
test(sampleapp): configure Cryostat Agent sample app to use k8s serviceaccount token auth #983

Conversation

andrewazores (Member) commented Dec 13, 2024

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

See #928
See cryostatio/cryostat-agent#383

Description of the change:

Reconfigures the make sample_app_agent target to use the automatic Kubernetes serviceaccount token detection for authentication/authorization to the auth proxy. This will work automatically in OpenShift. In other Kubernetes environments the user will need to patch the resulting Deployment to add CRYOSTAT_AGENT_AUTHORIZATION or CRYOSTAT_AGENT_AUTHORIZATION_TYPE+CRYOSTAT_AGENT_AUTHORIZATION_VALUE environment variables to match any oauth2-proxy Basic authentication that may be optionally configured.

Motivation for the change:

Exercises the latest best practice of using injected serviceaccount tokens managed by cluster RBAC, rather than using hardcoded long-lived tokens as part of the Deployment spec.

This probably still isn't exactly the best practice, as this grants the Role to the whole workload application and not only its Agent, so it's adding extra privileges to the workload that are not strictly required. It is useful and convenient as an example for testing and development, to demonstrate how the serviceaccount token system works with the Agent and the auth proxy, and it's better than giving the Agent an admin user token via environment variable which was commonly done for testing before.

The even more ideal situation is to configure the Agent with TLS client certificates properly and have it talk to the new TLS gateway proxy. I think that would be a good setup to exercise as a new sample app configuration at some point.

How to manually test:

  1. Get an OpenShift cluster
  2. Install Operator
  3. Create a Cryostat CR named cryostat-sample, e.g. make create_cryostat_cr
  4. make sample_app_agent
  5. Open Cryostat UI and ensure that the sample application appears on the Topology view. This may take a bit of time but should be relatively short.

[Screenshot, 2024-12-13: Pod quarkus-cryostat-agent-7f778c5bb4-9g8n8, Environment tab, Red Hat OpenShift Service on AWS]

[Screenshot, 2024-12-13: Topology view]
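The two authorization paths the PR description contrasts (automatic detection of the projected serviceaccount token, versus an explicit CRYOSTAT_AGENT_AUTHORIZATION header patched into the Deployment for an oauth2-proxy Basic-auth front end) as an added shell example. This is not code from the PR or the Cryostat project. It assumes GNU coreutils base64, that the Agent container is named quarkus-cryostat-agent (inferred from the pod name in the screenshot; check with kubectl get deploy -o yaml), and uses a constructed, unsigned sample token so the helpers run offline.

```shell
#!/usr/bin/env bash
# Added example for this PR discussion; not Cryostat project code.
# Assumptions: GNU base64; container name "quarkus-cryostat-agent" (inferred from
# the screenshot, not confirmed by the PR); the sample token below is constructed
# and unsigned. No cluster access is needed to run the helper functions.

# Standard mount point of the projected serviceaccount token inside a pod. The
# "automatic detection" the PR relies on works because this file is present on
# OpenShift, so no credential has to be written into the Deployment spec there.
SA_TOKEN_PATH=/var/run/secrets/kubernetes.io/serviceaccount/token

# Print the "sub" claim of a serviceaccount JWT WITHOUT verifying the signature.
# This is only a local sanity check of which identity the Agent will present to
# the auth proxy (system:serviceaccount:<namespace>:<name>). Signature
# validation is the proxy's / API server's job, not this script's.
sa_token_subject() {
  local token="$1" payload
  payload="$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')"
  # JWT segments omit base64 padding; restore it before decoding.
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Full Authorization header value for an oauth2-proxy Basic-auth front end.
# CRYOSTAT_AGENT_AUTHORIZATION carries the whole header value, so this is the
# string to inject when no serviceaccount token can be used.
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Strategic-merge patch that adds CRYOSTAT_AGENT_AUTHORIZATION to the Agent's
# container. Apply with:
#   kubectl patch deployment quarkus-cryostat-agent \
#     -p "$(agent_auth_patch "$(basic_auth_header user pass)")"
# A literal credential in the Deployment spec is exactly what the PR moves away
# from; outside a throwaway dev cluster use valueFrom.secretKeyRef instead.
agent_auth_patch() {
  local header="$1" container="${2:-quarkus-cryostat-agent}"
  printf '{"spec":{"template":{"spec":{"containers":[{"name":"%s","env":[{"name":"CRYOSTAT_AGENT_AUTHORIZATION","value":"%s"}]}]}}}}' \
    "$container" "$header"
}

# Constructed sample token (header.payload.placeholder-signature) so the decoder
# can be exercised offline. Real tokens are signed by the cluster.
sample_sa_token() {
  local hdr payload
  hdr="$(printf '{"alg":"RS256","kid":"sample"}' | base64 | tr -d '\n=' | tr '/+' '_-')"
  payload="$(printf '{"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:default:quarkus-cryostat-agent","aud":["https://kubernetes.default.svc"]}' | base64 | tr -d '\n=' | tr '/+' '_-')"
  printf '%s.%s.%s' "$hdr" "$payload" "not-a-real-signature"
}

# Mirror the decision described in the PR: if a projected token is present,
# rely on automatic detection; otherwise fall back to an explicit Basic header.
# Usage: choose_auth <token_path> <user> <password>
choose_auth() {
  if [ -s "$1" ]; then
    echo "auto: $(sa_token_subject "$(cat "$1")")"
  else
    basic_auth_header "$2" "$3"
  fi
}

# Stand-alone demonstration on the constructed token.
echo "subject: $(sa_token_subject "$(sample_sa_token)")"
echo "header:  $(basic_auth_header admin s3cret)"
echo "choice:  $(choose_auth "$SA_TOKEN_PATH" admin s3cret)"
agent_auth_patch "$(basic_auth_header admin s3cret)"; echo
```

The subject check is the practical counterpart of the RBAC caveat in the description: the token the Agent picks up belongs to whichever serviceaccount the whole pod runs as, so the Role bound to that account applies to the workload, not just the Agent.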

@andrewazores andrewazores force-pushed the sample-app-agent-serviceaccount-token branch from 365a020 to e4d464a Compare December 17, 2024 21:08
@andrewazores andrewazores merged commit d058b54 into cryostatio:main Dec 20, 2024
5 checks passed
@andrewazores andrewazores deleted the sample-app-agent-serviceaccount-token branch December 20, 2024 00:05