Merge pull request #137 from Kuadrant/server-tls-cert

TLS for the external authorization service
Kuadrant · Jul 21, 2021 · 7612c49 · 7612c49
2 parents 8304ff2 + 52bd81e
commit 7612c49
Show file tree

Hide file tree

Showing 16 changed files with 343 additions and 85 deletions.
diff --git a/Makefile b/Makefile
@@ -177,9 +177,14 @@ namespace:
 NAMESPACE ?= $(AUTHORINO_NAMESPACE)
 DEPLOY_KEYCLOAK ?= $(DEPLOY_IDPS)
 DEPLOY_DEX ?= $(DEPLOY_IDPS)
+ifeq (,$(findstring -notls,$(AUTHORINO_DEPLOYMENT)))
+ENVOY_OVERLAY = tls
+else
+ENVOY_OVERLAY = notls
+endif
 example-apps:
 	kubectl -n $(NAMESPACE) apply -f examples/talker-api/talker-api-deploy.yaml
-	kubectl -n $(NAMESPACE) apply -f examples/envoy/envoy-deploy.yaml
+	$(KUSTOMIZE) build examples/envoy/overlays/$(ENVOY_OVERLAY) | kubectl -n $(NAMESPACE) apply -f -
 ifneq (, $(DEPLOY_KEYCLOAK))
 	kubectl -n $(NAMESPACE) apply -f examples/keycloak/keycloak-deploy.yaml
 endif

diff --git a/deploy/base/certmanager/kustomization.yaml b/deploy/base/certmanager/kustomization.yaml
@@ -6,6 +6,7 @@ kind: Kustomization
 
 resources:
 - issuer.yaml
+- server-cert.yaml
 - oidc-server-cert.yaml
 # - webhook-server-cert.yaml
 

diff --git a/deploy/base/certmanager/server-cert.yaml b/deploy/base/certmanager/server-cert.yaml
@@ -0,0 +1,17 @@
+# The following manifest contains a certificate CR for Authorino external authorization server
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 1.4.0 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: server-cert
+  namespace: system
+spec:
+  dnsNames:
+  - authorino-authorization
+  - authorino-authorization.$(AUTHORINO_NAMESPACE).svc
+  - authorino-authorization.$(AUTHORINO_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: ca-issuer
+  secretName: authorino-server-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/deploy/overlays/cluster-wide/kustomization.yaml b/deploy/overlays/cluster-wide/kustomization.yaml
@@ -8,4 +8,5 @@ resources:
 namespace: authorino
 
 patchesStrategicMerge:
+- patches/server_cert_patch.yaml
 - patches/oidc_server_cert_patch.yaml
diff --git a/deploy/overlays/cluster-wide/patches/server_cert_patch.yaml b/deploy/overlays/cluster-wide/patches/server_cert_patch.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        env:
+        - name: TLS_CERT
+          value: /etc/ssl/certs/tls.crt
+        - name: TLS_CERT_KEY
+          value: /etc/ssl/private/tls.key
+        volumeMounts:
+        - name: tls-cert
+          subPath: tls.crt
+          mountPath: /etc/ssl/certs/tls.crt
+          readOnly: true
+        - name: tls-cert
+          subPath: tls.key
+          mountPath: /etc/ssl/private/tls.key
+          readOnly: true
+      volumes:
+      - name: tls-cert
+        secret:
+          defaultMode: 420
+          secretName: authorino-server-cert
diff --git a/deploy/overlays/namespaced/kustomization.yaml b/deploy/overlays/namespaced/kustomization.yaml
@@ -8,4 +8,5 @@ resources:
 namespace: authorino
 
 patchesStrategicMerge:
+- patches/server_cert_patch.yaml
 - patches/oidc_server_cert_patch.yaml
diff --git a/deploy/overlays/namespaced/patches/server_cert_patch.yaml b/deploy/overlays/namespaced/patches/server_cert_patch.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        env:
+        - name: TLS_CERT
+          value: /etc/ssl/certs/tls.crt
+        - name: TLS_CERT_KEY
+          value: /etc/ssl/private/tls.key
+        volumeMounts:
+        - name: tls-cert
+          subPath: tls.crt
+          mountPath: /etc/ssl/certs/tls.crt
+          readOnly: true
+        - name: tls-cert
+          subPath: tls.key
+          mountPath: /etc/ssl/private/tls.key
+          readOnly: true
+      volumes:
+      - name: tls-cert
+        secret:
+          defaultMode: 420
+          secretName: authorino-server-cert
diff --git a/docs/deploy.md b/docs/deploy.md
@@ -25,7 +25,7 @@ Apart from the obvious requirement of having a running instance of a Kubernetes
 <!-- TODO: Add minimum required Kubernetes version -->
 
 - Permission from the Kubernetes server to create Custom Resource Definitions (CRDs) during Authorino's installation. Cluster administrators can handle this requirement through the Kubernetes API Role-Based Access Control bindings.
-- [Envoy](https://www.envoyproxy.io) proxy (or, technically, any proxy that implements the client-side of the [gRPC protocol](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/ext_authz)). With Envoy, ultimately, virtual hosts will be associated to the upstream APIs to protect, and the [external authorization filter](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/ext_authz) should point to Authorino. Check [this example](/examples/envoy/envoy-deploy.yaml) if you need to.
+- [Envoy](https://www.envoyproxy.io) proxy (or, technically, any proxy that implements the client-side of the [gRPC protocol](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/ext_authz)). With Envoy, ultimately, virtual hosts will be associated to the upstream APIs to protect, and the [external authorization filter](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/ext_authz) should point to Authorino. Check [this example](/examples/envoy) if you need to.
 
 ### Feature-specific requirements
 

diff --git a/examples/envoy/base/envoy.yaml b/examples/envoy/base/envoy.yaml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: envoy
+  labels:
+    app: authorino
+    svc: envoy
+spec:
+  selector:
+    matchLabels:
+      app: authorino
+      svc: envoy
+  template:
+    metadata:
+      labels:
+        app: authorino
+        svc: envoy
+    spec:
+      containers:
+        - name: envoy
+          image: envoyproxy/envoy:v1.17-latest
+          command: ["/usr/local/bin/envoy"]
+          args:
+            - --config-path /usr/local/etc/envoy/envoy.yaml
+            - --service-cluster front-proxy
+            - --log-level info
+            - --component-log-level filter:trace,http:debug,router:debug
+          ports:
+            - name: web
+              containerPort: 8000
+            - name: admin
+              containerPort: 8001
+          volumeMounts:
+            - name: config
+              mountPath: /usr/local/etc/envoy
+              readOnly: true
+      volumes:
+        - name: config
+          configMap:
+            name: envoy
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+  replicas: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: envoy
+  labels:
+    app: authorino
+spec:
+  selector:
+    app: authorino
+    svc: envoy
+  ports:
+    - name: web
+      port: 8000
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-wildcard-host
+spec:
+  rules:
+    - host: "talker-api-authorino.127.0.0.1.nip.io"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: envoy
+                port:
+                  number: 8000
diff --git a/examples/envoy/base/kustomization.yaml b/examples/envoy/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- envoy.yaml
diff --git a/examples/envoy/envoy-deploy.yaml → examples/envoy/overlays/notls/configmap.yaml b/examples/envoy/envoy-deploy.yaml → examples/envoy/overlays/notls/configmap.yaml
@@ -1,80 +1,3 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: envoy
-  labels:
-    app: authorino
-    svc: envoy
-spec:
-  selector:
-    matchLabels:
-      app: authorino
-      svc: envoy
-  template:
-    metadata:
-      labels:
-        app: authorino
-        svc: envoy
-    spec:
-      containers:
-        - name: envoy
-          image: envoyproxy/envoy:v1.17-latest
-          command: ["/usr/local/bin/envoy"]
-          args:
-            - --config-path /usr/local/etc/envoy/envoy.yaml
-            - --service-cluster front-proxy
-            - --log-level info
-            - --component-log-level filter:trace,http:debug,router:debug
-          ports:
-            - name: web
-              containerPort: 8000
-            - name: admin
-              containerPort: 8001
-          volumeMounts:
-            - name: config
-              mountPath: /usr/local/etc/envoy
-              readOnly: true
-      volumes:
-        - name: config
-          configMap:
-            name: envoy
-            items:
-              - key: envoy.yaml
-                path: envoy.yaml
-  replicas: 1
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: envoy
-  labels:
-    app: authorino
-spec:
-  selector:
-    app: authorino
-    svc: envoy
-  ports:
-    - name: web
-      port: 8000
-      protocol: TCP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ingress-wildcard-host
-spec:
-  rules:
-    - host: "talker-api-authorino.127.0.0.1.nip.io"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: envoy
-                port:
-                  number: 8000
----
 apiVersion: v1
 kind: ConfigMap
 metadata:

diff --git a/examples/envoy/overlays/notls/kustomization.yaml b/examples/envoy/overlays/notls/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
+- configmap.yaml