Enables the bypassing of authentication for health check endpoint

This allows the health check endpoint to be accessible to large-scale monitoring tools.

Prior to this, all URL routes require mutual TLS authentication and all but the /health route
requires HTTP Basic authentication. The /health route potentially prompts for HTTP Basic, but
does not enforce it.

When the `NOAUTH_ROUTES` environment variable is correctly configured, the server's TLS
configuration is reduced to verifying presented client certificates if presented vice both
requiring and verifying client certificates.

For all protected routes, the existence of verified client certificates is confirmed or a
"HTTP Forbidden" status is returned.

For noauth routes, that verified certificate check is skipped.

At this time, only the /health endpoint is allowed to be a noauth route. Enabling future endpoints
will require they remove dependencies on the username returned from HTTP Basic
authentication. /health already had no dependency and no validation prior to this change.

Author: wilybrace

apiserver.go

@@ -22,6 +22,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/crunchydata/postgres-operator/apiserver"
@@ -51,9 +52,10 @@ import (
 	"github.com/crunchydata/postgres-operator/apiserver/userservice"
 	"github.com/crunchydata/postgres-operator/apiserver/versionservice"
 	"github.com/crunchydata/postgres-operator/apiserver/workflowservice"
+	crunchylog "github.com/crunchydata/postgres-operator/logging"
+
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
-	crunchylog "github.com/crunchydata/postgres-operator/logging"
 )
 
 const serverCertPath = "/tmp/server.crt"
@@ -98,6 +100,8 @@ func main() {
 	}
 	disableTLS, _ := strconv.ParseBool(tmp)
 
+	skipAuthRoutes := strings.TrimSpace(os.Getenv("NOAUTH_ROUTES"))
+
 	log.Infoln("postgres-operator apiserver starts")
 
 	apiserver.Initialize()
@@ -181,6 +185,18 @@ func main() {
 	r.HandleFunc("/benchmarkdelete", benchmarkservice.DeleteBenchmarkHandler).Methods("POST")
 	r.HandleFunc("/benchmarkshow", benchmarkservice.ShowBenchmarkHandler).Methods("POST")
 
+	// Optionally lighten mTLS requirement if some paths don't require certs
+	certsVerify := tls.RequireAndVerifyClientCert
+	if !disableTLS && len(skipAuthRoutes) > 0 {
+		certsVerify = tls.VerifyClientCertIfGiven
+		optCertEnforcer, err := apiserver.NewCertEnforcer(strings.Split(skipAuthRoutes, ","))
+		if err != nil {
+			log.Fatalf("NOAUTH_ROUTES configured incorrectly: %s", err)
+			os.Exit(2)
+		}
+		r.Use(optCertEnforcer.Enforce)
+	}
+
 	err := apiserver.GetTLS(serverCertPath, serverKeyPath)
 	if err != nil {
 		log.Fatal(err)
@@ -199,9 +215,9 @@ func main() {
 	caCertPool.AppendCertsFromPEM(caCert)
 
 	cfg := &tls.Config{
-		ClientAuth: tls.RequireAndVerifyClientCert,
 		//specify pgo-apiserver in the CN....then, add ServerName: "pgo-apiserver",
 		ServerName:         "pgo-apiserver",
+		ClientAuth:         certsVerify,
 		InsecureSkipVerify: tlsNoVerify,
 		ClientCAs:          caCertPool,
 		MinVersion:         tls.VersionTLS11,

apiserver/middleware.go

@@ -0,0 +1,69 @@
+package apiserver
+
+/*
+Copyright 2019 Crunchy Data Solutions, Inc.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+// certEnforcer is a contextual middleware for deferred enforcement of
+// client certificates. It assumes any certificates presented where validated
+// as part of establishing the TLS connection.
+type certEnforcer struct {
+	skip map[string]struct{}
+}
+
+// NewCertEnforcer ensures a certEnforcer is created with skipped routes
+// and validates that the configured routes are allowed
+func NewCertEnforcer(reqRoutes []string) (*certEnforcer, error) {
+	allowed := map[string]struct{}{
+		// List of allowed routes is part of the published documentation
+		"/health": struct{}{},
+	}
+
+	ce := &certEnforcer{
+		skip: map[string]struct{}{},
+	}
+
+	for _, route := range reqRoutes {
+		r := strings.TrimSpace(route)
+		if _, ok := allowed[r]; !ok {
+			return nil, fmt.Errorf("Disabling auth unsupported for route [%s]", r)
+		}
+		ce.skip[r] = struct{}{}
+	}
+	return ce, nil
+}
+
+// Enforce is an HTTP middleware for selectively enforcing deferred client
+// certificate checks based on the certEnforcer's skip list
+func (ce *certEnforcer) Enforce(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		path := r.URL.Path
+		if _, ok := ce.skip[path]; ok {
+			next.ServeHTTP(w, r)
+		} else {
+			clientCerts := len(r.TLS.PeerCertificates) > 0
+			if !clientCerts {
+				http.Error(w, "Forbidden: Client Certificate Required", http.StatusForbidden)
+			} else {
+				next.ServeHTTP(w, r)
+			}
+		}
+	})
+}

apiserver/versionservice/versionservice.go

@@ -44,8 +44,6 @@ func VersionHandler(w http.ResponseWriter, r *http.Request) {
 
 // HealthHandler ...
 func HealthHandler(w http.ResponseWriter, r *http.Request) {
-
-	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
 

hugo/content/Configuration/configuration.md

@@ -52,6 +52,55 @@ Files within this directory are used specifically when creating PostgreSQL Clust
 
 As with the other Operator templates, administrators can make custom changes to this set of templates to add custom features or metadata into the Resources created by the Operator.
 
+## Operator API Server
+
+The Operator's API server can be configured to allow access to select URL routes
+without requiring TLS authentication from the client and without
+the HTTP Basic authentication used for role-based-access.
+
+This configuration is performed by defining the `NOAUTH_ROUTES` environment
+variable for the apiserver container within the Operator pod. 
+
+Typically, this configuration is made within the `deploy/deployment.json` 
+file for bash-based installations and 
+`ansible/roles/pgo-operator/templates/deployment.json.j2` for ansible installations.
+
+For example:
+```
+...
+    containers: [
+        {
+        	"name": "apiserver"
+        	"env": [
+                {
+                	"name": "NOAUTH_ROUTES",
+                	"value": "/health"
+                }
+        	]
+        	...
+        }
+        ...
+    ]
+...
+```
+
+The `NOAUTH_ROUTES` variable must be set to a comma-separated list of
+URL routes. For example: `/health,/version,/example3` would opt to **disable**
+authentication for `$APISERVER_URL/health`, `$APISERVER_URL/version`, and
+`$APISERVER_URL/example3` respectively.
+
+Currently, only the following routes may have authentication disabled using
+this setting:
+
+```
+/health
+```
+
+If the health route has its authentication disabled, the existing readiness 
+and liveness probes for the apiserver container could be enhanced by 
+configuring them with HTTP-based checks against the health route.
+
+
 ## Security
 
 Setting up pgo users and general security configuration is described in the [Security](/security) section of this documentation.