add authentication policy on deployer

cyrildiagne · Jan 5, 2020 · 660e8e5 · 660e8e5
1 parent 0dfb492
commit 660e8e5
Show file tree

Hide file tree

Showing 9 changed files with 194 additions and 15 deletions.
diff --git a/cli/cmd/deploy.go b/cli/cmd/deploy.go
@@ -107,19 +107,25 @@ func deployWithRemote(manifest *latest.Manifest, dryRun bool) error {
 	url := cfg.Deployer.Remote.DeployerURL
 	req, err := http.NewRequest("POST", url, body)
 	req.Header.Set("Content-Type", writer.FormDataContentType())
+	accessToken := "Bearer " + cfg.Deployer.Remote.User.Token.AccessToken
+	req.Header.Set("Authorization", accessToken)
 
 	client := &http.Client{}
 	resp, err := client.Do(req)
 	if err != nil {
-		panic(err)
+		return err
 	}
 	defer resp.Body.Close()
 
 	// Check response.
 	respBody, _ := ioutil.ReadAll(resp.Body)
 	if resp.StatusCode != 200 {
+		fmt.Println("Sending to deployer returned an error:")
 		fmt.Println(resp.Status)
 		fmt.Println(string(respBody))
+		if resp.StatusCode == 401 {
+			fmt.Println("Try authenticating again running 'kuda init <args>'.")
+		}
 		return fmt.Errorf("error with remote deployer")
 	}
 	fmt.Println(string(respBody))

diff --git a/docs/install_on_gcp.md b/docs/install_on_gcp.md
@@ -45,7 +45,7 @@ You must have a real domain name (not xip.io auto-domain) to enable HTTPS.
 The helper script enables HTTPS using [CloudDNS](#), [Let's Encrypt](#) and [cert-manager](#). Adapt the ClusterIssuer manifest if you are using a different DNS.
 
 ```bash
-export KUDA_PROJECT_ID=your-gcp-project
+export KUDA_GCP_PROJECT=your-gcp-project
 export KUDA_DOMAIN=example.com
 export KUDA_NAMESPACE=default
 export [email protected]

diff --git a/images/deployer/.gitignore b/images/deployer/.gitignore
@@ -1 +1,2 @@
-service.yaml
+service.yaml
+service-workaround.yaml
diff --git a/images/deployer/Dockerfile b/images/deployer/Dockerfile
@@ -12,10 +12,7 @@ COPY go.mod go.sum /go/src/github.com/cyrildiagne/kuda/
 WORKDIR /go/src/github.com/cyrildiagne/kuda
 RUN go mod download
 
-COPY pkg/config /go/src/github.com/cyrildiagne/kuda/pkg/config
-COPY pkg/manifest /go/src/github.com/cyrildiagne/kuda/pkg/manifest
-COPY pkg/utils /go/src/github.com/cyrildiagne/kuda/pkg/utils
-COPY pkg/deployer /go/src/github.com/cyrildiagne/kuda/pkg/deployer
+COPY pkg ./pkg
 WORKDIR /go/src/github.com/cyrildiagne/kuda/pkg/deployer
 RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux go build -installsuffix cgo -o deployer .
 

diff --git a/images/deployer/README.md b/images/deployer/README.md
@@ -24,24 +24,24 @@ docker run --rm \
 ### 1) Create service account and bind roles.
 
 ```bash
-KUDA_PROJECT_ID="your-project-id"
-KUDA_DEPLOYER_SA=kuda-deployer
-KUDA_DEPLOYER_SA_EMAIL=$KUDA_DEPLOYER_SA@$KUDA_PROJECT_ID.iam.gserviceaccount.com
+export KUDA_GCP_PROJECT="your-project-id"
+export KUDA_DEPLOYER_SA=kuda-deployer
+export KUDA_DEPLOYER_SA_EMAIL=$KUDA_DEPLOYER_SA@$KUDA_GCP_PROJECT.iam.gserviceaccount.com
 
 # Create the service account.
-gcloud --project $KUDA_PROJECT_ID iam service-accounts \
+gcloud --project $KUDA_GCP_PROJECT iam service-accounts \
       create $KUDA_DEPLOYER_SA \
       --display-name "Service Account for the deployer."
 
 # Bind the role dns.admin to this service account, so it can be used to support
 # the ACME DNS01 challenge.
-gcloud projects add-iam-policy-binding $KUDA_PROJECT_ID \
+gcloud projects add-iam-policy-binding $KUDA_GCP_PROJECT \
   --member serviceAccount:$KUDA_DEPLOYER_SA_EMAIL \
   --role roles/container.developer
-gcloud projects add-iam-policy-binding $KUDA_PROJECT_ID \
+gcloud projects add-iam-policy-binding $KUDA_GCP_PROJECT \
   --member serviceAccount:$KUDA_DEPLOYER_SA_EMAIL \
   --role roles/storage.objectCreator
-gcloud projects add-iam-policy-binding $KUDA_PROJECT_ID \
+gcloud projects add-iam-policy-binding $KUDA_GCP_PROJECT \
   --member serviceAccount:$KUDA_DEPLOYER_SA_EMAIL \
   --role roles/cloudbuild.builds.builder
 ```
@@ -68,7 +68,7 @@ rm -rf $KEY_DIRECTORY
 
 ```bash
 cp service.tpl.yaml service.yaml
-sed -i'.bak' "s/value: <your-project-id>/value: $KUDA_PROJECT_ID/g" service.yaml
+sed -i'.bak' "s/value: <your-project-id>/value: $KUDA_GCP_PROJECT/g" service.yaml
 rm service.yaml.bak
 ```
 

diff --git a/images/deployer/service-workaround.tpl.yaml b/images/deployer/service-workaround.tpl.yaml
@@ -0,0 +1,101 @@
+# Workaround "native" istio service since there is an issue with Knative and
+# istio's policy not being applied.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployer
+  namespace: kuda
+spec:
+  selector:
+    matchLabels:
+      app: deployer
+  template:
+    metadata:
+      labels:
+        app: deployer
+    spec:
+      containers:
+        - image: gcr.io/kuda-project/deployer
+          name: deployer
+          volumeMounts:
+            - name: secret
+              readOnly: true
+              mountPath: "/secret"
+          env:
+            - name: PORT
+              value: "80"
+            - name: KUDA_GCP_PROJECT
+              value: $KUDA_GCP_PROJECT
+            - name: GOOGLE_APPLICATION_CREDENTIALS
+              value: /secret/key.json
+          ports:
+            - containerPort: 80
+      volumes:
+        - name: secret
+          secret:
+            secretName: deployer-credentials
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: deployer
+  namespace: kuda
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+  selector:
+    app: deployer
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: deployer-vservice
+  namespace: kuda
+spec:
+  hosts:
+    - deployer.kuda
+    - deployer.kuda.$KUDA_DOMAIN
+    - deployer.kuda.svc
+    - deployer.kuda.svc.cluster.local
+  gateways:
+    - deployer-gw
+  http:
+    - route:
+        - destination:
+            host: deployer
+            port:
+              number: 80
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: deployer-gw
+  namespace: kuda
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - deployer.kuda
+        - deployer.kuda.$KUDA_DOMAIN
+        - deployer.kuda.svc
+        - deployer.kuda.svc.cluster.local
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      tls:
+        mode: SIMPLE
+        privateKey: /etc/istio/ingressgateway-certs/tls.key
+        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+      hosts:
+        - deployer.kuda
+        - deployer.kuda.$KUDA_DOMAIN
+        - deployer.kuda.svc
+        - deployer.kuda.svc.cluster.local
diff --git a/images/deployer/service.tpl.yaml b/images/deployer/service.tpl.yaml
@@ -5,6 +5,10 @@ metadata:
   namespace: kuda
 spec:
   template:
+    metadata:
+      annotations:
+        readiness.status.sidecar.istio.io/applicationPorts: ""
+        sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
       containers:
         - image: gcr.io/kuda-project/deployer

diff --git a/scripts/setup_auth_policy.sh b/scripts/setup_auth_policy.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Make sure you've configured the auth module before running this script
+# otherwise you won't be able to the access services in the kuda namespace.
+
+set -e
+
+source "$(dirname $BASH_SOURCE)/utils.sh"
+
+# If using Firebase / Cloud Identity as authentication provider.
+FIREBASE_JWT_ISSUER="https://securetoken.google.com/$KUDA_GCP_PROJECT"
+FIREBASE_JWT_URI="https://www.googleapis.com/service_accounts/v1/jwk/[email protected]"
+
+export KUDA_JWT_ISSUER="${KUDA_JWT_ISSUER:-$FIREBASE_JWT_ISSUER}"
+export KUDA_JWT_URI="${KUDA_JWT_URI:-$FIREBASE_JWT_URI}"
+
+assert_set KUDA_GCP_PROJECT $KUDA_GCP_PROJECT
+assert_set KUDA_JWT_ISSUER $KUDA_JWT_ISSUER
+assert_set KUDA_JWT_URI $KUDA_JWT_URI
+
+function setup_deployer_auth_policy() {
+  echo "Adding istio authentication policy for deployer..."
+
+  kubectl apply -f - <<EOF
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+  name: deployer-origin-auth
+  namespace: kuda
+spec:
+  targets:
+  - name: deployer
+    ports:
+    - number: 80
+    - number: 443
+  origins:
+  - jwt:
+      issuer: $KUDA_JWT_ISSUER
+      audiences:
+      - "$KUDA_GCP_PROJECT"
+      jwksUri: "$KUDA_JWT_URI"
+      triggerRules:
+      - excluded_paths:
+        - prefix: /metrics
+        - prefix: /healthz
+  principalBinding: USE_ORIGIN
+EOF
+}
+
+setup_deployer_auth_policy
diff --git a/scripts/utils.sh b/scripts/utils.sh
@@ -0,0 +1,20 @@
+bold="\033[1m"
+blue="\e[36m"
+green="\033[32m"
+red="\033[31m"
+reset="\033[0m"
+
+function error() {
+  printf "${red}ERROR:${reset} $1\n"
+}
+
+function assert_set() {
+  var_name=$1
+  var_value=$2
+  if [ -z "$var_value" ]; then
+    error "Missing required env variable $var_name"
+    exit 1
+  else
+    printf "$var_name: ${blue}$var_value${reset}\n"
+  fi
+}