Use auth-realm annotations instead of labels. (#7)

Labels have more restrictive value validation than annotations,
so switch to annotations for specifying the basic authentication
realm and type.  To make up for the use of annotations, add a
label selector flag so that operators can filter which Secrets
to actually use.

This fixes #4.

Signed-off-by: James Peach <jpeach@vmware.com>

Author: jpeach

README.md

@@ -41,6 +41,7 @@ Flags:
       --auth-realm string          Basic authentication realm. (default "default")
   -h, --help                       help for htpasswd
       --metrics-address string     The address the metrics endpoint binds to. (default ":8080")
+      --selector string            Selector (label-query) to filter Secrets, supports '=', '==', and '!='.
       --tls-ca-path string         Path to the TLS CA certificate bundle.
       --tls-cert-path string       Path to the TLS server certificate.
       --tls-key-path string        Path to the TLS server key.
@@ -55,14 +56,25 @@ The htpasswd data must be stored in the `data` key, which is compatible
 with ingress-nginx [`auth-file` Secrets][2].
 
 The `htpasswd` backend only accesses Secrets that are
-labeled with `projectcontour.io/auth-type: basic`. If the
-only be used if its value matches the value of the `--auth-realm` flag.
-The label `projectcontour.io/auth-realm: *` can be used to specify that a
-Secret can be used for all realms.
+annotated with `projectcontour.io/auth-type: basic`.
 
-When it authenticates a request, the `htpassd` backend injects the
+Secrets that are annotated with the `projectcontour.io/auth-realm`
+will only be used if the annotation value matches the value of the
+`--auth-realm` flag.
+The `projectcontour.io/auth-realm: *` annotation explicitly marks
+a Secret as being valid for all realms.
+This is equivalent to omitting the annotation.
+
+When it authenticates a request, the `htpasswd` backend injects the
 `Auth-Username` and  `Auth-Realm` headers, which contain the
-authenticated user name basic authentication nd realm.
+authenticated user name and the basic authentication realm respectively.
+
+The `--watch-namespaces` flag specifies the namespaces where the
+`htpasswd` backend will discover Secrets.
+If this flag is empty, Secrets from all namespaces will be used.
+
+The `--selector` flag accepts a [label selector][5] that can be
+used to further restrict which Secrets the `htpasswd` backend will consume.
 
 # Request Headers
 
@@ -79,8 +91,8 @@ does.)
 
 # Deploying `contour-authserver`
 
-The recommended way to deploe `contour-authserver` is to use the Kustomize
-[deployment YAML](./config/default). This sill deploy services for both
+The recommended way to deploy `contour-authserver` is to use the Kustomize
+[deployment YAML](./config/default). This will deploy services for both
 the `testserver` and `htpasswd` backends. For developer deployments,
 [Skaffold](https://skaffold.dev/) seems to work reasonably well.
 
@@ -90,3 +102,4 @@ There are no versioned releases or container images yet.
 [2]: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#authentication
 [3]: https://tools.ietf.org/html/rfc7617
 [4]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter
+[5]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors

pkg/auth/htpasswd.go

@@ -23,15 +23,16 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/tg123/go-htpasswd"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
-	// LabelAuthType labels Secrets that can be used for basic Auth.
-	LabelAuthType = "projectcontour.io/auth-type"
-	// LabelAuthRealm labels Secrets that match our authentication realm
-	LabelAuthRealm = "projectcontour.io/auth-realm"
+	// AnnotationAuthType labels Secrets that can be used for basic Auth.
+	AnnotationAuthType = "projectcontour.io/auth-type"
+	// AnnotationAuthRealm labels Secrets that match our authentication realm
+	AnnotationAuthRealm = "projectcontour.io/auth-realm"
 )
 
 // Htpasswd watches Secrets for htpasswd files and uses them for HTTP Basic Authentication.
@@ -40,6 +41,7 @@ type Htpasswd struct {
 	Realm     string
 	Client    client.Client
 	Passwords *htpasswd.File
+	Selector  labels.Selector
 
 	Lock sync.Mutex
 }
@@ -126,22 +128,33 @@ func (h *Htpasswd) Check(ctx context.Context, request *Request) (*Response, erro
 
 // Reconcile ...
 func (h *Htpasswd) Reconcile(ctrl.Request) (ctrl.Result, error) {
-	// First, find all the basic auth secrets for this realm.
+	var opts []client.ListOption
+
+	if h.Selector != nil {
+		opts = append(opts, client.MatchingLabelsSelector{Selector: h.Selector})
+	}
+
+	// First, find all the auth secrets for this realm.
 	secrets := &v1.SecretList{}
-	if err := h.Client.List(context.Background(), secrets,
-		client.MatchingLabels{LabelAuthType: "basic"},
-		client.HasLabels{LabelAuthRealm}); err != nil {
+	if err := h.Client.List(context.Background(), secrets, opts...); err != nil {
 		return ctrl.Result{}, err
 	}
 
 	passwdData := bytes.Buffer{}
 
 	for _, s := range secrets.Items {
-		if s.Labels[LabelAuthRealm] != h.Realm &&
-			s.Labels[LabelAuthRealm] != "*" {
+		// Only look at basic auth secrets.
+		if s.Annotations[AnnotationAuthType] != "basic" {
 			continue
 		}
 
+		// Accept the secret if it is for our realm or for any realm.
+		if realm := s.Annotations[AnnotationAuthRealm]; realm != "" {
+			if realm != h.Realm && realm != "*" {
+				continue
+			}
+		}
+
 		// Check for the "auth" key, which is the format used by ingress-nginx.
 		authData, ok := s.Data["auth"]
 		if !ok {

pkg/auth/htpasswd_test.go

@@ -23,20 +23,37 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestHtpasswdAuth(t *testing.T) {
 	client := fake.NewFakeClient(
+		&v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "notmatched",
+				Namespace: metav1.NamespaceDefault,
+				Annotations: map[string]string{
+					AnnotationAuthType:  "basic",
+					AnnotationAuthRealm: "*",
+				},
+			},
+			Type: v1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				// user=notmatched, pass=notmatched
+				"auth": []byte("notmatched:$apr1$4W6cRE66$iANZepJfRTrpk3OxlzxAC0"),
+			},
+		},
 		&v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example1",
 				Namespace: metav1.NamespaceDefault,
-				Labels: map[string]string{
-					LabelAuthType:  "basic",
-					LabelAuthRealm: "*",
+				Labels:    map[string]string{"app": "authserver"},
+				Annotations: map[string]string{
+					AnnotationAuthType:  "basic",
+					AnnotationAuthRealm: "*",
 				},
 			},
 			Type: v1.SecretTypeOpaque,
@@ -45,14 +62,14 @@ func TestHtpasswdAuth(t *testing.T) {
 				"auth": []byte("example1:$apr1$WBCC5B.w$fUu8qiKG/rLdMs3OTy9gc0"),
 			},
 		},
-
 		&v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example2",
 				Namespace: metav1.NamespaceDefault,
-				Labels: map[string]string{
-					LabelAuthType:  "basic",
-					LabelAuthRealm: "*",
+				Labels:    map[string]string{"app": "authserver"},
+				Annotations: map[string]string{
+					AnnotationAuthType:  "basic",
+					AnnotationAuthRealm: "*",
 				},
 			},
 			Type: v1.SecretTypeOpaque,
@@ -65,9 +82,10 @@ func TestHtpasswdAuth(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example3",
 				Namespace: metav1.NamespaceDefault,
-				Labels: map[string]string{
-					LabelAuthType:  "basic",
-					LabelAuthRealm: "example3",
+				Labels:    map[string]string{"app": "authserver"},
+				Annotations: map[string]string{
+					AnnotationAuthType:  "basic",
+					AnnotationAuthRealm: "example3",
 				},
 			},
 			Type: v1.SecretTypeOpaque,
@@ -78,19 +96,26 @@ func TestHtpasswdAuth(t *testing.T) {
 		},
 	)
 
+	selector, err := labels.Parse("app=authserver")
+	if err != nil {
+		t.Fatalf("failed to parse selector: %s", err)
+	}
+
 	auth := Htpasswd{
-		Log:       log.NullLogger{},
-		Realm:     "default",
-		Client:    client,
-		Passwords: nil,
+		Log:      log.NullLogger{},
+		Realm:    "default",
+		Client:   client,
+		Selector: selector,
 	}
 
-	_, err := auth.Reconcile(ctrl.Request{})
+	_, err = auth.Reconcile(ctrl.Request{})
 	assert.NoError(t, err, "reconciliation should not have failed")
 	assert.NotNil(t, auth.Passwords, "reconciliation should have set a htpasswd file")
 	assert.True(t, auth.Match("example1", "example1"), "auth for example1:example1 should have succeeded")
 	assert.True(t, auth.Match("example2", "example2"), "auth for example2:example2 should have succeeded")
 	assert.False(t, auth.Match("example3", "example3"), "auth for example3:example3 should have failed (wrong realm)")
+	assert.False(t, auth.Match("notmatched", "notmatched"),
+		"auth for notmatched:notmatched should have failed (filtered by label selector)")
 
 	// Check an unauthorized response.
 	response, err := auth.Check(context.TODO(), &Request{

pkg/cli/htpasswd.go

@@ -19,6 +19,7 @@ import (
 	"github.com/projectcontour/contour-authserver/pkg/auth"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -52,10 +53,16 @@ func NewHtpasswdCommand() *cobra.Command {
 				return ExitErrorf(EX_CONFIG, "failed to create controller manager: %s", err)
 			}
 
+			secretsSelector, err := labels.Parse(mustString(cmd.Flags().GetString("selector")))
+			if err != nil {
+				return ExitErrorf(EX_CONFIG, "failed to parse secrets selector: %s", err)
+			}
+
 			htpasswd := &auth.Htpasswd{
-				Log:    log,
-				Client: mgr.GetClient(),
-				Realm:  mustString(cmd.Flags().GetString("auth-realm")),
+				Log:      log,
+				Client:   mgr.GetClient(),
+				Realm:    mustString(cmd.Flags().GetString("auth-realm")),
+				Selector: secretsSelector,
 			}
 
 			if err := htpasswd.RegisterWithManager(mgr); err != nil {
@@ -128,6 +135,7 @@ func NewHtpasswdCommand() *cobra.Command {
 	// Controller flags.
 	cmd.Flags().String("metrics-address", ":8080", "The address the metrics endpoint binds to.")
 	cmd.Flags().StringSlice("watch-namespaces", []string{}, "The list of namespaces to watch for Secrets.")
+	cmd.Flags().String("selector", "", "Selector (label-query) to filter Secrets, supports '=', '==', and '!='.")
 
 	// GRPC flags.
 	cmd.Flags().String("address", ":9090", "The address the authentication endpoint binds to.")