ b/kubernetes/cray-opa/templates/daemonset.yaml @@ -1,7 +1,7 @@ {{/* MIT License -(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP +(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
@@ -22,29 +22,28 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */}} {{- range $name, $options:= .Values.ingresses }} -{{ $uuid := uuidv4 }} --- apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: name: cray-opa-{{ $name }} namespace: {{ $.Release.Namespace }} spec: - replicas: {{ $.Values.opa.replicas }} - strategy: + updateStrategy: {{- $.Values.opa.strategy | toYaml | nindent 4}} selector: matchLabels: + daemonset: cray-opa-{{ $name }} app.kubernetes.io/name: cray-opa-{{ $name }} app.kubernetes.io/instance: {{ $.Release.Name }} app.kubernetes.io/managed-by: {{ $.Release.Service }} template: metadata: labels: + daemonset: cray-opa-{{ $name }} app.kubernetes.io/name: cray-opa-{{ $name }} app.kubernetes.io/instance: {{ $.Release.Name }} app.kubernetes.io/managed-by: {{ $.Release.Service }} - deployment/uuid: {{ $uuid }} spec: containers: - image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }} @@ -151,34 +150,6 @@ spec: - configMap: name: cray-configmap-ca-public-key name: fetch-jwt-certs-ca-vol - affinity: - {{- if eq $.Values.affinity.default "preferred" }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - cray-opa-{{ $name }} - topologyKey: kubernetes.io/hostname - {{- end }} - {{- if eq $.Values.affinity.default "required" }} - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: deployment/uuid - operator: In - values: - - {{ $uuid }} - topologyKey: kubernetes.io/hostname - {{- end }} - {{ if $options.affinity }} -{{ toYaml $options.affinity | indent 8 }} - {{- end }} nodeSelector: {{ toYaml $.Values.nodeSelector | indent 8 }} tolerations: diff --git a/kubernetes/cray-opa/templates/service.yaml b/kubernetes/cray-opa/templates/service.yaml index 738c93a..10e7348 100644 
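Review bot: Along with the default anti-affinity, the deletion removes the per-ingress `{{ if $options.affinity }}` override, so an `ingresses.<name>.affinity` value still present in a site's values will from now on be ignored rather than applied or rejected. Either keep that override under the DaemonSet's `spec.template.spec` (a DaemonSet honours `affinity` the same way) or note the removal where operators will see it, e.g. in values.yaml: `# ingresses.<name>.affinity is no longer honoured since the move to a DaemonSet`. The `updateStrategy` now takes `$.Values.opa.strategy`, which after this commit holds only `type: RollingUpdate` and `maxUnavailable: 1` (values.yaml hunk below), which is a valid DaemonSet strategy.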
--- a/kubernetes/cray-opa/templates/service.yaml +++ b/kubernetes/cray-opa/templates/service.yaml @@ -1,7 +1,7 @@ {{/* MIT License -(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP +(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), @@ -33,6 +33,7 @@ metadata: app.kubernetes.io/instance: {{ $.Release.Name }} app.kubernetes.io/managed-by: {{ $.Release.Service }} spec: + internalTrafficPolicy: {{ $.Values.opa.internalTrafficPolicy }} ports: - name: http port: {{ $.Values.opa.port }} diff --git a/kubernetes/cray-opa/tests/opa/Dockerfile b/kubernetes/cray-opa/tests/opa/Dockerfile index 19598b5..68598cf 100644 --- a/kubernetes/cray-opa/tests/opa/Dockerfile +++ b/kubernetes/cray-opa/tests/opa/Dockerfile @@ -1,7 +1,7 @@ # # MIT License # -# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP +# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP # # Permission is hereby granted, free of charge, to any person obtaining a # copy of this software and associated documentation files (the "Software"), @@ -37,7 +37,7 @@ RUN cd src/run_tests && go mod download RUN cd src/run_tests && go build . RUN ls src/run_tests -FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless +FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless WORKDIR /tmp COPY --from=builder --chown=1000:1000 /go/src/run_tests/run_tests . COPY --chown=1000:1000 tests/opa/certificate_authority.crt /jwtValidationFetchTls/certificate_authority.crt diff --git a/kubernetes/cray-opa/values.yaml b/kubernetes/cray-opa/values.yaml index bb1b7b7..ba13b84 100644 --- a/kubernetes/cray-opa/values.yaml +++ b/kubernetes/cray-opa/values.yaml 
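Review bot: `internalTrafficPolicy` is set to `Local` in the values.yaml hunk below, which means a caller on a node with no ready cray-opa pod gets no endpoint rather than being routed to another node; the DaemonSet keeps the `nodeSelector` and `tolerations` from values, so a gateway pod on a node outside that selector, or one whose local OPA pod is mid-rollout, would presumably see its ext_authz calls fail. Assuming the ext_authz filter is configured to fail closed that is the safe direction (requests are denied, not bypassed), but it should be a conscious choice: add a comment next to the value such as `# Local: authz traffic stays node-local; every node that runs an ingress gateway must also run an OPA pod`, and confirm the nodeSelector covers the gateway nodes.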
@@ -1,7 +1,7 @@ # # MIT License # -# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP +# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP # # Permission is hereby granted, free of charge, to any person obtaining a # copy of this software and associated documentation files (the "Software"), @@ -24,7 +24,7 @@ --- image: repository: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa - tag: 0.52.0-envoy-rootless # When changing this, also update tests/opa//Dockerfile. + tag: 0.62.0-envoy-rootless # When changing this, also update tests/opa/Dockerfile and precache image. pullPolicy: IfNotPresent priorityClassName: csm-high-priority-service @@ -89,7 +89,7 @@ ingresses: issuers: [] opa: - replicas: 3 + internalTrafficPolicy: Local port: 9191 containerPort: 9191 loglevel: info @@ -99,15 +99,14 @@ opa: secret: "" strategy: rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% + maxUnavailable: 1 type: RollingUpdate resources: requests: memory: "128Mi" cpu: "250m" limits: - memory: "10Gi" + memory: "800Mi" # Timeout defaults to 200ms if not specified. Setting it to 20s, an # arbitrary long timeout, provides sufficient overhead to resolve # CASMPET-1804/2570 "deadline exceeded" gRPC errors for the ext_authz filter. @@ -126,11 +125,6 @@ opa: heartbeat: false tpmProvisioner: false -affinity: - # set default to 'preferred' for default preferred anti affinity rule - # set default to 'required' for default required anti affinity rule - default: required - jwtValidation: keycloak: jwksUri: "https://istio-ingressgateway.istio-system.svc.cluster.local./keycloak/realms/shasta/protocol/openid-connect/certs" From e5a6021b0ac2096a9ed9595b3e35915d071e8640 Mon Sep 17 00:00:00 2001 
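Review bot: The memory limit drops from `10Gi` to `800Mi` in the same change that moves to one pod per node with node-local traffic, so an OOM kill of that single pod now takes the authz path for its node down until the container restarts, and nothing in the file records how 800Mi was sized. Add the basis for the number and the ticket on the line, e.g. `memory: "800Mi" # sized from observed usage, CASMPET-6915`, so it is not guessed at next time. The `opa.replicas` key is removed here; any site override that still sets it will be ignored, which is worth a line in the chart's release notes.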
From: "Mitch Harding (the weird one)" Date: Wed, 24 Apr 2024 15:44:20 -0400 Subject: [PATCH 6/6] CASMCMS-8971: Multi-Tenancy OPA policy: Allow tenant admins to list their BOSv2 sessions --- kubernetes/cray-opa/Chart.yaml | 2 +- kubernetes/cray-opa/templates/policies/keycloak-admin.yaml | 3 ++- kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml index 1448ecb..fbd38bb 100644 --- a/kubernetes/cray-opa/Chart.yaml +++ b/kubernetes/cray-opa/Chart.yaml @@ -23,7 +23,7 @@ # apiVersion: v2 name: cray-opa -version: 1.34.1 +version: 1.34.2 description: Cray Open Policy Agent keywords: - opa diff --git a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml index e775814..d7c4752 100644 --- a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml +++ b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright 2021-2023 Hewlett Packard Enterprise Development LP +Copyright 2021-2024 Hewlett Packard Enterprise Development LP */ -}} {{- range $name, $options := .Values.ingresses }} {{- if $options.policies.keycloak.admin }} 
@@ -167,6 +167,7 @@ data:
 {"method": "GET", "path": `^/apis/bos/v2/components$`}, # GET allows a listing of all active components states
 {"method": "GET", "path": `^/apis/bos/v2/components/.*$`}, # GET information on an individual component
 {"method": "GET", "path": `^/apis/bos/v2/healthz$`}, # Allow tenant admins to know the overall health of the deployment
+ {"method": "GET", "path": `^/apis/bos/v2/sessions$`}, # GET BOSv2 Sessions (list all)
 {"method": "POST", "path": `^/apis/bos/v2/sessions$`}, # POST Creates a new BOSv2 Session
 {"method": "GET", "path": `^/apis/bos/v2/sessions/.*$`}, # GET allows monitoring status of individual sessions
 {"method": "GET", "path": `^/apis/bos/v2/sessions/.*?/status$`}, # Obtain more detailed status information for an individual session
diff --git a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
index b0d33e5..60aa5d7 100644
--- a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
+++ b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
@@ -1,4 +1,4 @@
-# Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+# Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 package istio.authz ## HOW TO DO UNIT TESTING
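Review bot: The new `GET ^/apis/bos/v2/sessions$` entry lets a tenant admin list sessions, and this policy only decides allow/deny per method and path; whether the listing is scoped to the caller's tenant depends on BOS honouring the `cray-tenant-name` header (the test hunk below sends it), which is not recorded here. If BOS filters the listing by tenant, say so in the inline comment, e.g. `# GET BOSv2 Sessions (list; BOS scopes the result to the caller's tenant)`; if it does not, the call would reveal other tenants' session names and the entry should wait for that filtering. The surrounding method list starts above the hunk.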
@@ -188,6 +188,7 @@ test_tenant_admin {
 not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/components", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
 not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/components/foo", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
 not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/healthz", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
 not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/bos/v2/sessions", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
 not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions/foo", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
 not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions/foo/status", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}