Controller authorization

charts/aserto-lib/templates/_config.tpl

@@ -32,43 +32,20 @@ valueFrom:
 {{- end }}
 
 
-{{- define "aserto-lib.controllerReadKeyEnv" -}}
-{{- with include "aserto-lib.controllerClientCfg" . | fromYaml -}}
-{{ include "aserto-lib.dsApiKeyEnv" (list . "read" "controller-keys") }}
+{{- define "aserto-lib.controllerKeyEnv" -}}
+{{- $scope := first . -}}
+{{- $keyType := last . -}}
+{{- with include "aserto-lib.controllerClientCfg" $scope | fromYaml -}}
+{{ include "aserto-lib.dsApiKeyEnv" (list . $keyType "controller-keys") }}
 {{- end }}
 {{- end }}
 
 
-{{- define "aserto-lib.controllerWriteKeyEnv" -}}
-{{- with include "aserto-lib.controllerClientCfg" . | fromYaml -}}
-{{ include "aserto-lib.dsApiKeyEnv" (list . "write" "controller-keys") }}
-{{- end }}
-{{- end }}
-
-
-{{- define "aserto-lib.controllerStoreKeyEnv" -}}
-{{- with include "aserto-lib.controllerClientCfg" . | fromYaml -}}
-{{ include "aserto-lib.dsApiKeyEnv" (list . "store" "controller-keys") }}
-{{- end }}
-{{- end }}
-
-{{- define "aserto-lib.directoryReadKeyEnv" -}}
-{{- with include "aserto-lib.directoryClientCfg" . | fromYaml -}}
-{{ include "aserto-lib.dsApiKeyEnv" (list . "read" "directory-keys") }}
-{{- end }}
-{{- end }}
-
-
-{{- define "aserto-lib.directoryWriteKeyEnv" -}}
-{{- with include "aserto-lib.directoryClientCfg" . | fromYaml -}}
-{{ include "aserto-lib.dsApiKeyEnv" (list . "write" "directory-keys") }}
-{{- end }}
-{{- end }}
-
-
-{{- define "aserto-lib.directoryStoreKeyEnv" -}}
-{{- with include "aserto-lib.directoryClientCfg" . | fromYaml -}}
-{{ include "aserto-lib.dsApiKeyEnv" (list . "store" "directory-keys") }}
+{{- define "aserto-lib.directoryKeyEnv" -}}
+{{- $scope := first . -}}
+{{- $keyType := last . -}}
+{{- with include "aserto-lib.directoryClientCfg" $scope | fromYaml -}}
+{{ include "aserto-lib.dsApiKeyEnv" (list . $keyType "directory-keys") }}
 {{- end }}
 {{- end }}
 

charts/aserto/values.yaml

@@ -46,11 +46,12 @@ global:
       # # Address and port of the controller's gRPC service.
       # # Default: controller.<namespace>.svc.cluster.local:8282
       # address: ""
-      # # [Optiona] Controller API keys. All three fields are required.
+      # # [Optiona] Controller API keys. All fields are required.
       # apiKeys:
       #   read: ""
       #   write: ""
-      #   store: ""
+      #   readStore: ""
+      #   writeStore: ""
       # # [Optional] Kubernetes secret containing the controller's API keys.
       # apiKeysSecret: controller-keys
       # # [Optional] Kubernetes secret containing the CA certificate of the root directory.
@@ -70,7 +71,8 @@ global:
       # apiKeys:
       #   read: ""
       #   write: ""
-      #   store: ""
+      #   readStore: ""
+      #   writeStore: ""
       # # [Optional] Kubernetes secret containing the directory's API keys.
       # apiKeysSecret: directory-keys
       # # [Optional] Kubernetes secret containing the directory's CA certificate.

charts/authorizer/templates/deployment.yaml

@@ -107,8 +107,10 @@ spec:
               readOnly: true
           {{- end }}
           env:
+          {{- with include "aserto-lib.controllerKeyEnv" (list . "read") }}
             - name: AUTHORIZER_DS0_API_KEY
-              {{- include "aserto-lib.controllerReadKeyEnv" . | nindent 14 }}
+              {{- . | nindent 14 }}
+          {{- end }}
 
           {{- with .Values.apiKey }}
             - name: AUTHORIZER_ROOT_KEY
@@ -118,7 +120,7 @@ spec:
                   key: {{ .secretKey }}
           {{- end }}
 
-          {{- with include "aserto-lib.directoryReadKeyEnv" . }}
+          {{- with include "aserto-lib.directoryKeyEnv" (list . "read") }}
             - name: AUTHORIZER_REMOTE_DIRECTORY_API_KEY
               {{- . | nindent 14 }}
           {{- end }}

charts/console/templates/deployment.yaml

@@ -55,7 +55,7 @@ spec:
             - name: DS0_TENANT_ID
               value: {{ .tenant_id }}
             {{- end }}
-            {{- with (include "aserto-lib.controllerStoreKeyEnv" .) }}
+            {{- with include "aserto-lib.controllerKeyEnv" (list . "read") }}
             - name: DS0_ROOT_KEY
               {{- . | nindent 14 }}
             {{- end }}

charts/controller/templates/api_keys.yaml

@@ -1,8 +1,8 @@
 {{- $cfg := include "aserto-lib.controllerClientCfg" . | fromYaml -}}
 
 {{- with $cfg.apiKeys -}}
-{{- if list .read .write .store | has nil -}}
-    {{- fail "controller.apiKeys must include 'read', 'write', and 'store' keys." -}}
+{{- if list .read .write .readStore .writeStore | has nil -}}
+    {{- fail "controller.apiKeys must include 'read', 'write', 'readStore', and 'writeStore' keys." -}}
 {{- end -}}
 {{- end -}}
 
@@ -14,7 +14,7 @@
 {{- else -}}
   {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }}
   {{- if empty $secret | or (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true") -}}
-    {{- range (list "read" "write" "store") -}}
+    {{- range (list "read" "write" "readStore" "writeStore") -}}
       {{- $apiKeys = set $apiKeys . (dig "data" . (randAlphaNum 32 | b64enc) $secret) -}}
     {{- end -}}
   {{- end -}}

charts/controller/templates/config.yaml

@@ -76,22 +76,23 @@ stringData:
       bypass:
         - /grpc.reflection.v1.ServerReflection/ServerReflectionInfo
         - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo
-      bypass_tenants:
-        - {{ include "aserto-lib.controllerTenantID" . }}
+        - /aserto.directory.reader.v3.Reader/Check
     {{- end }}
 
     authentication:
       authenticators_enabled:
         root_key: true
 
-      {{- with include "aserto-lib.oidcConfig" . }}
-        oidc: true
-      {{- end }}
-
       root_keys:
         keys:
-          - key: ${DIRECTORY_CONTROLLER_CLIENT_API_KEY}
-            account: "controller"
+          - key: ${DS_READ_KEY}
+            account: rk:controller:reader
+          - key: ${DS_WRITE_KEY}
+            account: rk:controller:writer
+          - key: ${STORE_READ_KEY}
+            account: rk:controller:store-reader
+          - key: ${STORE_WRITE_KEY}
+            account: rk:controller:store-writer
 
     {{- with include "aserto-lib.oidcConfig" . }}
       oidc:
@@ -106,7 +107,30 @@ stringData:
             anonymous: true
 
         - methods:
-            - /aserto.directory.reader.v3.Reader/Check
+            - /aserto.directory.store.v2.Store/GetTenant
+            - /aserto.directory.store.v2.Store/CreateTenant
+            - /aserto.directory.store.v2.Store/DeleteTenant
+            - /aserto.directory.store.v2.Store/ListTenants
+            - /aserto.directory.store.v2.Store/Info
+            - /aserto.directory.store.v2.Store/ListTenantMembers
+            - /aserto.directory.store.v2.Store/ListUserTenants
+            - /aserto.directory.store.v2.Store/AssignRoleToTenant
+            - /aserto.directory.store.v2.Store/RemoveRoleFromTenant
+            - /aserto.directory.store.v2.Store/ListAPIKeys
+            - /aserto.directory.store.v2.Store/DeleteAPIKey
+            - /aserto.directory.store.v2.Store/CreateAPIKey
+            - /aserto.directory.store.v2.Store/GetAPIKeyIdentity
+            - /aserto.directory.store.v2.Store/GetConfig
+            - /aserto.directory.store.v2.Store/SetConfig
+            - /aserto.directory.store.v2.Store/ListConfigs
+            - /aserto.directory.store.v2.Store/DeleteConfig
+            - /aserto.directory.store.v2.Store/GetSecret
+            - /aserto.directory.store.v2.Store/SetSecret
+            - /aserto.directory.store.v2.Store/ListSecrets
+            - /aserto.directory.store.v2.Store/DeleteSecret
           authenticators_enabled:
             root_key: true
+          {{- with include "aserto-lib.oidcConfig" . }}
+            oidc: true
+          {{- end }}
 

charts/controller/templates/deployment.yaml

@@ -84,11 +84,21 @@ spec:
           {{- end }}
 
           env:
+            {{- with include "aserto-lib.controllerKeyEnv" (list . "write") }}
             - name: DIRECTORY_CONTROLLER_CLIENT_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: controller-keys
-                  key: read
+              {{- . | nindent 14 }}
+            {{- end }}
+
+          {{- range $keyType, $varName := dict
+              "read" "DS_READ_KEY"
+              "write" "DS_WRITE_KEY"
+              "readStore" "STORE_READ_KEY"
+              "writeStore" "STORE_WRITE_KEY" -}}
+            {{- with include "aserto-lib.controllerKeyEnv" (list $ $keyType) }}
+            - name: {{ $varName }}
+              {{- . | nindent 14 }}
+            {{- end }}
+          {{- end }}
 
             {{- with .Values.database }}
             - name: DIRECTORY_DB_WRITER_USER

charts/controller/test/no-tls.values.yaml

@@ -1,6 +1,6 @@
 ---
 image:
-  tag: 0.33.10-bf02896d-amd64
+  tag: 0.33.11-c7bb8373-amd64
 
 imagePullSecrets:
   - name: ghcr-creds

charts/controller/test/tests.yaml

@@ -13,9 +13,10 @@ tests:
           password: controller_reader
       - name: controller-keys
         values:
-          read: controller-read-key
-          write: controller-write-key
-          store: controller-store-key
+          write: apikey_writer
+          read: apikey_reader
+          readStore: apikey_store_reader
+          writeStore: apikey_store_writer
     config_maps:
       - name: controller-admin-keys
         keys:
@@ -25,11 +26,15 @@ tests:
       - chart: controller
         values: no-tls.values.yaml
         ports:
+          2222: 2222
           8282: 8282
     run:
+      - |
+        ssh -i ${SSH_PRIVATE_KEY:-$(ls -1 ~/.ssh/id_* | head -1)} -p 2222 -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
+          localhost provision root-keys
       - |
         ${TOPAZ:-topaz} ds get manifest -H localhost:8282 --tenant-id 00000000-0000-11ef-0000-000000000000 \
-          -k controller-read-key --stdout --plaintext
+          -k apikey_reader --stdout --plaintext
 
   - name: controller-tls
     pull_secret: $GITHUB_TOKEN
@@ -44,9 +49,10 @@ tests:
           password: controller_reader
       - name: controller-keys
         values:
-          read: controller-read-key
-          write: controller-write-key
-          store: controller-store-key
+          write: apikey_writer
+          read: apikey_reader
+          readStore: apikey_store_reader
+          writeStore: apikey_store_writer
       - name: grpc-cert
         files:
           tls.crt: $TOPAZ_CERTS_DIR/grpc.crt
@@ -65,8 +71,12 @@ tests:
       - chart: controller
         values: tls.values.yaml
         ports:
+          2222: 2222
           8282: 8282
     run:
+      - |
+        ssh -i ${SSH_PRIVATE_KEY:-$(ls -1 ~/.ssh/id_* | head -1)} -p 2222 -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
+          localhost provision root-keys
       - |
         ${TOPAZ:-topaz} ds get manifest -H localhost:8282 --tenant-id 00000000-0000-11ef-0000-000000000000 \
-          -k controller-read-key --stdout --insecure
+          -k apikey_reader --stdout --insecure

charts/controller/test/tls.values.yaml

@@ -1,6 +1,6 @@
 ---
 image:
-  tag: 0.33.10-bf02896d-amd64
+  tag: 0.33.11-c7bb8373-amd64
 
 imagePullSecrets:
   - name: ghcr-creds

charts/directory/templates/_helpers.tpl

@@ -81,9 +81,10 @@ Create the name of the service account to use
 {{- end}}
 
 
-{{- define "directory.controllerReadKeyEnv" -}}
-{{- if .Values.controller.enabled -}}
-{{ include "aserto-lib.controllerReadKeyEnv" . }}
+{{- define "directory.controllerKeyEnv" -}}
+{{- $scope := first . -}}
+{{- if $scope.Values.controller.enabled -}}
+{{ include "aserto-lib.controllerKeyEnv" . }}
 {{- end }}
 {{- end }}
 

charts/directory/templates/api_keys.yaml

@@ -1,8 +1,8 @@
 {{- $cfg := include "aserto-lib.directoryClientCfg" . | fromYaml -}}
 
 {{- with $cfg.apiKeys -}}
-{{- if list .read .write .store | has nil -}}
-    {{- fail "directory.apiKeys must include 'read', 'write', and 'store' keys." -}}
+{{- if list .read .write .readStore  .writeStore | has nil -}}
+    {{- fail "directory.apiKeys must include 'read', 'write', 'readStore' and 'writeStore' keys." -}}
 {{- end -}}
 {{- end -}}
 
@@ -14,7 +14,7 @@
 {{- else -}}
   {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }}
   {{- if empty $secret | or (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true") -}}
-    {{- range (list "read" "write" "store") -}}
+    {{- range (list "read" "write" "readStore" "writeStore") -}}
       {{- $apiKeys = set $apiKeys . (dig "data" . (randAlphaNum 32 | b64enc) $secret) -}}
     {{- end -}}
   {{- end -}}

charts/directory/templates/config.yaml

@@ -95,19 +95,27 @@ stringData:
 
       root_keys:
         keys:
-          - key: ${DIRECTORY_DS_WRITE_KEY}
-            account: rk:directory-writer
-          - key: ${DIRECTORY_DS_READ_KEY}
-            account: rk:directory-reader
-          - key: ${DIRECTORY_DS_STORE_KEY}
-            account: rk:directory-store-writer
+          - key: ${DS_READ_KEY}
+            account: rk:directory:reader
+          - key: ${DS_WRITE_KEY}
+            account: rk:directory:writer
+          - key: ${STORE_READ_KEY}
+            account: rk:directory:store-reader
+          - key: ${STORE_WRITE_KEY}
+            account: rk:directory:store-writer
 
 
     {{- with include "aserto-lib.oidcConfig" . }}
       oidc:
         {{- . | nindent 8 }}
     {{- end }}
 
+    {{- if .Values.controller.enabled }}
+      machine_accounts:
+        use_controller_resolver: true
+    {{- end }}
+
+
       override:
         - methods:
             - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo