
ROX-23255: emailsender read auth cfg from kubernetes #1860

@johannes94 johannes94 commented Jun 5, 2024

Description

Follow Up on #1826 .

This adds a function to the AuthConfig of emailsender that allows reading it from its own Kubernetes service account.

emailsender is expected to be called by central with its Kubernetes service account. Since emailsender has its own service account as well, we can use that information to read the configuration values required for authentication (issuer, audience, jwks_url).

This way we don't need a config file / config map that is different per environment we deploy to, where we have to manually manage the input vars (e.g. addon parameters).

Checklist (Definition of Done)

  • Unit and integration tests added
  • Added test description under Test manual
  • Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
  • CI and all relevant tests are passing
  • Add the ticket number to the PR title if available, i.e. ROX-12345: ...
  • Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
  • Add secret to app-interface Vault or Secrets Manager if necessary
  • RDS changes were e2e tested manually
  • Check AWS limits are reasonable for changes provisioning new resources
  • (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

  • Deployed the emailsender service to kube
  • Created a dummy pod called central in a dummy namespace rhacs-test with the nginx image
  • Exec'd into that pod and sent a curl to emailsender with the service account -> works
  • Sent the curl without authentication -> is blocked
# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration
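The mechanism the description above relies on (deriving issuer, audience and jwks_url from the pod's own service-account token instead of a per-environment config file), as an added Go example; this is not code from the PR or the repository. It assumes a kubelet-projected token whose claims are read as plain JWT and an OpenID discovery document fetched from the token's issuer; the `AuthConfig` type, `AuthConfigFromSAToken`, `firstAudience`, and the sample token and discovery document are constructed for this illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthConfig is what a server needs to validate caller tokens issued by its
// own cluster. Hypothetical type modelled on the PR description.
type AuthConfig struct{ Issuer, Audience, JWKSURL string }

// AuthConfigFromSAToken derives issuer, audience and JWKS URL from the pod's
// own service-account JWT plus the issuer's OpenID discovery document (in a
// pod, fetched from <issuer>/.well-known/openid-configuration). The signature
// is deliberately NOT verified: this is our own token, read from a file the
// kubelet mounted, and it serves only as configuration. Callers' tokens must
// still be verified against the JWKS.
func AuthConfigFromSAToken(token string, discovery []byte) (*AuthConfig, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS (expected 3 segments)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode JWT payload: %w", err)
	}
	// aud may be a string or an array of strings (RFC 7519 §4.1.3).
	var claims struct {
		Issuer   string          `json:"iss"`
		Audience json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse JWT claims: %w", err)
	}
	if claims.Issuer == "" {
		return nil, errors.New("token has no iss claim")
	}
	aud, err := firstAudience(claims.Audience)
	if err != nil {
		return nil, err
	}
	var disc struct {
		Issuer  string `json:"issuer"`
		JWKSURI string `json:"jwks_uri"`
	}
	if err := json.Unmarshal(discovery, &disc); err != nil {
		return nil, fmt.Errorf("parse discovery document: %w", err)
	}
	// OIDC Discovery requires the document's issuer to equal the one it was
	// fetched for; a mismatch would point us at the wrong key set.
	if disc.Issuer != claims.Issuer {
		return nil, fmt.Errorf("discovery issuer %q != token issuer %q", disc.Issuer, claims.Issuer)
	}
	if disc.JWKSURI == "" {
		return nil, errors.New("discovery document has no jwks_uri")
	}
	return &AuthConfig{Issuer: claims.Issuer, Audience: aud, JWKSURL: disc.JWKSURI}, nil
}

// firstAudience accepts both encodings of aud and returns the first entry;
// a deployment with several audiences would need an explicit policy here.
func firstAudience(raw json.RawMessage) (string, error) {
	var single string
	if json.Unmarshal(raw, &single) == nil && single != "" {
		return single, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil || len(many) == 0 || many[0] == "" {
		return "", errors.New("aud claim is missing, or neither a string nor a non-empty array")
	}
	return many[0], nil
}

// ConstructedToken builds an UNSIGNED sample token (empty signature segment)
// with the claims a projected token carries. Constructed for this example.
func ConstructedToken() string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	claims := map[string]any{
		"iss": "https://kubernetes.default.svc.cluster.local",
		"aud": []string{"https://kubernetes.default.svc.cluster.local"},
		"sub": "system:serviceaccount:rhacs-test:emailsender",
	}
	return enc(map[string]string{"alg": "RS256"}) + "." + enc(claims) + "."
}

// ConstructedDiscovery is a sample discovery document for the same issuer.
const ConstructedDiscovery = `{"issuer":"https://kubernetes.default.svc.cluster.local","jwks_uri":"https://kubernetes.default.svc.cluster.local/openid/v1/jwks"}`

func main() {
	// In a pod, read /var/run/secrets/kubernetes.io/serviceaccount/token and
	// GET the discovery URL instead of using the constructed inputs.
	cfg, err := AuthConfigFromSAToken(ConstructedToken(), []byte(ConstructedDiscovery))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("issuer=%s audience=%s jwks=%s\n", cfg.Issuer, cfg.Audience, cfg.JWKSURL)
}
```

The own token is treated purely as a source of configuration, which is why its signature is not checked; the values it yields (issuer, expected audience, JWKS URL) are what the server then uses to verify the tokens callers such as central present. Taking `jwks_uri` from the discovery document rather than hard-coding a path keeps the example correct for clusters whose issuer is an external URL.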

@johannes94 johannes94 requested a review from kurlov June 5, 2024 04:30
@openshift-ci openshift-ci bot added the approved label Jun 5, 2024
@johannes94 johannes94 changed the base branch from main to jmalsam/ROX-23255-emailsender-auth June 5, 2024 04:33
@johannes94 johannes94 changed the title ROX-23255: emailsender read auth configuration from own SA token ROX-23255: emailsender read auth cfg from kubernetes Jun 6, 2024

// TLSWithAdditionalCAs returns a tls config with additional trusted CA certificates.
// It uses the system's default certificates and appends the CA certificates in the given files.
func TLSWithAdditionalCAs(caFiles ...string) (*tls.Config, error) {
Contributor Author

@kurlov I copied a lot of this logic from the PR you already reviewed in the core repo. The function itself is still somewhat different, as it errors on failed certificate loads and does not return a full http.Transport like here.
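An illustrative implementation of the `TLSWithAdditionalCAs` shape shown in the diff, added here as an example and not the repository's own code: it starts from the system cert pool and, as the comment above describes, returns an error on the first CA file that cannot be read or contains no parsable certificate. The `TrustsCertificate` and `WriteFixtures` helpers and the throwaway self-signed CA are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// TLSWithAdditionalCAs returns a TLS config that trusts the system roots plus
// the CA certificates in the given PEM files. It fails on the first file that
// cannot be read or yields no certificate, so a wrong CA path is caught at
// start-up instead of surfacing later as an opaque handshake error.
func TLSWithAdditionalCAs(caFiles ...string) (*tls.Config, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("load system cert pool: %w", err)
	}
	for _, f := range caFiles {
		pemBytes, err := os.ReadFile(f)
		if err != nil {
			return nil, fmt.Errorf("read CA file %q: %w", f, err)
		}
		// AppendCertsFromPEM reports false when nothing in the file parsed.
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("CA file %q contains no parsable certificate", f)
		}
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// TrustsCertificate reports whether the first certificate in pemFile verifies
// against cfg's root pool, i.e. whether that CA is now trusted.
func TrustsCertificate(cfg *tls.Config, pemFile string) bool {
	pemBytes, err := os.ReadFile(pemFile)
	if err != nil {
		return false
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

// WriteFixtures writes a throwaway self-signed CA (ca.pem) and a file holding
// no PEM at all (bogus.pem) into dir. Constructed fixtures for this example.
func WriteFixtures(dir string) (caPath, bogusPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	caPath = filepath.Join(dir, "ca.pem")
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err = os.WriteFile(caPath, caPEM, 0o600); err != nil {
		return "", "", err
	}
	bogusPath = filepath.Join(dir, "bogus.pem")
	if err = os.WriteFile(bogusPath, []byte("this is not a certificate\n"), 0o600); err != nil {
		return "", "", err
	}
	return caPath, bogusPath, nil
}

func main() {
	dir, err := os.MkdirTemp("", "extra-ca-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	caPath, bogusPath, err := WriteFixtures(dir)
	if err != nil {
		panic(err)
	}
	cfg, err := TLSWithAdditionalCAs(caPath)
	fmt.Println("CA loaded:", err == nil, "trusted:", cfg != nil && TrustsCertificate(cfg, caPath))
	_, err = TLSWithAdditionalCAs(bogusPath)
	fmt.Println("file without PEM rejected:", err != nil)
}
```

Failing loudly on a bad CA file is the safer default for a service that will present this pool to every outbound TLS connection: a silently skipped file leaves the process running with a trust store that does not match what the operator configured.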

Contributor

openshift-ci bot commented Jun 6, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94, kurlov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Member

kurlov commented Jun 6, 2024

Looks great 🎉

Contributor

openshift-ci bot commented Jun 6, 2024

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci bot removed the lgtm label Jun 6, 2024
@johannes94 johannes94 merged commit 98f3fb5 into jmalsam/ROX-23255-emailsender-auth Jun 6, 2024
3 checks passed
@johannes94 johannes94 deleted the jmalsam/ROX-23255-emailsender-sa-auth branch June 6, 2024 17:53
johannes94 added a commit that referenced this pull request Jun 7, 2024
* add authentication for ocm for dev and test purposes

* add authentication for kubernetes service accounts

* prepare getting sub from auth context for rate limiting

* add authorization based on issuer, audience, subject and org id

* emailsender read auth cfg from kubernetes (#1860)