Merge pull request #379 from MetaCell/feature/344
Feature/344: gatekeeper improvements
zsinnema authored Feb 3, 2022
2 parents fa60e66 + 414250b commit 6273a30
Showing 2 changed files with 74 additions and 19 deletions.
Expand Up @@ -9,11 +9,12 @@ metadata:
app: "{{ .app.harness.service.name }}-gk"
data:
proxy.yml: |-
verbose: true
verbose: {{ .root.Values.debug }}
discovery-url: {{ ternary "https" "http" $tls}}://{{ .root.Values.apps.accounts.harness.subdomain }}.{{ .root.Values.domain }}/auth/realms/{{ .root.Values.namespace }}
client-id: {{ .root.Values.apps.accounts.webclient.id | quote }}
client-secret: {{ .root.Values.apps.accounts.webclient.secret }}
secure-cookie: {{ $tls }}
forbidden-page: /templates/access-denied.html.tmpl
listen: 0.0.0.0:8080
enable-refresh-tokens: true
tls-cert:
Expand All @@ -31,6 +32,43 @@ data:
skip-openid-provider-tls-verify: true
{{- end }}
cacert.crt: {{ .files.Get "resources/certs/cacert.crt" | quote }}
access-denied.html.tmpl: |-
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>403 - Access Forbidden</title>
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">
<script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
<style>
.oops {
font-size: 9em;
letter-spacing: 2px;
}
.message {
font-size: 3em;
}
</style>
</head>
<body>
<div class="container text-center">
<div class="row vcenter" style="margin-top: 20%;">
<div class="col-md-12">
<div class="error-template">
<h1 class="oops">Oops!</h1>
<h2 class="message">403 Permission Denied</h2>
<div class="error-details">
Sorry, you do not have access to this page, please contact your administrator.
If you have been assigned new authorizations try to <a href="/oauth/logout?redirect=/">login again</a>.
</div>
</div>
</div>
</div>
</div>
</body>
</html>
---
apiVersion: v1
kind: Service
Expand Down Expand Up @@ -65,17 +103,12 @@ spec:
{{ include "deploy_utils.etcHosts" .root | indent 6 }}
containers:
- name: {{ .app.harness.service.name | quote }}
image: "gcr.io/metacellllc/louketo-proxy:1.0.0"
image: "quay.io/gogatekeeper/gatekeeper:1.3.8"
imagePullPolicy: IfNotPresent
{{ if .root.Values.local }}
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
command:
- "/bin/bash"
- "-c"
args:
- "sleep 10 && /bin/update-ca-trust force enable && /bin/update-ca-trust && /opt/louketo/louketo-proxy"
{{- end }}
env:
- name: PROXY_CONFIG_FILE
Expand All @@ -87,6 +120,9 @@ spec:
- name: "{{ .app.harness.service.name }}-gk-proxy-config"
mountPath: /etc/pki/ca-trust/source/anchors/cacert.crt
subPath: cacert.crt
- name: "{{ .app.harness.service.name }}-gk-proxy-config"
mountPath: /templates/access-denied.html.tmpl
subPath: access-denied.html.tmpl
ports:
- name: http
containerPort: 8080
43 changes: 31 additions & 12 deletions tools/cloudharness_utilities/utils.py
@@ -1,3 +1,4 @@
import socket
import glob
import subprocess
import os
Expand All @@ -23,6 +24,7 @@ def image_name_from_dockerfile_path(dockerfile_path, base_name=None):
def app_name_from_path(dockerfile_path):
return "-".join(p for p in dockerfile_path.split("/") if p not in NEUTRAL_PATHS)


def get_sub_paths(base_path):
return tuple(path for path in glob.glob(base_path + "/*") if os.path.isdir(path))

Expand All @@ -49,9 +51,16 @@ def env_variable(name, value):


def get_cluster_ip():
out = subprocess.check_output(['kubectl', 'cluster-info'], timeout=10).decode("utf-8")
out = subprocess.check_output(
['kubectl', 'cluster-info'], timeout=10).decode("utf-8")
ip = out.split('\n')[0].split('://')[1].split(':')[0]
return ip
return ip if not "kubernetes.docker.internal" == ip else get_host_address()


def get_host_address():
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
return s.getsockname()[0]


def robust_load_json(json_path):
Expand All @@ -67,7 +76,8 @@ def robust_load_json(json_path):


def get_json_template(json_path, base_default=False):
default_template_path = os.path.join(HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(json_path))
default_template_path = os.path.join(
HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(json_path))
dict_template = {}
if base_default and os.path.exists(default_template_path):
dict_template = robust_load_json(default_template_path)
Expand All @@ -79,7 +89,8 @@ def get_json_template(json_path, base_default=False):


def get_template(yaml_path, base_default=False):
default_template_path = os.path.join(HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(yaml_path))
default_template_path = os.path.join(
HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(yaml_path))
dict_template = {}
if base_default and os.path.exists(default_template_path):
with open(default_template_path) as f:
Expand Down Expand Up @@ -111,7 +122,8 @@ def replaceindir(root_src_dir, source, replace):
for dirname in dirs:
if source in dirname:
dirpath = os.path.join(src_dir, dirname)
movedircontent(dirpath, dirpath.replace(source, to_python_module(replace)))
movedircontent(dirpath, dirpath.replace(
source, to_python_module(replace)))

for src_dir, dirs, files in os.walk(root_src_dir):
for file_ in files:
Expand Down Expand Up @@ -154,7 +166,8 @@ def copymergedir(root_src_dir, root_dst_dir):
try:
shutil.copy(src_file, dst_dir)
except:
logging.warning("Error copying file %s to %s.", src_file, dst_dir)
logging.warning("Error copying file %s to %s.",
src_file, dst_dir)


def movedircontent(root_src_dir, root_dst_dir):
Expand All @@ -164,7 +177,8 @@ def movedircontent(root_src_dir, root_dst_dir):
:param root_dst_dir:
:return:
"""
logging.info('Moving directory content from %s to %s', root_src_dir, root_dst_dir)
logging.info('Moving directory content from %s to %s',
root_src_dir, root_dst_dir)
for src_dir, dirs, files in os.walk(root_src_dir):
dst_dir = src_dir.replace(root_src_dir, root_dst_dir, 1)
if not os.path.exists(dst_dir):
Expand All @@ -174,17 +188,20 @@ def movedircontent(root_src_dir, root_dst_dir):
dst_file = os.path.join(dst_dir, file_)

try:
shutil.move(src_file, os.path.join(dst_dir, os.path.basename(src_file)))
shutil.move(src_file, os.path.join(
dst_dir, os.path.basename(src_file)))
except:
logging.warning("Error moving file %s to %s.", src_file, dst_dir, exc_info=True)
logging.warning("Error moving file %s to %s.",
src_file, dst_dir, exc_info=True)
shutil.rmtree(root_src_dir)


def merge_configuration_directories(source, dest):
if not os.path.exists(source):
return
if not os.path.exists(dest):
shutil.copytree(source, dest, ignore=shutil.ignore_patterns(*EXCLUDE_PATHS))
shutil.copytree(
source, dest, ignore=shutil.ignore_patterns(*EXCLUDE_PATHS))
return

for src_dir, dirs, files in os.walk(source):
Expand All @@ -205,7 +222,8 @@ def merge_configuration_directories(source, dest):

try:
merge_yaml_files(fpath, fdest)
logging.info(f"Merged/overridden file content of {fdest} with {fpath}")
logging.info(
f"Merged/overridden file content of {fdest} with {fpath}")
except yaml.YAMLError as e:
logging.warning(f"Overwriting file {fdest} with {fpath}")
shutil.copy2(fpath, fdest)
Expand All @@ -229,7 +247,8 @@ def merge_to_yaml_file(content_src, fdest):
with open(fdest) as f:
content_dest = yaml.safe_load(f)

merged = dict_merge(content_dest, content_src) if content_dest else content_src
merged = dict_merge(
content_dest, content_src) if content_dest else content_src

if not os.path.exists(os.path.dirname(fdest)):
os.makedirs(os.path.dirname(fdest))
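Review bot: In `get_host_address` (hunk `@@ -49,9 +51,16 @@`) the UDP socket is never closed, and `s.connect(("8.8.8.8", 80))` raises `OSError` on a host with no route to that address, so a descriptor leaks on every successful call and the error propagates out of `get_cluster_ip` unhandled in the docker-desktop fallback path. I would make the socket a context manager and keep the body otherwise as is: `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:` / `s.connect(("8.8.8.8", 80))` / `return s.getsockname()[0]`, and in `get_cluster_ip` catch `OSError` around the fallback call and re-raise with a message that names the `kubernetes.docker.internal` case so the failure is attributable. A one-line docstring would also help, e.g. `"""Return the IPv4 address this host uses for outbound traffic (UDP connect sends no packet)."""`, since nothing in the function says why 8.8.8.8 appears. The `"kubernetes.docker.internal" == ip` comparison is correct but reads more naturally as `ip == "kubernetes.docker.internal"`.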
