[Story] Use Password Authentication for Kubernetes

[ebaron]

Currently, Cryostat only authenticates users by default when run in OpenShift. We should configure password authentication when running on Kubernetes, perhaps generating credentials prior to deployment.

[ebaron]

For now, I think it's enough to allow users to provide a secret through the Cryostat CRD containing the credentials in the format expected by Cryostat's BasicAuthManager.

From the Cryostat README:

The BasicAuthManager uses basic credential authentication configured with a standard Java properties file at $CRYOSTAT_CONFIG_PATH/cryostat-users.properties. The credentials stored in the Java properties file are the user name and a SHA-256 sum hex of the user's password. The property file contents should look like:

user1=abc123
user2=def987

Where abc123 and def987 are substituted for the SHA-256 sum hexes of the desired user passwords. These can be obtained by ex. echo -n PASS | sha256sum | cut -d' ' -f1.

If the user provides this secret, the operator should mount the properties file within the secret at the $CRYOSTAT_CONFIG_PATH/cryostat-users.properties within the Cryostat container. It should then set the CRYOSTAT_AUTH_MANAGER environment variable to io.cryostat.net.BasicAuthManager.

If the user doesn't provide the secret, then we fall back to the existing behaviour. On OpenShift, the OpenShiftAuthManager is used. On Kubernetes, the NoopAuthManager is used.

[ebaron]

Hey @jaadbarg! This is the issue I had in mind.

[ebaron]

Here's how the API could look:

// CryostatSpec defines the desired state of Cryostat.
type CryostatSpec struct {
	// ...

	// Options to configure how Cryostat authenticates users.
	// +optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authentication Options"
	AuthenticationOptions *AuthenticationOptions `json:"authentication,omitempty"`
}

type AuthenticationOptions struct {
	// By providing a secret containing a credentials property file, Cryostat will use basic
	// authentication instead of the platform defaults. When unset on OpenShift, Cryostat will integrate
	// with OpenShift's OAuth Server (Recommended). When unset on Kubernetes, Cryostat will not
	// perform any form of authentication.
	// +optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Basic Authentication"
	BasicAuthentication *BasicAuthenticationSecret `json:"basicAuth,omitempty"`
}

// BasicAuthenticationSecret refers to a Secret containing credentials
// that Cryostat can use for basic authentication.
type BasicAuthenticationSecret struct {
	// Name of the Secret within Cryostat's namespace.
	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
	SecretName string `json:"secretName"`
	// Key within secret containing the properties file. The properties file should contain one user per line,
	// with the syntax "user=passHex", where "user" is the username and "passHex" is the SHA-256 hash of the desired
	// password. The SHA-256 hash can be computed by tools such as "sha256sum".
	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
	Filename string `json:"filename"`
}

[jaadbarg]

Hi @ebaron I can take this one👍👍

[andrewazores]

Looks like this was already completed. In 3.0 it will be implemented slightly differently via oauth2_proxy/openshift-oauth-proxy, but the CR API will be the same or very similar for the user perspective.

[ebaron]

I think this is still outstanding, it was done in the Helm Chart but not in the operator.