wip

Author: yzamir

api/v1beta1/gateserver_types.go

@@ -28,6 +28,14 @@ type GateServerSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
+	// img is the kube-gateway image to use.
+	// Defalut value is "quay.io/yaacov/kube-gateway:latest".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Type="string"
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:default:="quay.io/kubevirt-ui/kube-gateway:latest"
+	IMG string `json:"img,omitempty"`
+
 	// api-url is the k8s API url.
 	// Defalut value is "https://kubernetes.default.svc".
 	// +kubebuilder:validation:Optional
@@ -66,13 +74,6 @@ type GateServerSpec struct {
 	// +kubebuilder:validation:MaxLength=1024
 	// +kubebuilder:default:=""
 	AdminResources string `json:"admin-resources,omitempty"`
-
-	// passthrough the tokens aquired from OAuth2 server directly to k8s API
-	// +optional
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Type="boolean"
-	// +kubebuilder:default:=false
-	PassThrough bool `json:"passthrough,omitempty"`
 }
 
 // GateServerStatus defines the observed state of GateServer

api/v1beta1/gatetoken_types.go

@@ -25,30 +25,28 @@ import (
 
 // GateTokenCache stores initial token data
 type GateTokenCache struct {
-	From        string `json:"from"`
-	Until       string `json:"until"`
-	DurationSec int64  `json:"duration-sec"`
-	NBf         int64  `json:"nbf"`
-	Exp         int64  `json:"exp"`
-	MatchMethod string `json:"matchMethod"`
-	MatchPath   string `json:"matchPath"`
-	Alg         string `json:"alg"`
+	From     string   `json:"from"`
+	Until    string   `json:"until"`
+	Duration string   `json:"duration"`
+	NBf      int64    `json:"nbf"`
+	Exp      int64    `json:"exp"`
+	Verbs    []string `json:"verbs"`
+	URLs     []string `json:"urls"`
 }
 
 // GateTokenSpec defines the desired state of GateToken
 type GateTokenSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	// match-path is a regular expresion used to validate API request path,
-	// API requests matching this pattern will be validated by the token.
+	// urls is a list of urls used to validate API request path,
+	// API requests matching one pattern will be validated by the token.
 	// This field may not be empty.
 	// +required
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Type="string"
-	// +kubebuilder:validation:Pattern="^[/^][^:@]+$"
-	// +kubebuilder:validation:MaxLength=1024
-	MatchPath string `json:"match-path"`
+	// +kubebuilder:validation:MaxItems=500
+	// +kubebuilder:validation:MinItems=1
+	URLs []string `json:"urls"`
 
 	// from is time of token invocation, the token will not validate before this time,
 	// the token duration will start from this time.
@@ -58,23 +56,34 @@ type GateTokenSpec struct {
 	// +kubebuilder:validation:Format="date-time"
 	From string `json:"from"`
 
-	// duration-sec is the duration in sec the token will be validated since it's invocation.
-	// Defalut value is 3600s (1h).
+	// duration is the duration the token will be validated since it's invocation.
+	// Defalut value is "1h".
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Type="integer"
-	// +kubebuilder:validation:Minimum=0
-	// +kubebuilder:default:=3600
-	DurationSec int64 `json:"duration-sec"`
+	// +kubebuilder:validation:Type="string"
+	// +kubebuilder:default:="1h"
+	Duration string `json:"duration"`
 
-	// match-path is a comma separated list of allowed http methods,
+	// verbs is a comma separated list of allowed http methods,
 	// only API requests matching one of the allowed methods will be validated.
-	// Defalut value is "GET,OPTIONS".
+	// Defalut value is "[GET,OPTIONS]".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:MaxItems=500
+	// +kubebuilder:validation:MinItems=1
+	Verbs []string `json:"verbs"`
+
+	// secret-name is the name of the secret holding the private key used to sign the token.
+	// Defalut value is "kube-gateway-secret".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Type="string"
+	// +kubebuilder:default:="1h"
+	SecretName string `json:"secret-name"`
+
+	// secret-namspace is the namespace of the secret holding the private key used to sign the token.
+	// Defalut value is "kube-gateway".
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Type="string"
-	// +kubebuilder:validation:Pattern="^(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE)+(,(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE)+)*$"
-	// +kubebuilder:validation:MaxLength=1024
-	// +kubebuilder:default:="GET,OPTIONS"
-	MatchMethod string `json:"match-method"`
+	// +kubebuilder:default:="1h"
+	SecretNamespace string `json:"secret-namespace"`
 }
 
 // GateTokenStatus defines the observed state of GateToken

api/v1beta1/zz_generated.deepcopy.go

@@ -60,11 +60,12 @@ spec:
                 maxLength: 1024
                 pattern: ^(http|https)://.*
                 type: string
-              passthrough:
-                default: false
-                description: passthrough the tokens aquired from OAuth2 server directly
-                  to k8s API
-                type: boolean
+              img:
+                default: quay.io/kubevirt-ui/kube-gateway:latest
+                description: img is the kube-gateway image to use. Defalut value is
+                  "quay.io/yaacov/kube-gateway:latest".
+                maxLength: 1024
+                type: string
               route:
                 description: route for the gate proxy server.
                 maxLength: 226

config/crd/bases/ocgate.yaacov.com_gateservers.yaml

@@ -36,36 +36,47 @@ spec:
           spec:
             description: GateTokenSpec defines the desired state of GateToken
             properties:
-              duration-sec:
-                default: 3600
-                description: duration-sec is the duration in sec the token will be
-                  validated since it's invocation. Defalut value is 3600s (1h).
-                format: int64
-                minimum: 0
-                type: integer
+              duration:
+                default: 1h
+                description: duration is the duration the token will be validated
+                  since it's invocation. Defalut value is "1h".
+                type: string
               from:
                 description: from is time of token invocation, the token will not
                   validate before this time, the token duration will start from this
                   time. Defalut to token object creation time.
                 format: date-time
                 type: string
-              match-method:
-                default: GET,OPTIONS
-                description: match-path is a comma separated list of allowed http
-                  methods, only API requests matching one of the allowed methods will
-                  be validated. Defalut value is "GET,OPTIONS".
-                maxLength: 1024
-                pattern: ^(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE)+(,(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE)+)*$
+              secret-name:
+                default: 1h
+                description: secret-name is the name of the secret holding the private
+                  key used to sign the token. Defalut value is "kube-gateway-secret".
                 type: string
-              match-path:
-                description: match-path is a regular expresion used to validate API
-                  request path, API requests matching this pattern will be validated
-                  by the token. This field may not be empty.
-                maxLength: 1024
-                pattern: ^[/^][^:@]+$
+              secret-namespace:
+                default: 1h
+                description: secret-namspace is the namespace of the secret holding
+                  the private key used to sign the token. Defalut value is "kube-gateway".
                 type: string
+              urls:
+                description: urls is a list of urls used to validate API request path,
+                  API requests matching one pattern will be validated by the token.
+                  This field may not be empty.
+                items:
+                  type: string
+                maxItems: 500
+                minItems: 1
+                type: array
+              verbs:
+                description: verbs is a comma separated list of allowed http methods,
+                  only API requests matching one of the allowed methods will be validated.
+                  Defalut value is "[GET,OPTIONS]".
+                items:
+                  type: string
+                maxItems: 500
+                minItems: 1
+                type: array
             required:
-            - match-path
+            - urls
             type: object
           status:
             description: GateTokenStatus defines the observed state of GateToken
@@ -144,34 +155,34 @@ spec:
               data:
                 description: Cached data, once created, user can not change this valuse
                 properties:
-                  alg:
+                  duration:
                     type: string
-                  duration-sec:
-                    format: int64
-                    type: integer
                   exp:
                     format: int64
                     type: integer
                   from:
                     type: string
-                  matchMethod:
-                    type: string
-                  matchPath:
-                    type: string
                   nbf:
                     format: int64
                     type: integer
                   until:
                     type: string
+                  urls:
+                    items:
+                      type: string
+                    type: array
+                  verbs:
+                    items:
+                      type: string
+                    type: array
                 required:
-                - alg
-                - duration-sec
+                - duration
                 - exp
                 - from
-                - matchMethod
-                - matchPath
                 - nbf
                 - until
+                - urls
+                - verbs
                 type: object
               phase:
                 description: Token generation phase (ready|error)

config/crd/bases/ocgate.yaacov.com_gatetokens.yaml

@@ -363,7 +363,7 @@ func (r *GateServerReconciler) serviceaccount(s *ocgatev1beta1.GateServer) (*cor
 		},
 		Secrets: []corev1.ObjectReference{
 			{
-				Name: fmt.Sprintf("%s-jwt-secret", s.Name),
+				Name: fmt.Sprintf("%s-secret", s.Name),
 			},
 		},
 	}
@@ -441,7 +441,7 @@ func (r *GateServerReconciler) rolebinding(s *ocgatev1beta1.GateServer) (*rbacv1
 }
 
 func (r *GateServerReconciler) deployment(s *ocgatev1beta1.GateServer) (*appsv1.Deployment, error) {
-	image := "quay.io/yaacov/oc-gate:latest"
+	image := s.Spec.IMG
 	replicas := int32(1)
 	labels := map[string]string{
 		"app": s.Name,
@@ -468,53 +468,43 @@ func (r *GateServerReconciler) deployment(s *ocgatev1beta1.GateServer) (*appsv1.
 				Spec: corev1.PodSpec{
 					Containers: []corev1.Container{{
 						Image: image,
-						Name:  "oc-gate",
+						Name:  "kube-gateway",
 
 						Ports: []corev1.ContainerPort{{
 							ContainerPort: 8080,
-							Name:          "oc-gate-https",
+							Name:          "https",
 						}},
 						VolumeMounts: []corev1.VolumeMount{
 							{
-								Name:      "oc-gate-secret",
-								MountPath: "/secrets",
-							},
-							{
-								Name:      "oc-gate-jwt-secret",
-								MountPath: "/jwt-secret",
+								Name:      "serving-cert",
+								MountPath: "/var/run/secrets/serving-cert",
 							},
 						},
 						Command: []string{
-							"./oc-gate",
-							fmt.Sprintf("-api-server=%s", s.Spec.APIURL),
-							"-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt",
-							"-cert-file=/secrets/tls.crt",
-							"-key-file=/secrets/tls.key",
-							fmt.Sprintf("-base-address=https://%s", s.Spec.Route),
-							"-listen=https://0.0.0.0:8080",
-							"-jwt-token-key-file=/jwt-secret/cert.pem",
-							"-k8s-bearer-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
-							fmt.Sprintf("-k8s-bearer-token-passthrough=%v", s.Spec.PassThrough),
+							"./kube-gateway",
+							"-api-server=https://kubernetes.default.svc",
+							"-gateway-listen=https://0.0.0.0:8080",
+							"-api-server-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+							"-api-server-bearer-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+							"-gateway-key-file=/var/run/secrets/serving-cert/tls.key",
+							"-gateway-cert-file=/var/run/secrets/serving-cert/tls.crt",
+							fmt.Sprintf("-jwt-public-key-name=%s-secret", s.Name),
+							fmt.Sprintf("-jwt-public-key-namespace=%s", s.Namespace),
+							"-jwt-request-enable=true",
+							fmt.Sprintf("-jwt-private-key-name=%s-secret", s.Name),
+							fmt.Sprintf("-jwt-private-key-namespace=%s", s.Namespace),
 						},
 					}},
 
 					Volumes: []corev1.Volume{
 						{
-							Name: "oc-gate-secret",
+							Name: "serving-cert",
 							VolumeSource: corev1.VolumeSource{
 								Secret: &corev1.SecretVolumeSource{
 									SecretName: fmt.Sprintf("%s-secret", s.Name),
 								},
 							},
 						},
-						{
-							Name: "oc-gate-jwt-secret",
-							VolumeSource: corev1.VolumeSource{
-								Secret: &corev1.SecretVolumeSource{
-									SecretName: "oc-gate-jwt-secret",
-								},
-							},
-						},
 					},
 
 					ServiceAccountName: s.Name,