Skip to content

Feature/k8s token authentication #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 48 commits into
base: main
Choose a base branch
from
Open

Feature/k8s token authentication #64

wants to merge 48 commits into from

Conversation

@nurtai325
Copy link

@nurtai325 nurtai325 commented Aug 22, 2025

No description provided.

@nurtai325 nurtai325 requested a review from lis0x90 as a code owner August 22, 2025 12:58
@github-actions
Copy link

github-actions bot commented Aug 22, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@nurtai325
Copy link
Author

nurtai325 commented Aug 26, 2025

I have read the CLA Document and I hereby sign the CLA

nurtai325 and others added 19 commits August 26, 2025 17:19
@nurtai325
rename service.AuthService.IsAccessGranted to IsAccessGrantedWithBasic
ebb226b
@nurtai325
oidc: remove using ca.crt from kubernetes and always use token. infer
7063834 
issuer from the token
@nurtai325
oidc: get issuer from the service account token mounted
f87b0f6
@nurtai325
oidc: remove function for inferring whether to use secure client or not
a3d5257 
looking at issuer url
@nurtai325
auth: refactor SecurityMiddleware with regexes
b22b36f
@nurtai325
server.go: comment out creating oidc verifier
b8bda8a
@nurtai325
server.go: uncomment creating oidc verifier
6ece949
@nurtai325
oidc: place tokendir to config so we can override it
42a036a
@nurtai325
oidc: remove kubernetes.oidc.tokendir config value
8f4a008
@nurtai325
oidc: fix integration tests by making a mock oidc server test contain…
2f595a6 
…er at startup
@nurtai325
oidc: when inferring issuer from kubernetes token accept tokens with
7850c08 
none alg
@nurtai325
oidc: add default constructors to kubernetes.oidc.fileTokenSource and
fd80b6a 
kubernetes.oidc.Verifier
@nurtai325
oidc: for integration testing make a testcontainer with oidc-server
712a9fb
@nurtai325
oidc: in integration tests use dex oidc server instead of custom server
595e0b1
@nurtai325
oidc: rename package logger
9452140
@nurtai325
update Dockerfile base image version to 1.2.0
2801bc6
@nurtai325
Merge branch 'main' into feature/k8s-token-authentication
b7987a7
@nurtai325
fix: go.mod
169f664
@nurtai325
Merge branch 'main' into feature/k8s-token-authentication
61b368b
@lis0x90 lis0x90 requested a review from Smet2133 October 3, 2025 07:24
@nurtai325 nurtai325 marked this pull request as draft October 3, 2025 10:05
@github-actions github-actions bot added the enhancement New feature or request label Oct 14, 2025
@nurtai325 nurtai325 marked this pull request as ready for review October 14, 2025 15:01
@Netcracker Netcracker deleted a comment from sonarqubecloud bot Oct 14, 2025
@nurtai325 nurtai325 force-pushed the feature/k8s-token-authentication branch from da0c408 to 6f92c54 Compare October 15, 2025 06:15
@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 15, 2025

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
84.4% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Smet2133
Smet2133 reviewed Oct 17, 2025
View reviewed changes
maas-integration-tests/src/test/resources/dex-config.yaml
http: 0.0.0.0:5556

telemetry:
http: 0.0.0.0:5558
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this port used?

maas-integration-tests/src/test/resources/dex-config.yaml
http: 0.0.0.0:5558

grpc:
addr: 0.0.0.0:5557
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this port used?

maas-integration-tests/src/test/resources/dex-config.yaml
issuer: http://oidc-server:5556/dex

storage:
type: sqlite3
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need sqlite3 for tests?

maas-integration-tests/src/test/resources/dex-config.yaml
grpc:
addr: 0.0.0.0:5557

connectors:
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do we mock?

maas-integration-tests/src/test/java/org/qubership/it/maas/AbstractMaasWithInitsIT.java
)
.withNetwork(TEST_NETWORK)
.withExposedPorts(8080)
.withCopyFileToContainer(MountableFile.forHostPath(oidcTokenTempFile.toAbsolutePath()), "/var/run/secrets/kubernetes.io/serviceaccount/token")
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where are the actual tests that use new auth ?

Copy link
Author

@nurtai325 nurtai325 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is added because when application starts it looks for token and makes OIDC discovery. and this is added to prevent app from crashing at start in tests

maas/maas-service/controller/controller_common_funcs.go
account = serviceAccount
default:
if slices.Contains(roles, model.AnonymousRole) {
log.WarnC(userCtx, "Anonymous access will be dropped in future releases for: %s", ctx.OriginalURL())
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code duplication. just check if the role == AnonymousRole in the beginning and skip other steps

maas/maas-service/controller/account_controller.go

log.InfoC(ctx, "Received request on create one more manage account")
if _, err := a.service.IsAccessGranted(ctx, username, password, model.ManagerAccountNamespace, []model.RoleName{model.ManagerRole}); err != nil {
if _, err := a.service.IsAccessGrantedWithBasic(ctx, username, password, model.ManagerAccountNamespace, []model.RoleName{model.ManagerRole}); err != nil {
Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so we have no option to create manager accounts with token? how can we deprecate the basic auth approach then?

Copy link
Contributor

@Smet2133 Smet2133 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about client account for deployer v3?

Copy link
Author

@nurtai325 nurtai325 Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is not decided yet. it will be decided when maas becomes an operator. see stage 3 here. https://bass.netcracker.com/display/CPSEC/M2M+MaaS+Design

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Smet2133 Smet2133 Smet2133 left review comments

@lis0x90 lis0x90 Awaiting requested review from lis0x90 lis0x90 is a code owner

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nurtai325 @Smet2133