Feature/344: gatekeeper improvements #379

Merged
merged 4 commits into from
Feb 3, 2022
Expand Up @@ -9,11 +9,12 @@ metadata:
app: "{{ .app.harness.service.name }}-gk"
data:
proxy.yml: |-
verbose: true
verbose: {{ .root.Values.debug }}
discovery-url: {{ ternary "https" "http" $tls}}://{{ .root.Values.apps.accounts.harness.subdomain }}.{{ .root.Values.domain }}/auth/realms/{{ .root.Values.namespace }}
client-id: {{ .root.Values.apps.accounts.webclient.id | quote }}
client-secret: {{ .root.Values.apps.accounts.webclient.secret }}
secure-cookie: {{ $tls }}
forbidden-page: /templates/access-denied.html.tmpl
listen: 0.0.0.0:8080
enable-refresh-tokens: true
tls-cert:
Expand All @@ -31,6 +32,43 @@ data:
skip-openid-provider-tls-verify: true
{{- end }}
cacert.crt: {{ .files.Get "resources/certs/cacert.crt" | quote }}
access-denied.html.tmpl: |-
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>403 - Access Forbidden</title>
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">
<script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
<style>
.oops {
font-size: 9em;
letter-spacing: 2px;
}
.message {
font-size: 3em;
}
</style>
</head>
<body>
<div class="container text-center">
<div class="row vcenter" style="margin-top: 20%;">
<div class="col-md-12">
<div class="error-template">
<h1 class="oops">Oops!</h1>
<h2 class="message">403 Permission Denied</h2>
<div class="error-details">
Sorry, you do not have access to this page, please contact your administrator.
If you have been assigned new authorizations try to <a href="/oauth/logout?redirect=/">login again</a>.
</div>
</div>
</div>
</div>
</div>

</body>
</html>
---
apiVersion: v1
kind: Service
Expand Down Expand Up @@ -65,17 +103,12 @@ spec:
{{ include "deploy_utils.etcHosts" .root | indent 6 }}
containers:
- name: {{ .app.harness.service.name | quote }}
image: "gcr.io/metacellllc/louketo-proxy:1.0.0"
image: "quay.io/gogatekeeper/gatekeeper:1.3.8"
imagePullPolicy: IfNotPresent
{{ if .root.Values.local }}
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
command:
- "/bin/bash"
- "-c"
args:
- "sleep 10 && /bin/update-ca-trust force enable && /bin/update-ca-trust && /opt/louketo/louketo-proxy"
{{- end }}
env:
- name: PROXY_CONFIG_FILE
Expand All @@ -87,6 +120,9 @@ spec:
- name: "{{ .app.harness.service.name }}-gk-proxy-config"
mountPath: /etc/pki/ca-trust/source/anchors/cacert.crt
subPath: cacert.crt
- name: "{{ .app.harness.service.name }}-gk-proxy-config"
mountPath: /templates/access-denied.html.tmpl
subPath: access-denied.html.tmpl
ports:
- name: http
containerPort: 8080
43 changes: 31 additions & 12 deletions tools/cloudharness_utilities/utils.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import socket
import glob
import subprocess
import os
Expand All @@ -23,6 +24,7 @@ def image_name_from_dockerfile_path(dockerfile_path, base_name=None):
def app_name_from_path(dockerfile_path):
return "-".join(p for p in dockerfile_path.split("/") if p not in NEUTRAL_PATHS)


def get_sub_paths(base_path):
return tuple(path for path in glob.glob(base_path + "/*") if os.path.isdir(path))

Expand All @@ -49,9 +51,16 @@ def env_variable(name, value):


def get_cluster_ip():
out = subprocess.check_output(['kubectl', 'cluster-info'], timeout=10).decode("utf-8")
out = subprocess.check_output(
['kubectl', 'cluster-info'], timeout=10).decode("utf-8")
ip = out.split('\n')[0].split('://')[1].split(':')[0]
return ip
return ip if not "kubernetes.docker.internal" == ip else get_host_address()


def get_host_address():
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
return s.getsockname()[0]


def robust_load_json(json_path):
Expand All @@ -67,7 +76,8 @@ def robust_load_json(json_path):


def get_json_template(json_path, base_default=False):
default_template_path = os.path.join(HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(json_path))
default_template_path = os.path.join(
HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(json_path))
dict_template = {}
if base_default and os.path.exists(default_template_path):
dict_template = robust_load_json(default_template_path)
Expand All @@ -79,7 +89,8 @@ def get_json_template(json_path, base_default=False):


def get_template(yaml_path, base_default=False):
default_template_path = os.path.join(HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(yaml_path))
default_template_path = os.path.join(
HERE, DEPLOYMENT_CONFIGURATION_PATH, os.path.basename(yaml_path))
dict_template = {}
if base_default and os.path.exists(default_template_path):
with open(default_template_path) as f:
Expand Down Expand Up @@ -111,7 +122,8 @@ def replaceindir(root_src_dir, source, replace):
for dirname in dirs:
if source in dirname:
dirpath = os.path.join(src_dir, dirname)
movedircontent(dirpath, dirpath.replace(source, to_python_module(replace)))
movedircontent(dirpath, dirpath.replace(
source, to_python_module(replace)))

for src_dir, dirs, files in os.walk(root_src_dir):
for file_ in files:
Expand Down Expand Up @@ -154,7 +166,8 @@ def copymergedir(root_src_dir, root_dst_dir):
try:
shutil.copy(src_file, dst_dir)
except:
logging.warning("Error copying file %s to %s.", src_file, dst_dir)
logging.warning("Error copying file %s to %s.",
src_file, dst_dir)


def movedircontent(root_src_dir, root_dst_dir):
Expand All @@ -164,7 +177,8 @@ def movedircontent(root_src_dir, root_dst_dir):
:param root_dst_dir:
:return:
"""
logging.info('Moving directory content from %s to %s', root_src_dir, root_dst_dir)
logging.info('Moving directory content from %s to %s',
root_src_dir, root_dst_dir)
for src_dir, dirs, files in os.walk(root_src_dir):
dst_dir = src_dir.replace(root_src_dir, root_dst_dir, 1)
if not os.path.exists(dst_dir):
Expand All @@ -174,17 +188,20 @@ def movedircontent(root_src_dir, root_dst_dir):
dst_file = os.path.join(dst_dir, file_)

try:
shutil.move(src_file, os.path.join(dst_dir, os.path.basename(src_file)))
shutil.move(src_file, os.path.join(
dst_dir, os.path.basename(src_file)))
except:
logging.warning("Error moving file %s to %s.", src_file, dst_dir, exc_info=True)
logging.warning("Error moving file %s to %s.",
src_file, dst_dir, exc_info=True)
shutil.rmtree(root_src_dir)


def merge_configuration_directories(source, dest):
if not os.path.exists(source):
return
if not os.path.exists(dest):
shutil.copytree(source, dest, ignore=shutil.ignore_patterns(*EXCLUDE_PATHS))
shutil.copytree(
source, dest, ignore=shutil.ignore_patterns(*EXCLUDE_PATHS))
return

for src_dir, dirs, files in os.walk(source):
Expand All @@ -205,7 +222,8 @@ def merge_configuration_directories(source, dest):

try:
merge_yaml_files(fpath, fdest)
logging.info(f"Merged/overridden file content of {fdest} with {fpath}")
logging.info(
f"Merged/overridden file content of {fdest} with {fpath}")
except yaml.YAMLError as e:
logging.warning(f"Overwriting file {fdest} with {fpath}")
shutil.copy2(fpath, fdest)
Expand All @@ -229,7 +247,8 @@ def merge_to_yaml_file(content_src, fdest):
with open(fdest) as f:
content_dest = yaml.safe_load(f)

merged = dict_merge(content_dest, content_src) if content_dest else content_src
merged = dict_merge(
content_dest, content_src) if content_dest else content_src

if not os.path.exists(os.path.dirname(fdest)):
os.makedirs(os.path.dirname(fdest))
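Review bot: `get_host_address` never closes the UDP socket it opens, so every `get_cluster_ip` call on a Docker Desktop host (where the parsed name is `kubernetes.docker.internal`) leaks a file descriptor; make the socket a context manager, `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:` / `s.connect(("8.8.8.8", 80))` / `return s.getsockname()[0]`. `connect` on a datagram socket sends nothing, but it does perform a route lookup, so on a host with no route to 8.8.8.8 it raises `OSError` and `get_cluster_ip` now fails where it previously returned the parsed name; a short docstring stating that the call only discovers the address of the outbound interface and that the address chosen may differ from the one the cluster actually uses on multi-homed hosts would save the next reader a guess. As a point of style, `return ip if ip != "kubernetes.docker.internal" else get_host_address()` reads more naturally than `not "kubernetes.docker.internal" == ip`.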