cryostatio · ebaron · Aug 26, 2022 · Aug 17, 2022 · Aug 18, 2022 · Aug 18, 2022
diff --git a/api/v1beta1/cryostat_types.go b/api/v1beta1/cryostat_types.go
@@ -90,6 +90,10 @@ type CryostatSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Resources ResourceConfigList `json:"resources,omitempty"`
+	// A permission mapping from Cryostat resources to Kubernetes resources used for authorization.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	AuthProperties AuthPropertiesConfigMap `json:"authProperties,omitempty"`
 }
 
 type ResourceConfigList struct {
@@ -402,3 +406,12 @@ type TemplateConfigMap struct {
 	// Filename within config map containing the template file
 	Filename string `json:"filename"`
 }
+
+// A ConfigMap containing a permission mapping between Cryostat resources to Kubernetes resources.
+type AuthPropertiesConfigMap struct {
+	// Name of config map in the local namespace.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:ConfigMap"}
+	ConfigMapName string `json:"configMapName"`
+	// Filename within config map containing the resource mapping.
+	Filename string `json:"filename"`
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -120,6 +120,15 @@ spec:
         name: ""
         version: v1
       specDescriptors:
+      - description: A permission mapping from Cryostat resources to Kubernetes resources
+          used for authorization.
+        displayName: Auth Properties
+        path: authProperties
+      - description: Name of config map in the local namespace.
+        displayName: Config Map Name
+        path: authProperties.configMapName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
       - description: Use cert-manager to secure in-cluster communication between Cryostat
           components. Requires cert-manager to be installed.
         displayName: Enable cert-manager Integration

diff --git a/bundle/manifests/operator.cryostat.io_cryostats.yaml b/bundle/manifests/operator.cryostat.io_cryostats.yaml
@@ -43,6 +43,21 @@ spec:
           spec:
             description: CryostatSpec defines the desired state of Cryostat
             properties:
+              authProperties:
+                description: A permission mapping from Cryostat resources to Kubernetes
+                  resources used for authorization.
+                properties:
+                  configMapName:
+                    description: Name of config map in the local namespace.
+                    type: string
+                  filename:
+                    description: Filename within config map containing the resource
+                      mapping.
+                    type: string
+                required:
+                - configMapName
+                - filename
+                type: object
               enableCertManager:
                 description: Use cert-manager to secure in-cluster communication between
                   Cryostat components. Requires cert-manager to be installed.

diff --git a/config/crd/bases/operator.cryostat.io_cryostats.yaml b/config/crd/bases/operator.cryostat.io_cryostats.yaml
@@ -44,6 +44,21 @@ spec:
           spec:
             description: CryostatSpec defines the desired state of Cryostat
             properties:
+              authProperties:
+                description: A permission mapping from Cryostat resources to Kubernetes
+                  resources used for authorization.
+                properties:
+                  configMapName:
+                    description: Name of config map in the local namespace.
+                    type: string
+                  filename:
+                    description: Filename within config map containing the resource
+                      mapping.
+                    type: string
+                required:
+                - configMapName
+                - filename
+                type: object
               enableCertManager:
                 description: Use cert-manager to secure in-cluster communication between
                   Cryostat components. Requires cert-manager to be installed.

diff --git a/config/manifests/bases/cryostat-operator.clusterserviceversion.yaml b/config/manifests/bases/cryostat-operator.clusterserviceversion.yaml
@@ -108,6 +108,15 @@ spec:
         name: ""
         version: v1
       specDescriptors:
+      - description: A permission mapping from Cryostat resources to Kubernetes resources
+          used for authorization.
+        displayName: Auth Properties
+        path: authProperties
+      - description: Name of config map in the local namespace.
+        displayName: Config Map Name
+        path: authProperties.configMapName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
       - description: Use cert-manager to secure in-cluster communication between Cryostat
           components. Requires cert-manager to be installed.
         displayName: Enable cert-manager Integration

diff --git a/docs/config.md b/docs/config.md
@@ -267,3 +267,37 @@ spec:
     targetCacheSize: -1
     targetCacheTTL: 10
 ```
+
+
+### Authorization Properties
+
+When running on Openshift, the user is required to have sufficient permissions to certain resources that
+are mapped into Cryostat-managed resources for authorization.
+
+The mappings can be specified using a ConfigMap that is compatible with [`OpenShiftAuthManager.properties`](https://github.com/cryostatio/cryostat/blob/main/src/main/resources/io/cryostat/net/openshift/OpenShiftAuthManager.properties). For example:
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: auth-properties
+data:  
+  auth.properties: |
+    TARGET=pods,deployments.apps
+    RECORDING=pods,pods/exec
+    CERTIFICATE=deployments.apps,pods,cryostats.operator.cryostat.io
+    CREDENTIALS=cryostats.operator.cryostat.io
+```
+
+The property `.spec.authProperties` can then be set to this ConfigMap to configure Cryostat to use this mapping instead of the default ones.
+```yaml
+apiVersion: operator.cryostat.io/v1beta1
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  authProperties:
+    configMapName: auth-properties
+    filename: auth.properties
+```
+
+Each `configMapName` must refer to the name of a Config Map in the same namespace as Cryostat. The corresponding `filename` must be a key within that Config Map containting resource mappings.
diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go
@@ -351,6 +351,28 @@ func NewPodForCR(cr *operatorv1beta1.Cryostat, specs *ServiceSpecs, imageTags *I
 		volumes = append(volumes, eventTemplateVolume)
 	}
 
+	// Add Auth properties as a volume if specified
+	if cr.Spec.AuthProperties != (operatorv1beta1.AuthPropertiesConfigMap{}) {
+		authResourceVolume := corev1.Volume{
+			Name: "auth-properties-" + cr.Spec.AuthProperties.ConfigMapName,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: cr.Spec.AuthProperties.ConfigMapName,
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  cr.Spec.AuthProperties.Filename,
+							Path: "OpenShiftAuthManager.properties",
+							Mode: &readOnlyMode,
+						},
+					},
+				},
+			},
+		}
+		volumes = append(volumes, authResourceVolume)
+	}
+
 	// Ensure PV mounts are writable
 	sc := &corev1.PodSecurityContext{
 		FSGroup: &fsGroup,
@@ -498,6 +520,7 @@ func NewCoreContainer(cr *operatorv1beta1.Cryostat, specs *ServiceSpecs, imageTa
 	templatesPath := "/opt/cryostat.d/templates.d"
 	clientlibPath := "/opt/cryostat.d/clientlib.d"
 	probesPath := "/opt/cryostat.d/probes.d"
+	authPropertiesPath := "/app/resources/io/cryostat/net/openshift/OpenShiftAuthManager.properties"
 	envs := []corev1.EnvVar{
 		{
 			Name:  "CRYOSTAT_WEB_PORT",
@@ -669,6 +692,16 @@ func NewCoreContainer(cr *operatorv1beta1.Cryostat, specs *ServiceSpecs, imageTa
 		},
 	}
 
+	// Mount Auth properties if specified
+	if cr.Spec.AuthProperties != (operatorv1beta1.AuthPropertiesConfigMap{}) {
+		mounts = append(mounts, corev1.VolumeMount{
+			Name:      "auth-properties-" + cr.Spec.AuthProperties.ConfigMapName,
+			MountPath: authPropertiesPath,
+			SubPath:   "OpenShiftAuthManager.properties",
+			ReadOnly:  true,
+		})
+	}
+
 	if !cr.Spec.Minimal {
 		grafanaVars := []corev1.EnvVar{
 			{

diff --git a/internal/controllers/cryostat_controller_test.go b/internal/controllers/cryostat_controller_test.go
@@ -1297,6 +1297,17 @@ var _ = Describe("CryostatController", func() {
 				})
 			})
 		})
+		Context("Cryostat CR has OAuth properties", func() {
+			BeforeEach(func() {
+				t.objs = append(t.objs, test.NewCryostatWithAuthProperties(), test.NewAuthPropertiesConfigMap())
+			})
+			JustBeforeEach(func() {
+				t.reconcileCryostatFully()
+			})
+			It("Should add volumes and volumeMounts to deployment", func() {
+				t.checkDeploymentHasOAuthProperties()
+			})
+		})
 	})
 	Describe("reconciling a request in Kubernetes", func() {
 		JustBeforeEach(func() {
@@ -1418,6 +1429,17 @@ var _ = Describe("CryostatController", func() {
 				Expect(kerrors.IsNotFound(err)).To(BeTrue())
 			})
 		})
+		Context("Cryostat CR has OAuth properties", func() {
+			BeforeEach(func() {
+				t.objs = append(t.objs, test.NewCryostatWithAuthProperties(), test.NewAuthPropertiesConfigMap())
+			})
+			JustBeforeEach(func() {
+				t.reconcileCryostatFully()
+			})
+			It("Should add volumes and volumeMounts to deployment", func() {
+				t.checkDeploymentHasOAuthProperties()
+			})
+		})
 	})
 })
 
@@ -2053,6 +2075,20 @@ func (t *cryostatTestInput) checkDeploymentHasTemplates() {
 	Expect(volumeMounts).To(Equal(expectedVolumeMounts))
 }
 
+func (t *cryostatTestInput) checkDeploymentHasOAuthProperties() {
+	deployment := &appsv1.Deployment{}
+	err := t.Client.Get(context.Background(), types.NamespacedName{Name: "cryostat", Namespace: "default"}, deployment)
+	Expect(err).ToNot(HaveOccurred())
+
+	volumes := deployment.Spec.Template.Spec.Volumes
+	expectedVolumes := test.NewVolumeWithAuthProperties(t.TLS)
+	Expect(volumes).To(ConsistOf(expectedVolumes))
+
+	volumeMounts := deployment.Spec.Template.Spec.Containers[0].VolumeMounts
+	expectedVolumeMounts := test.NewVolumeMountsWithAuthProperties(t.TLS)
+	Expect(volumeMounts).To(ConsistOf(expectedVolumeMounts))
+}
+
 func checkCoreContainer(container *corev1.Container, minimal bool, tls bool, externalTLS bool,
 	tag *string, openshift bool, reportsUrl string, resources corev1.ResourceRequirements) {
 	Expect(container.Name).To(Equal("cryostat"))

diff --git a/internal/test/resources.go b/internal/test/resources.go
@@ -369,6 +369,15 @@ func NewCryostatWithResources() *operatorv1beta1.Cryostat {
 	return cr
 }
 
+func NewCryostatWithAuthProperties() *operatorv1beta1.Cryostat {
+	cr := NewCryostat()
+	cr.Spec.AuthProperties = operatorv1beta1.AuthPropertiesConfigMap{
+		ConfigMapName: "authConfigMapName",
+		Filename:      "auth.properties",
+	}
+	return cr
+}
+
 func newPVCSpec(storageClass string, storageRequest string,
 	accessModes ...corev1.PersistentVolumeAccessMode) *corev1.PersistentVolumeClaimSpec {
 	return &corev1.PersistentVolumeClaimSpec{
@@ -1576,6 +1585,16 @@ func NewVolumeMountsWithTemplates(tls bool) []corev1.VolumeMount {
 		})
 }
 
+func NewVolumeMountsWithAuthProperties(tls bool) []corev1.VolumeMount {
+	return append(NewCoreVolumeMounts(tls),
+		corev1.VolumeMount{
+			Name:      "auth-properties-authConfigMapName",
+			ReadOnly:  true,
+			MountPath: "/app/resources/io/cryostat/net/openshift/OpenShiftAuthManager.properties",
+			SubPath:   "OpenShiftAuthManager.properties",
+		})
+}
+
 func NewCoreLivenessProbe(tls bool) *corev1.Probe {
 	return &corev1.Probe{
 		ProbeHandler: newCoreProbeHandler(tls),
@@ -1781,6 +1800,29 @@ func NewVolumesWithTemplates(tls bool) []corev1.Volume {
 		})
 }
 
+func NewVolumeWithAuthProperties(tls bool) []corev1.Volume {
+	readOnlyMode := int32(0440)
+	return append(NewVolumes(false, tls),
+		corev1.Volume{
+			Name: "auth-properties-authConfigMapName",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: "authConfigMapName",
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "auth.properties",
+							Path: "OpenShiftAuthManager.properties",
+							Mode: &readOnlyMode,
+						},
+					},
+				},
+			},
+		},
+	)
+}
+
 func newVolumes(minimal bool, tls bool, certProjections []corev1.VolumeProjection) []corev1.Volume {
 	readOnlymode := int32(0440)
 	volumes := []corev1.Volume{
@@ -2254,6 +2296,18 @@ func NewOtherTemplateConfigMap() *corev1.ConfigMap {
 	}
 }
 
+func NewAuthPropertiesConfigMap() *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "authConfigMapName",
+			Namespace: "default",
+		},
+		Data: map[string]string{
+			"auth.properties": "CRYOSTAT_RESOURCE=K8S_RESOURCE\nANOTHER_CRYOSTAT_RESOURCE=ANOTHER_K8S_RESOURCE",
+		},
+	}
+}
+
 func NewNamespace() *corev1.Namespace {
 	return &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{